02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
Size

94KB
MD5

68a8fc94938741f21f1ae6d56def0200
SHA1

fb6b4f95b16589a4263c6b7283d793cfa9bf8db0
SHA256

02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8
SHA512

ce2ae81ef1ba012a3acf689ac54f0cd89c590dc0855967f1ca14984dc1f421006b95658044bd2e8a137cf5b237c702da3b79b964f2e5c12e24dfb3d1e51925be
SSDEEP

1536:upFXYyC+gpxo/DYGwjJNuNe4K2hUG2LraIZTJ+7LhkiB0MPiKeEAgv:ubZCeVKJNuU4Ko2raMU7uihJ5v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odlojanh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oagmmgdm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odlojanh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbelipa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onpjghhn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onpjghhn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oagmmgdm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe

Executes dropped EXE 20 IoCs

pid	Process
1904	Nilhhdga.exe
2744	Oagmmgdm.exe
2708	Onpjghhn.exe
2656	Odlojanh.exe
2556	Oqcpob32.exe
2956	Pqemdbaj.exe
768	Pfbelipa.exe
2684	Pomfkndo.exe
2348	Pjbjhgde.exe
2040	Qeohnd32.exe
1528	Qodlkm32.exe
2780	Ajpjakhc.exe
944	Agdjkogm.exe
1728	Ajecmj32.exe
2892	Bpfeppop.exe
2372	Becnhgmg.exe
2340	Behgcf32.exe
1812	Ckiigmcd.exe
1764	Cklfll32.exe
1084	Ceegmj32.exe

Loads dropped DLL 44 IoCs

pid	Process
2080	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
2080	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
1904	Nilhhdga.exe
1904	Nilhhdga.exe
2744	Oagmmgdm.exe
2744	Oagmmgdm.exe
2708	Onpjghhn.exe
2708	Onpjghhn.exe
2656	Odlojanh.exe
2656	Odlojanh.exe
2556	Oqcpob32.exe
2556	Oqcpob32.exe
2956	Pqemdbaj.exe
2956	Pqemdbaj.exe
768	Pfbelipa.exe
768	Pfbelipa.exe
2684	Pomfkndo.exe
2684	Pomfkndo.exe
2348	Pjbjhgde.exe
2348	Pjbjhgde.exe
2040	Qeohnd32.exe
2040	Qeohnd32.exe
1528	Qodlkm32.exe
1528	Qodlkm32.exe
2780	Ajpjakhc.exe
2780	Ajpjakhc.exe
944	Agdjkogm.exe
944	Agdjkogm.exe
1728	Ajecmj32.exe
1728	Ajecmj32.exe
2892	Bpfeppop.exe
2892	Bpfeppop.exe
2372	Becnhgmg.exe
2372	Becnhgmg.exe
2340	Behgcf32.exe
2340	Behgcf32.exe
1812	Ckiigmcd.exe
1812	Ckiigmcd.exe
1764	Cklfll32.exe
1764	Cklfll32.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bfenfipk.dll	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Onpjghhn.exe	Oagmmgdm.exe
File created	C:\Windows\SysWOW64\Daekko32.dll	Onpjghhn.exe
File opened for modification	C:\Windows\SysWOW64\Pfbelipa.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Cklfll32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Nilhhdga.exe	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Oagmmgdm.exe	Nilhhdga.exe
File opened for modification	C:\Windows\SysWOW64\Pjbjhgde.exe	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Qodlkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Qodlkm32.exe
File opened for modification	C:\Windows\SysWOW64\Nilhhdga.exe	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Nacehmno.dll	Qeohnd32.exe
File opened for modification	C:\Windows\SysWOW64\Cklfll32.exe	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Pomfkndo.exe	Pfbelipa.exe
File opened for modification	C:\Windows\SysWOW64\Agdjkogm.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cklfll32.exe
File opened for modification	C:\Windows\SysWOW64\Oqcpob32.exe	Odlojanh.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pfbelipa.exe
File created	C:\Windows\SysWOW64\Aheefb32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pqemdbaj.exe	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Pfbelipa.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Kjcceqko.dll	Pqemdbaj.exe
File opened for modification	C:\Windows\SysWOW64\Ajecmj32.exe	Agdjkogm.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qeohnd32.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Jbbpnl32.dll	Odlojanh.exe
File created	C:\Windows\SysWOW64\Pjbjhgde.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Lgenio32.dll	Oagmmgdm.exe
File created	C:\Windows\SysWOW64\Pqemdbaj.exe	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Dfglke32.dll	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Odlojanh.exe	Onpjghhn.exe
File created	C:\Windows\SysWOW64\Eioojl32.dll	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Fekagf32.dll	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Odlojanh.exe	Onpjghhn.exe
File created	C:\Windows\SysWOW64\Gdplpd32.dll	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Qodlkm32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Oqcpob32.exe	Odlojanh.exe
File created	C:\Windows\SysWOW64\Agdjkogm.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Oagmmgdm.exe	Nilhhdga.exe
File opened for modification	C:\Windows\SysWOW64\Onpjghhn.exe	Oagmmgdm.exe
File created	C:\Windows\SysWOW64\Jgafgmqa.dll	Pfbelipa.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Jcbemfmf.dll	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Napoohch.dll	Ajpjakhc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	1084	WerFault.exe	47

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onpjghhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll"	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcceqko.dll"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgenio32.dll"	Oagmmgdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odlojanh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oagmmgdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfenfipk.dll"	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odlojanh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll"	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfglke32.dll"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbemfmf.dll"	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daekko32.dll"	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbpnl32.dll"	Odlojanh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgafgmqa.dll"	Pfbelipa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oagmmgdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onpjghhn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1904	2080	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 1904	2080	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 1904	2080	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 1904	2080	02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe	28
PID 1904 wrote to memory of 2744	1904	Nilhhdga.exe	29
PID 1904 wrote to memory of 2744	1904	Nilhhdga.exe	29
PID 1904 wrote to memory of 2744	1904	Nilhhdga.exe	29
PID 1904 wrote to memory of 2744	1904	Nilhhdga.exe	29
PID 2744 wrote to memory of 2708	2744	Oagmmgdm.exe	30
PID 2744 wrote to memory of 2708	2744	Oagmmgdm.exe	30
PID 2744 wrote to memory of 2708	2744	Oagmmgdm.exe	30
PID 2744 wrote to memory of 2708	2744	Oagmmgdm.exe	30
PID 2708 wrote to memory of 2656	2708	Onpjghhn.exe	31
PID 2708 wrote to memory of 2656	2708	Onpjghhn.exe	31
PID 2708 wrote to memory of 2656	2708	Onpjghhn.exe	31
PID 2708 wrote to memory of 2656	2708	Onpjghhn.exe	31
PID 2656 wrote to memory of 2556	2656	Odlojanh.exe	32
PID 2656 wrote to memory of 2556	2656	Odlojanh.exe	32
PID 2656 wrote to memory of 2556	2656	Odlojanh.exe	32
PID 2656 wrote to memory of 2556	2656	Odlojanh.exe	32
PID 2556 wrote to memory of 2956	2556	Oqcpob32.exe	33
PID 2556 wrote to memory of 2956	2556	Oqcpob32.exe	33
PID 2556 wrote to memory of 2956	2556	Oqcpob32.exe	33
PID 2556 wrote to memory of 2956	2556	Oqcpob32.exe	33
PID 2956 wrote to memory of 768	2956	Pqemdbaj.exe	34
PID 2956 wrote to memory of 768	2956	Pqemdbaj.exe	34
PID 2956 wrote to memory of 768	2956	Pqemdbaj.exe	34
PID 2956 wrote to memory of 768	2956	Pqemdbaj.exe	34
PID 768 wrote to memory of 2684	768	Pfbelipa.exe	35
PID 768 wrote to memory of 2684	768	Pfbelipa.exe	35
PID 768 wrote to memory of 2684	768	Pfbelipa.exe	35
PID 768 wrote to memory of 2684	768	Pfbelipa.exe	35
PID 2684 wrote to memory of 2348	2684	Pomfkndo.exe	36
PID 2684 wrote to memory of 2348	2684	Pomfkndo.exe	36
PID 2684 wrote to memory of 2348	2684	Pomfkndo.exe	36
PID 2684 wrote to memory of 2348	2684	Pomfkndo.exe	36
PID 2348 wrote to memory of 2040	2348	Pjbjhgde.exe	37
PID 2348 wrote to memory of 2040	2348	Pjbjhgde.exe	37
PID 2348 wrote to memory of 2040	2348	Pjbjhgde.exe	37
PID 2348 wrote to memory of 2040	2348	Pjbjhgde.exe	37
PID 2040 wrote to memory of 1528	2040	Qeohnd32.exe	38
PID 2040 wrote to memory of 1528	2040	Qeohnd32.exe	38
PID 2040 wrote to memory of 1528	2040	Qeohnd32.exe	38
PID 2040 wrote to memory of 1528	2040	Qeohnd32.exe	38
PID 1528 wrote to memory of 2780	1528	Qodlkm32.exe	39
PID 1528 wrote to memory of 2780	1528	Qodlkm32.exe	39
PID 1528 wrote to memory of 2780	1528	Qodlkm32.exe	39
PID 1528 wrote to memory of 2780	1528	Qodlkm32.exe	39
PID 2780 wrote to memory of 944	2780	Ajpjakhc.exe	40
PID 2780 wrote to memory of 944	2780	Ajpjakhc.exe	40
PID 2780 wrote to memory of 944	2780	Ajpjakhc.exe	40
PID 2780 wrote to memory of 944	2780	Ajpjakhc.exe	40
PID 944 wrote to memory of 1728	944	Agdjkogm.exe	41
PID 944 wrote to memory of 1728	944	Agdjkogm.exe	41
PID 944 wrote to memory of 1728	944	Agdjkogm.exe	41
PID 944 wrote to memory of 1728	944	Agdjkogm.exe	41
PID 1728 wrote to memory of 2892	1728	Ajecmj32.exe	42
PID 1728 wrote to memory of 2892	1728	Ajecmj32.exe	42
PID 1728 wrote to memory of 2892	1728	Ajecmj32.exe	42
PID 1728 wrote to memory of 2892	1728	Ajecmj32.exe	42
PID 2892 wrote to memory of 2372	2892	Bpfeppop.exe	43
PID 2892 wrote to memory of 2372	2892	Bpfeppop.exe	43
PID 2892 wrote to memory of 2372	2892	Bpfeppop.exe	43
PID 2892 wrote to memory of 2372	2892	Bpfeppop.exe	43

C:\Users\Admin\AppData\Local\Temp\02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02e2b8e8cdbceff2c82ebe3ab83ce69669cc095f8ebdcf9b1a13d402066359f8_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\Nilhhdga.exe
  C:\Windows\system32\Nilhhdga.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\Oagmmgdm.exe
    C:\Windows\system32\Oagmmgdm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\Onpjghhn.exe
      C:\Windows\system32\Onpjghhn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Odlojanh.exe
        
        C:\Windows\system32\Odlojanh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        21⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Behgcf32.exe

Filesize
94KB

MD5
dd4af46877e115bf5d592e49416cb6fb

SHA1
716f3a9ebc0b09cf70688406f878bae23a11125b

SHA256
3ff679ef0841015ba1e89ab75d3fcc4040d3dc0e5a520fe13d3a2771e8c00117

SHA512
e44f4b24011c1693944a9eb744d0fba6d6b90a339f67c093afd74f3d45539b291bd812e9c96476b0c9e44c9c4915931760941c79af47b53e0d71643ee814f928

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
94KB

MD5
a30c7876e50e65952fde61b968417528

SHA1
34b7a9768a58b5839ecff587c16d08e141b13877

SHA256
d45f39925fdda45273afcf2f19e7ffdb8a7cbd68cd44e139de98e417e77e74b0

SHA512
77b03e4dbc263f91a925afa06b5728141361d1964218b56e48a38d17569e83a567513c7f5940fff4a37a793aee7b06a6e4ee2e749d8b69054c17389858288b0c

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
94KB

MD5
0eb6ea7f62f257d601d3c8ad3c9d41ce

SHA1
609dcbdf5dcc8006577d96d079ae189e9764ccd5

SHA256
26a42e26306a003fab76077705b3feae28ed81b251ae073216ae572695096ec8

SHA512
e4b85dc122a6c7488a9c0df99062b252cc28d609107e1e634a07fe3d7f6fbcca3241dfafd0e503d70a75a6cc6730afcf2d485dd39c075e7b27f70cea9e1404b6

Download Submit
C:\Windows\SysWOW64\Cklfll32.exe

Filesize
94KB

MD5
24a52e7eae85c69add7476313752f7bf

SHA1
e94534795513c2b5b95fc6100a2ed350cd64a5d2

SHA256
cd2720d266be05042be95aef07d83a5ce451648fc47eadd43a3bbc8d79c775e5

SHA512
ac571ba7543d2d0f8302c74900e7c820d0379f3ac5fd5801d50adf1119a1734e12853337988113538bfa224f864da9cd0f2766b196b232a304c4e1c2dbe01443

Download Submit
C:\Windows\SysWOW64\Onpjghhn.exe

Filesize
94KB

MD5
7a3a29b04611bbfcb915009c766aea69

SHA1
7438bcb2facfc48827022f740684c9d3a2e14235

SHA256
5435ed594709b4debb12562640e9d8dfd61a6083e5e300eaa333c4847537ebc4

SHA512
158381f34649c2451ebf9f0d6ecd1e929f01cef3f7f4c06a7ce44f76ef9952ab9d6c5af9c44665506bb976fa32369dff49d3f70607018de8f9bcb4dbe397359b

Download Submit
C:\Windows\SysWOW64\Pqemdbaj.exe

Filesize
94KB

MD5
f27c07ef33469afcb35701b366248540

SHA1
33d6d2cda02e4a04453af2a6e5d33db8c380c4a5

SHA256
dd138126379272893c7a22b2ff9f1d4358b40124f77bba610a9e1ea133b7ac21

SHA512
a92a2c6ae2b43f0f6b648585ade0f058da1eb7e881aaac3f6fa0041a7fc879b6fb950954798241b943f182ca4c8f490a7fe372168a71f714bac2987bf4c867bf

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
94KB

MD5
b993bc001291dc6738810339924b34b4

SHA1
0420dc5daabc4708f46c2f3f8a9d3d4412fdafa1

SHA256
a9aa7662ec2e7a4e7852da2e81ba4f46aad0af84a540d674573a652fb1f7734d

SHA512
c97fa76295cc4597d4ea61336840d63d2624d85a6811b8a27259c3397e6876c1835279c3e5cc03adf5536d0bb5c2be0daa878b481bf74bab61b58557f26962b8

Download Submit
\Windows\SysWOW64\Agdjkogm.exe

Filesize
94KB

MD5
8dc6ff25440dddc9051deed051b3deaa

SHA1
5bbbd9914b0816f4a8ba24ec6b05cfc6475673c4

SHA256
9bae05202e6af292297b2d581dbe0bbb6166040daaff46ceb92590c4d2f16ede

SHA512
d5cec28fd1633411e6c1b202f6af681f01c57b84525e0fd55c749818021dfca4d9e61725fea50ed14978b59514b327867b69dd06fe6f0beef933ab4ebfe0c9af

Download Submit
\Windows\SysWOW64\Ajecmj32.exe

Filesize
94KB

MD5
4168b7fe80b7913276e01e64dd9c1fd1

SHA1
2b5962cf7fc5e0583a9317644bb191953cbfb1ac

SHA256
618850fc8270beee0be660082a4ed65ee5c3c1ab1b845a36c25f16a0b53948de

SHA512
7beae009cecaca6370e58373081aa2d49f36102a20153d55886831e8bb18867aed721c50199b154439f06791b8937f912b602766c7cb9dfd54f22eef48236d57

Download Submit
\Windows\SysWOW64\Ajpjakhc.exe

Filesize
94KB

MD5
ee5f24d0062ad3cfa3dd50f72638dd4f

SHA1
bad7a4de4ef18c460f4bdec1ea685c7eab2ccf54

SHA256
2ba56e25a17b4a9f30cfb9384128873511fdceda812e5a2c9f0f84a8c7d8e819

SHA512
6580e644889955cf481d981fb0925d7a19cd6ded9ac57fe7fbe8557a9722cdad4d6e9642335bc43a96c30ebd654f8b3fc2beabb39bdd7babe7baa569e4d3a394

Download Submit
\Windows\SysWOW64\Becnhgmg.exe

Filesize
94KB

MD5
ae5947309b11f6abd8743f3ab0800557

SHA1
56c8019a66b80f110bda631c25688728afa2fb9c

SHA256
b49593a9b57164e70fee86fa818aecfdbd192f9c4965e689a7940e634d918ea3

SHA512
ac51832ec096e5207194a453ad3fe55e3cfd1fadce615c1f8eda7b609b4028dddd4b92a1b217eda771e8707a93f3ae39655b5be21ce3d2dc6aa2352a2f13dcbe

Download Submit
\Windows\SysWOW64\Bpfeppop.exe

Filesize
94KB

MD5
219043fd3e66a45a7479abd1496edc71

SHA1
773f5aaa56a891f74839472eb203988746a4e186

SHA256
78a9a5a99de02a4d50e153f0cbfa55bf578016a9f52b3fdae454a1feca90a925

SHA512
7cf136acf69404ba3fdef21824187062f8e56033492ee519a04785f13d09a01dfa8831c3a6f08ff8e9fe0a96902c6049989fb40e9405105efed0c9f19258b004

Download Submit
\Windows\SysWOW64\Nilhhdga.exe

Filesize
94KB

MD5
bb18cc0411d7e27bcf98cb867e67ae38

SHA1
e2bee3043a4edefc683fef62516db4b26bc27199

SHA256
fd762c2ae7f085995b5396ee8b14f2b05c3e65ce3854a3a410e58d4595d1940a

SHA512
822131b9f52c30fa4116cb6e7d4bcb85f2dc972a3049ba4733afdb25b034dcf1cd714983cdbb9224bfe28386e2e292e1de9f783dcf673fbc64fb39e47c7ee811

Download Submit
\Windows\SysWOW64\Oagmmgdm.exe

Filesize
94KB

MD5
93a56600a801e897141066552e2605d9

SHA1
e147262e5657503f16cd874442269aef71e263ea

SHA256
6af5b5bd844a6b256cf69a37dc4683f1666bf0675c0ca7fc14e5830b9d9ef3a4

SHA512
2c2c2031aa4756e8bcfe2d5455947a5bdc443d47ff1f6b0711d0e88d3157100b9dc60bc448b10356ba0f4b1e43cca7a8581302e0d0e9602e7c12e2089cfda743

Download Submit
\Windows\SysWOW64\Odlojanh.exe

Filesize
94KB

MD5
820b1820ac7134b043dd593c0ff2265b

SHA1
0d51df8c2e12f761ff71994c4a032f573ab0429c

SHA256
f5bd6430fbc2ef80d202f1977ce3c191925f32b1140d7215ab63376dbab8b589

SHA512
1ce1f14628ac1225f08399ea49135b6716bec78d514b6226d09d177132ba2f251aa4a1d59056885d349e45b8c7bcc95cb66f578093bbf0ef2b548df7adbe999c

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
94KB

MD5
7ffdd58f398fca0d19ea1690aa0f8a61

SHA1
33bdc9824ba06a573e9b39fefb5335373d7efcc6

SHA256
d72aa643b57fc3b5adf46ef529baa85117842eedfe1e40d168f8643d01bf3d4f

SHA512
1531c4d683d4572ac0c36832d586320449791ede35a5ec05ff5924edfe15b6753599bb79d18855001d7c290d847910e41381b2c0e79abfc6fadf77d1aded5022

Download Submit
\Windows\SysWOW64\Pfbelipa.exe

Filesize
94KB

MD5
ed7525ff4d520fb54a21327858132455

SHA1
c7a2f09ad846b10c8c298282cb37ebfb04920fcf

SHA256
f08624cfdef77bc92e13447e6f9d8e7db3fff1a65692aa9a62634ee6a30d5a0e

SHA512
90c69bc8c0fa6014cc18aed2f9026dda1dd540889455cc3b7e08523d056587adf3c223e34dfef98e16f3baee64790dae59c47fc3107ea3971c9f085fd04124aa

Download Submit
\Windows\SysWOW64\Pjbjhgde.exe

Filesize
94KB

MD5
71f0e25f966c67b23822e7177b02358c

SHA1
753673783738b6b82a3dae3485ac2f4ea7b683b1

SHA256
19cb38cec61c0059a1e5d1608e47973b0ac5682d99d5cb7d8dfe4ebeb2c1a3b0

SHA512
a61e0e40988475f582b49dba4bfff42e8ef998ef3e87afac9dc0bf3a48c0c42bf56b226854fb4beb04fbc6d432fea19158bfaedf9be3f9de5ab16848f33950ac

Download Submit
\Windows\SysWOW64\Pomfkndo.exe

Filesize
94KB

MD5
d0c63df62bd3862b0112948452901a70

SHA1
155ff87da9f28dc4406d5d2a6c64701d4545e5b0

SHA256
afe718754de7a492479db4a2e83220b8a3ed183cadfbf000a5121b035e5183d0

SHA512
7bca1e96977cd0e2b5beefc88fbb6bf2d3833d3ac8db3ccc11ac0791310ba0250707609160dea3df06c4c80b44ed4587112f18c8bace0f4927dba369224c6edb

Download Submit
\Windows\SysWOW64\Qeohnd32.exe

Filesize
94KB

MD5
ec6b30b22eaa01adcb560248f46c66d5

SHA1
9949b1c6a9cf744eb494f4af82f8bced087e510e

SHA256
927e74bb20e5a6a544f03d507617f2cc469cec39daf46950d2c74f3b5c0eeef8

SHA512
ba31eaef7eda80136b0894829e9be0ec50c3d0726e30ecc373caa40e0fc6fd4bf8edd7ef81a03df4ce7386f53021fd9ddb7add508fd864f16a177786f7576412

Download Submit
memory/768-186-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/768-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/768-116-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/768-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/944-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/944-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/944-198-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1084-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1528-166-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/1528-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1528-221-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/1528-236-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/1528-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1728-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1728-218-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/1728-267-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/1764-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1812-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1812-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1812-268-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1904-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1904-21-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1904-28-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2040-156-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/2040-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-18-0x00000000001B0000-0x00000000001EC000-memory.dmp

Filesize
240KB

Download
memory/2080-7-0x00000000001B0000-0x00000000001EC000-memory.dmp

Filesize
240KB

Download
memory/2080-76-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2340-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2340-259-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2348-142-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/2348-204-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/2348-203-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-217-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/2348-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-246-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2372-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-238-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-78-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2656-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-126-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2684-196-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2684-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-125-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2684-195-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2684-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-42-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-55-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2708-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2744-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2744-41-0x00000000001B0000-0x00000000001EC000-memory.dmp

Filesize
240KB

Download
memory/2780-245-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2780-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-272-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-237-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2892-229-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2892-282-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2892-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads