Analysis

- max time kernel: 142s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-06-2024 12:04

Behavioral task: behavioral1
- Sample: 6b4af93c8ac3810a867a42c2e34476474556243e63761df2dfa6d0ae7147233e_NeikiAnalytics.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 6b4af93c8ac3810a867a42c2e34476474556243e63761df2dfa6d0ae7147233e_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en

General

- Target: 6b4af93c8ac3810a867a42c2e34476474556243e63761df2dfa6d0ae7147233e_NeikiAnalytics.exe
- Size: 337KB
- MD5: 4fcefc1cc5e5a2683523a5d01c986430
- SHA1: 7dfcfc48f8913553c5635990daa75c48c3fad59e
- SHA256: 6b4af93c8ac3810a867a42c2e34476474556243e63761df2dfa6d0ae7147233e
- SHA512: e6c025369312c95ba9554e89e20a4ae6442807b303f322a4ab5fd6cae60187ef392c99f961a2cd26940a033c18599b92317fa25f65fbb9fdf1e3315f5cebd78d
- SSDEEP: 3072:8GY3Z3S2W2Tw35yoNAD3yKJzgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:8/i92TwJZAD3rz1+fIyG5jZkCwi8r
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 44 IoCs)
- Executes dropped EXE (22 IoCs)
  Processes (pid, process):
  1252  Faokjpfd.exe
  2580  Ffkcbgek.exe
  1192  Ffnphf32.exe
  2700  Fbdqmghm.exe
  2484  Fddmgjpo.exe
  2552  Gpknlk32.exe
  792   Gbijhg32.exe
  1688  Gkgkbipp.exe
  1848  Gdopkn32.exe
  1632  Gacpdbej.exe
  1700  Gkkemh32.exe
  664   Hgbebiao.exe
  1508  Hdfflm32.exe
  1248  Hpmgqnfl.exe
  2688  Hnagjbdf.exe
  2996  Hpocfncj.exe
  2064  Hpapln32.exe
  1896  Henidd32.exe
  916   Hogmmjfo.exe
  292   Idceea32.exe
  676   Iknnbklc.exe
  1948  Iagfoe32.exe
- Loads dropped DLL (48 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  2912  1948  WerFault.exe  Iagfoe32.exe
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b4af93c8ac3810a867a42c2e34476474556243e63761df2dfa6d0ae7147233e_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6b4af93c8ac3810a867a42c2e34476474556243e63761df2dfa6d0ae7147233e_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Fbdqmghm.exe (command line: C:\Windows\system32\Fbdqmghm.exe, level 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Fddmgjpo.exe (command line: C:\Windows\system32\Fddmgjpo.exe, level 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Gpknlk32.exe (command line: C:\Windows\system32\Gpknlk32.exe, level 7)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Gbijhg32.exe (command line: C:\Windows\system32\Gbijhg32.exe, level 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Gkgkbipp.exe (command line: C:\Windows\system32\Gkgkbipp.exe, level 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Gdopkn32.exe (command line: C:\Windows\system32\Gdopkn32.exe, level 10)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Gacpdbej.exe (command line: C:\Windows\system32\Gacpdbej.exe, level 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Gkkemh32.exe (command line: C:\Windows\system32\Gkkemh32.exe, level 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Hgbebiao.exe (command line: C:\Windows\system32\Hgbebiao.exe, level 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Hdfflm32.exe (command line: C:\Windows\system32\Hdfflm32.exe, level 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Hpmgqnfl.exe (command line: C:\Windows\system32\Hpmgqnfl.exe, level 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Hnagjbdf.exe (command line: C:\Windows\system32\Hnagjbdf.exe, level 16)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Hpocfncj.exe (command line: C:\Windows\system32\Hpocfncj.exe, level 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Hpapln32.exe (command line: C:\Windows\system32\Hpapln32.exe, level 18)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Henidd32.exe (command line: C:\Windows\system32\Henidd32.exe, level 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Hogmmjfo.exe (command line: C:\Windows\system32\Hogmmjfo.exe, level 20)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Idceea32.exe (command line: C:\Windows\system32\Idceea32.exe, level 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:292 -
C:\Windows\SysWOW64\Iknnbklc.exe (command line: C:\Windows\system32\Iknnbklc.exe, level 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Iagfoe32.exe (command line: C:\Windows\system32\Iagfoe32.exe, level 23)
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 140, level 24)
- Loads dropped DLL
- Program crash
PID:2912
Network
MITRE ATT&CK Enterprise v15
Downloads