334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/06/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
Size

576KB
MD5

dab505c3bca96f9d6de161852af5e3d0
SHA1

7a592d58921e3d58eea93910b029742b11c7850b
SHA256

334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b
SHA512

640b5839fea1507fc8245f5f4b5f20baa9b9dedc168cd4b9605bb6c2d090ec04d0cbc3a49a65eb54924d908c79b4697713eb7bf8f7457b7791bcab7954e20a8f
SSDEEP

12288:yGcEBCGyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSgRDO:yNEBCGyXsGG1ws5ipX6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cciemedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clcflkic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cciemedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcbqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmcfkme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnlidb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eijcpoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eijcpoac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeqdep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgpgce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnlidb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eeqdep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpgce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clcflkic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmcfkme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epieghdk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpcbqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe

Executes dropped EXE 23 IoCs

pid	Process
2004	Bpcbqk32.exe
2584	Cgpgce32.exe
2024	Cciemedf.exe
2728	Clcflkic.exe
2612	Dhmcfkme.exe
2516	Dnlidb32.exe
2912	Dfijnd32.exe
2788	Eijcpoac.exe
2064	Eeqdep32.exe
1608	Epieghdk.exe
2684	Fjgoce32.exe
1268	Ffnphf32.exe
812	Gonnhhln.exe
2080	Gpmjak32.exe
688	Gdamqndn.exe
1352	Gphmeo32.exe
1240	Hggomh32.exe
1088	Hpocfncj.exe
2188	Hpapln32.exe
1524	Hacmcfge.exe
756	Hlhaqogk.exe
556	Iaeiieeb.exe
2824	Iagfoe32.exe

Loads dropped DLL 50 IoCs

pid	Process
2232	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
2232	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
2004	Bpcbqk32.exe
2004	Bpcbqk32.exe
2584	Cgpgce32.exe
2584	Cgpgce32.exe
2024	Cciemedf.exe
2024	Cciemedf.exe
2728	Clcflkic.exe
2728	Clcflkic.exe
2612	Dhmcfkme.exe
2612	Dhmcfkme.exe
2516	Dnlidb32.exe
2516	Dnlidb32.exe
2912	Dfijnd32.exe
2912	Dfijnd32.exe
2788	Eijcpoac.exe
2788	Eijcpoac.exe
2064	Eeqdep32.exe
2064	Eeqdep32.exe
1608	Epieghdk.exe
1608	Epieghdk.exe
2684	Fjgoce32.exe
2684	Fjgoce32.exe
1268	Ffnphf32.exe
1268	Ffnphf32.exe
812	Gonnhhln.exe
812	Gonnhhln.exe
2080	Gpmjak32.exe
2080	Gpmjak32.exe
688	Gdamqndn.exe
688	Gdamqndn.exe
1352	Gphmeo32.exe
1352	Gphmeo32.exe
1240	Hggomh32.exe
1240	Hggomh32.exe
1088	Hpocfncj.exe
1088	Hpocfncj.exe
2188	Hpapln32.exe
2188	Hpapln32.exe
1524	Hacmcfge.exe
1524	Hacmcfge.exe
756	Hlhaqogk.exe
756	Hlhaqogk.exe
556	Iaeiieeb.exe
556	Iaeiieeb.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Bpcbqk32.exe	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Clcflkic.exe	Cciemedf.exe
File created	C:\Windows\SysWOW64\Fjgoce32.exe	Epieghdk.exe
File opened for modification	C:\Windows\SysWOW64\Fjgoce32.exe	Epieghdk.exe
File created	C:\Windows\SysWOW64\Ffnphf32.exe	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Jondlhmp.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Dfijnd32.exe	Dnlidb32.exe
File created	C:\Windows\SysWOW64\Epieghdk.exe	Eeqdep32.exe
File created	C:\Windows\SysWOW64\Kegiig32.dll	Fjgoce32.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Cciemedf.exe	Cgpgce32.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Dfijnd32.exe	Dnlidb32.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Nejeco32.dll	Cgpgce32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmcfkme.exe	Clcflkic.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Mbiiek32.dll	Cciemedf.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Dnlidb32.exe	Dhmcfkme.exe
File opened for modification	C:\Windows\SysWOW64\Eijcpoac.exe	Dfijnd32.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Dnlidb32.exe	Dhmcfkme.exe
File opened for modification	C:\Windows\SysWOW64\Eeqdep32.exe	Eijcpoac.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hpapln32.exe
File created	C:\Windows\SysWOW64\Qinopgfb.dll	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Cgpgce32.exe	Bpcbqk32.exe
File opened for modification	C:\Windows\SysWOW64\Clcflkic.exe	Cciemedf.exe
File created	C:\Windows\SysWOW64\Dhmcfkme.exe	Clcflkic.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Cciemedf.exe	Cgpgce32.exe
File created	C:\Windows\SysWOW64\Ndkakief.dll	Eijcpoac.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Ddgkcd32.dll	Clcflkic.exe
File created	C:\Windows\SysWOW64\Hecjkifm.dll	Dhmcfkme.exe
File created	C:\Windows\SysWOW64\Lpdhmlbj.dll	Eeqdep32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Cgcmfjnn.dll	Dnlidb32.exe
File created	C:\Windows\SysWOW64\Eeqdep32.exe	Eijcpoac.exe
File created	C:\Windows\SysWOW64\Jkoginch.dll	Epieghdk.exe
File opened for modification	C:\Windows\SysWOW64\Ffnphf32.exe	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	Ffnphf32.exe
File opened for modification	C:\Windows\SysWOW64\Gonnhhln.exe	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Gclcefmh.dll	Bpcbqk32.exe
File created	C:\Windows\SysWOW64\Cgqjffca.dll	Dfijnd32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Gphmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Bpcbqk32.exe	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Cgpgce32.exe	Bpcbqk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1092	2824	WerFault.exe	50

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qinopgfb.dll"	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clcflkic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nejeco32.dll"	Cgpgce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegiig32.dll"	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eijcpoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll"	Eeqdep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gclcefmh.dll"	Bpcbqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgkcd32.dll"	Clcflkic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfijnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpcbqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll"	Dhmcfkme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnlidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clcflkic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnlidb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmcfkme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eijcpoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgpgce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgcmfjnn.dll"	Dnlidb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll"	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpcbqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eeqdep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgpgce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cciemedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cciemedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll"	Eijcpoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll"	Cciemedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll"	Dfijnd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2004	2232	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2004	2232	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2004	2232	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2004	2232	334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe	28
PID 2004 wrote to memory of 2584	2004	Bpcbqk32.exe	29
PID 2004 wrote to memory of 2584	2004	Bpcbqk32.exe	29
PID 2004 wrote to memory of 2584	2004	Bpcbqk32.exe	29
PID 2004 wrote to memory of 2584	2004	Bpcbqk32.exe	29
PID 2584 wrote to memory of 2024	2584	Cgpgce32.exe	30
PID 2584 wrote to memory of 2024	2584	Cgpgce32.exe	30
PID 2584 wrote to memory of 2024	2584	Cgpgce32.exe	30
PID 2584 wrote to memory of 2024	2584	Cgpgce32.exe	30
PID 2024 wrote to memory of 2728	2024	Cciemedf.exe	31
PID 2024 wrote to memory of 2728	2024	Cciemedf.exe	31
PID 2024 wrote to memory of 2728	2024	Cciemedf.exe	31
PID 2024 wrote to memory of 2728	2024	Cciemedf.exe	31
PID 2728 wrote to memory of 2612	2728	Clcflkic.exe	32
PID 2728 wrote to memory of 2612	2728	Clcflkic.exe	32
PID 2728 wrote to memory of 2612	2728	Clcflkic.exe	32
PID 2728 wrote to memory of 2612	2728	Clcflkic.exe	32
PID 2612 wrote to memory of 2516	2612	Dhmcfkme.exe	33
PID 2612 wrote to memory of 2516	2612	Dhmcfkme.exe	33
PID 2612 wrote to memory of 2516	2612	Dhmcfkme.exe	33
PID 2612 wrote to memory of 2516	2612	Dhmcfkme.exe	33
PID 2516 wrote to memory of 2912	2516	Dnlidb32.exe	34
PID 2516 wrote to memory of 2912	2516	Dnlidb32.exe	34
PID 2516 wrote to memory of 2912	2516	Dnlidb32.exe	34
PID 2516 wrote to memory of 2912	2516	Dnlidb32.exe	34
PID 2912 wrote to memory of 2788	2912	Dfijnd32.exe	35
PID 2912 wrote to memory of 2788	2912	Dfijnd32.exe	35
PID 2912 wrote to memory of 2788	2912	Dfijnd32.exe	35
PID 2912 wrote to memory of 2788	2912	Dfijnd32.exe	35
PID 2788 wrote to memory of 2064	2788	Eijcpoac.exe	36
PID 2788 wrote to memory of 2064	2788	Eijcpoac.exe	36
PID 2788 wrote to memory of 2064	2788	Eijcpoac.exe	36
PID 2788 wrote to memory of 2064	2788	Eijcpoac.exe	36
PID 2064 wrote to memory of 1608	2064	Eeqdep32.exe	37
PID 2064 wrote to memory of 1608	2064	Eeqdep32.exe	37
PID 2064 wrote to memory of 1608	2064	Eeqdep32.exe	37
PID 2064 wrote to memory of 1608	2064	Eeqdep32.exe	37
PID 1608 wrote to memory of 2684	1608	Epieghdk.exe	38
PID 1608 wrote to memory of 2684	1608	Epieghdk.exe	38
PID 1608 wrote to memory of 2684	1608	Epieghdk.exe	38
PID 1608 wrote to memory of 2684	1608	Epieghdk.exe	38
PID 2684 wrote to memory of 1268	2684	Fjgoce32.exe	39
PID 2684 wrote to memory of 1268	2684	Fjgoce32.exe	39
PID 2684 wrote to memory of 1268	2684	Fjgoce32.exe	39
PID 2684 wrote to memory of 1268	2684	Fjgoce32.exe	39
PID 1268 wrote to memory of 812	1268	Ffnphf32.exe	40
PID 1268 wrote to memory of 812	1268	Ffnphf32.exe	40
PID 1268 wrote to memory of 812	1268	Ffnphf32.exe	40
PID 1268 wrote to memory of 812	1268	Ffnphf32.exe	40
PID 812 wrote to memory of 2080	812	Gonnhhln.exe	41
PID 812 wrote to memory of 2080	812	Gonnhhln.exe	41
PID 812 wrote to memory of 2080	812	Gonnhhln.exe	41
PID 812 wrote to memory of 2080	812	Gonnhhln.exe	41
PID 2080 wrote to memory of 688	2080	Gpmjak32.exe	42
PID 2080 wrote to memory of 688	2080	Gpmjak32.exe	42
PID 2080 wrote to memory of 688	2080	Gpmjak32.exe	42
PID 2080 wrote to memory of 688	2080	Gpmjak32.exe	42
PID 688 wrote to memory of 1352	688	Gdamqndn.exe	43
PID 688 wrote to memory of 1352	688	Gdamqndn.exe	43
PID 688 wrote to memory of 1352	688	Gdamqndn.exe	43
PID 688 wrote to memory of 1352	688	Gdamqndn.exe	43

C:\Users\Admin\AppData\Local\Temp\334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\Bpcbqk32.exe
  C:\Windows\system32\Bpcbqk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\Cgpgce32.exe
    C:\Windows\system32\Cgpgce32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\Cciemedf.exe
      C:\Windows\system32\Cciemedf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Windows\SysWOW64\Clcflkic.exe
        
        C:\Windows\system32\Clcflkic.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\SysWOW64\Dhmcfkme.exe
        
        C:\Windows\system32\Dhmcfkme.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Dnlidb32.exe
        
        C:\Windows\system32\Dnlidb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Dfijnd32.exe
        
        C:\Windows\system32\Dfijnd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Eijcpoac.exe
        
        C:\Windows\system32\Eijcpoac.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Eeqdep32.exe
        
        C:\Windows\system32\Eeqdep32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Epieghdk.exe
        
        C:\Windows\system32\Epieghdk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Fjgoce32.exe
        
        C:\Windows\system32\Fjgoce32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Ffnphf32.exe
        
        C:\Windows\system32\Ffnphf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        24⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 140
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Clcflkic.exe

Filesize
576KB

MD5
be206b635541849b072bf50512982a25

SHA1
093eadb3e3d17c2e8b84d4f901ea00245300ed74

SHA256
f57197785f0719a3d3ce982a450bd5f38dde825e712dc101b0ed8e34999c64a1

SHA512
0193e057a41eab24ab4877c4d49e49a270eb7c0bc389a727c2b50057289c50c677e8454c2cb5133099cfb474a4e7f44b4b5b91928224af06c9cb36a4c4865eb4

Download Submit
C:\Windows\SysWOW64\Ddgkcd32.dll

Filesize
7KB

MD5
1bbc266ec9b99601a59bdc41f3348ef1

SHA1
d5a76f498c522a16666a8b0e78d9de7489a9f956

SHA256
4cc0f90cbdcf8febaa59800ce84f085cec57770c64f625ae9d771973d6dffcf4

SHA512
55e4e57429215f9f3a7468b04770c13d5acc05bce10e4ef9b6a30b27adb0569bfcc487a5cdab663156167568b303b9e366c22119f0da3f40e377a5f4f4bead76

Download Submit
C:\Windows\SysWOW64\Epieghdk.exe

Filesize
576KB

MD5
56080bb85b83f8aa2aed548f76338671

SHA1
be3eefdfbdb3d8fde9f358d7d3dbf327e7487e5a

SHA256
b76b229db2fb77be3cf0af68f3ee5cd4f9fc65d450c2e588951271689e32bbc3

SHA512
8494656dbfb9f53cd66566a77c4eb639dbbb793a121f3ed8beb08e251ac77e79e7ea8bbeeae7f4f857e656b6842dea85470b62114efc97e1ff3d0449d8777523

Download Submit
C:\Windows\SysWOW64\Ffnphf32.exe

Filesize
576KB

MD5
10d8d779e01dff4a27630077a52e815b

SHA1
2723991893a34959bf6ea8e103ba389fdf37452e

SHA256
dbc0576b1cbbb76cf80a240101877c8094ae1006c6a732192d097adc08581367

SHA512
989aa873f45eeef9080d54b771cd43cc63283a7d18d07d1f7b25fe7b19bd883648447ab72ec5f750de232afc8dd2e7b686ff1d6ebc8005601ef2295e9b1e7f73

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
576KB

MD5
d0887b1429e1b51137376a274b77c1ab

SHA1
e9b3a60c327fc6867eb87e5133431b2f95a3ff6b

SHA256
a5004d5b1c986615235826ac278bb79c75ef14217b80da5ad1710971896ba8d8

SHA512
6d4f40e44a688d742c04aaf1197bf8d62601fe288cfdfdb38d8e290503d9c057f8273a1963bb456605170e2fd96084f801db4ec54ada3c51172b57ff7011dd5d

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
576KB

MD5
c7ae4452da6f20bc08722cc9f0ddb02e

SHA1
5c5f133d7c9c0282f484775a8d85891de444f24e

SHA256
b8ba7070686441fad9e6f9c5cfb5e51a110373af5c10cf5545c9749228a72fef

SHA512
524d7bc0e00b04b1e83a05e1673b0632004d928c32e4bd4f0c45562848efda4c44dd1df212d916554be9fc7706eb74f85254272547ff6e8bd09e5c8a3187eac7

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
576KB

MD5
7f3126b14aede80108601ad7b453ac82

SHA1
d4002b6d912197a24e75615d6b3523aa1c124a47

SHA256
1aad6af750369b65b0c56de634844eec2156144f5c9252986cc1684c6489949b

SHA512
1e709e044f11faf2d9a21592857c39a5e326b1a39eb8594fbe3aff1395d73d4950eb05327873e108a4581b95860efb269f1813dfcb9ac7e0ce8aa27f43ff8a40

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
576KB

MD5
1783f717df6ab84f6c06c0db07885917

SHA1
0fb63a43df1e33fa73e39a81ba18f8793338d2e8

SHA256
4ac38499ee3db99ee393472dba5c34ffcf344d201caa73d759b0ac22a2bcad19

SHA512
cb055794bce7294cff147348efecaa8940d9df2e17c6bf98e4cc3919946bb0d2920a300d013cdaccbc79b3072b6dc38e5a2d280cc223b545a38ed49de0fbdc32

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
576KB

MD5
7e63de2b8c6a5465b8662bf8db3b0e4b

SHA1
3388d1c2e282c929aadd91eab57afdd20d25b728

SHA256
0b0945376137b51183fa1d28a34b7219720f8da9457ba78a712289f9d7880268

SHA512
8400e11125d3e1ebfcd46ff13df9fed87eeb15dbecef28f47151381d61b1b2bc99969353e54cfc9de2df18436b5cc02f0e8ef81c5d0d629031eabb064b42cced

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
576KB

MD5
81a967d71edd394dcd7e33f8464f256e

SHA1
87c700fb51b8c27cbe32842f2522fbb99208ceac

SHA256
273858da2b50fae262656c909b724024d89dca9fbbb5f1362760cb0947033508

SHA512
053ba7fd226c673a092d466c5fd81b329b2473ec2a281118ee2e72d8d912ba7520645bb68a2f6d4bc874ba3b8b714dc129eefb654bdb3ba954fd084dc9f3b9c4

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
576KB

MD5
8804308d87389349269310416cf462e8

SHA1
748bda277027d4d880cc5dba7e436f2721a69cf8

SHA256
d5a5ae90787d53e8a99296aaac65a354e2e66cec3927a89e2b66913e80d1e05c

SHA512
b7dbcf867539e46b37428bb85653107c75748a8f4979d9af3603167b20e907c6dba7dacb01ec8d3826e735a86274c836bb7ab496d06efaec359bb9ddbdbbdfb6

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
576KB

MD5
3c4362754f7a5a5022ae6d483bdf359b

SHA1
c507057131cb00ef883c68e6410ff1a8d22c4270

SHA256
115b947d77d5a0593afc795bc0594774fa198f27f9c0d1ba168911e00343a0a5

SHA512
b36e6bac389a60cbda4fd57bdda6ca27286ae0d7deb7897ab3664bcb829bb30c4c5432a4909ba1ff14b14db7c7f171a6c8a7f1e3fe01449b041af73f21241aec

Download Submit
\Windows\SysWOW64\Bpcbqk32.exe

Filesize
576KB

MD5
7bbf7663ba2f0be3a8d8d2d86549db1d

SHA1
2737b46202332760fdf1ed8c953451a7f05a61d9

SHA256
9cb7ce2ae5ddfa863b482307f036aebcdea081babef24369ba16e0163cb56f70

SHA512
82f37f68fb466b3db1824a1f9bf170a06bf79b9efdde9d63c757411f93483cbee7831af7668dcffb8ffa96c73f7d09a28fef939ebd30beb33796ac422b70a577

Download Submit
\Windows\SysWOW64\Cciemedf.exe

Filesize
576KB

MD5
9d0cbc8285069bfdddc2981e93149330

SHA1
8eb877aadb39753b146d292df87782cf2e16f4ab

SHA256
2612040be28915f39040a77a29183ce810c7fed401f585d562c249bcfc4201c8

SHA512
4e00f16dc05d1744de21db130ae30d0f1256e491263d6924fc7f413611ee3218c12013354cd4432938d3af3e255eb89d910d335ed4eb3be67023dc18ea37c9a6

Download Submit
\Windows\SysWOW64\Cgpgce32.exe

Filesize
576KB

MD5
f96f4441635a8fd962dc55eddacd87c4

SHA1
914185ea40d7dd44d12aa7b571e54a2ec26ec412

SHA256
5c8747198dd3024d61c25ac3a17c126aa5fbf5294da9969176d60ff9d79a16ef

SHA512
7f3ca7069702f3210dfab27e05d1e83607756c938b68eefc484facdd1efb5533f28523eea56a7b4088f767a7322b630ed8b73b672ba9bdd13f0f0ac02c3bfbe9

Download Submit
\Windows\SysWOW64\Dfijnd32.exe

Filesize
576KB

MD5
4baf815f1dcb0556ad810003099215b4

SHA1
6e0c2f4bfe49f26acdee4406ee58ace69d2321b3

SHA256
fa1148ae435029ff6dfba8fff9b8131a7689b56826d52803e05023366977ce75

SHA512
26665d363fc9a355c0f1d494bba119071f9f57a1d117d64ae9e8d499d36bbe4a74be6191e760ce3c3c40aa740025cc108695aef29736dc4aa60d5534324d97fa

Download Submit
\Windows\SysWOW64\Dhmcfkme.exe

Filesize
576KB

MD5
acb3be5c9868c7a74f0e104b91628e49

SHA1
dc660073bac00e182574fc6c83e32a45620e9400

SHA256
f3ba32f1bfc4ac25c8916298194f4127406f35d695833ce7cf3ca761fba7e5cc

SHA512
425320ca69e9b3ff99ae153909d0569dd444c27d09fac7d32235dcf7b5d9c793819dfe71767071fefb66cb09e344b4419209be949d9ecaf891d59ca787206f44

Download Submit
\Windows\SysWOW64\Dnlidb32.exe

Filesize
576KB

MD5
d74c9c442228da4844e07dff1b654eea

SHA1
47f0d81f928acfa9dc4e2f7a6843b9c945871df9

SHA256
055b49976c9902e54faf1eed349cb2422e5d4bf122e4d3d02071e6c94d86758d

SHA512
eb9226f4de30c055318f7d3fbbd3307085538a4a189e33bb6b429a1acd52d42c55e2b90c41051fc059eee7c0d789927835ceb13b13f0baf9efdb3157d9bff7bb

Download Submit
\Windows\SysWOW64\Eeqdep32.exe

Filesize
576KB

MD5
a445106f041da8d711805053434c87c2

SHA1
5af1d077e506a94ec55208006e9d8b5ce85cc929

SHA256
0529013239058d050635f2734a506370d332255c27af5ab6ea44beb91f3e2829

SHA512
f607661fc49ca111a2b3ae99de545aaaad605cd7648b8930706e7f102a2de6b42f4a8c88e3e6d790fdfa51fd19b69909f91869929d44ccc12ffc8701b2af37ea

Download Submit
\Windows\SysWOW64\Eijcpoac.exe

Filesize
576KB

MD5
4cbbcd5e307d584978b1cc8ab3cea511

SHA1
0eed94e7ffce06dfa9fcc6fc77c68d479e2c3508

SHA256
c06a632986b238b078de7ba0d4a202d81f7f16f2de70b665e723cf3e7040eb5f

SHA512
b2cc05ec133a313088e8a01f7db1230e6d542e5a26d32aaf381c041d38497cb657b59a7f4fe972bce95e6ef9320991d1c2c1e8ce8a83541985939fa6d1435bba

Download Submit
\Windows\SysWOW64\Fjgoce32.exe

Filesize
576KB

MD5
8d2e16f8cbcaea14a7dd462d7bb164bf

SHA1
c6dd06677144f6785f9e8e3185b553808329aedc

SHA256
8b61e32888fa07649b0aff8c567fc40af060d5996f419e74412ad31a65ab85ed

SHA512
78549c6f4b16815ae68dae8d46b92e311b115a09f48d156cfb486099b2006351aeb52f4a58470b640eb527b37700246486dcae866b94a17e350330233adaa66f

Download Submit
\Windows\SysWOW64\Gdamqndn.exe

Filesize
576KB

MD5
53e915e8b2fd1d19d4df01f417b38d8a

SHA1
590228a67916d8b9f68324bbc4be62d6f986af2d

SHA256
c9edee912c81c402f487da2e2ebb0ea19f59b96259eb82da9abf76580b83b6fe

SHA512
637eb897e1e40f516dbd7199064d0440be000c2ff0bac6788b8bcf8c926fd1b6d1f9732b013b2acee9292a382db4f2755cd7d748fe6d99f54abeb9a466c3e863

Download Submit
\Windows\SysWOW64\Gonnhhln.exe

Filesize
576KB

MD5
f52a2b5a996425c9ec2477dcdfb9a2c4

SHA1
7e9f69509a7620733fe71c5c56b005b13ede4123

SHA256
4488d321b73d0884049973f24795c008b979c3a4a1724a3f457ef1958ade5eb9

SHA512
e29bb3bbffd7b44af548f1fdbef5d1b44bcbe71db017e5a5e5bc15c60aec0540d65b82df5ac930269aefff7dcd9ca94cf7773ca99ddbb250fc485fa9eaef01a1

Download Submit
\Windows\SysWOW64\Gpmjak32.exe

Filesize
576KB

MD5
5f6136fb13cd1681441bb86df8dc9499

SHA1
782999ff130a71bb03c1edd641c67c7dff552742

SHA256
ff095c3a53578f6bca765115ec38ad1eef7dbf26c6aa4acba654c13a5622a7e9

SHA512
f9ebf48d7ccd032fa86adabb8e8bc2214a82a5d9389323391bb4d48c7310fc1576cfd1ea5a6e3a3bee12089c4f3215498237c71e5510a6cb21d246b9c7f49e84

Download Submit
memory/556-290-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/556-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-220-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/756-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-280-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/812-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-188-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/812-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-248-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1240-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-174-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1268-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-236-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1524-273-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/1524-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-145-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2004-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-23-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2024-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-51-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2024-53-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2064-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-137-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2080-201-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2080-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-260-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2188-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-6-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2232-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-89-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2516-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-33-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2612-80-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2612-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-164-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2684-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-61-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2728-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-121-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2788-122-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2824-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-103-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads