b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
Size

94KB
MD5

a966a801e0a174e9e8ac9b0609dcfd50
SHA1

1dbb3259a67b16bf05b4bc83ccbfb0088b288068
SHA256

b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95
SHA512

5b9cc9386abf44f25201376ed4c12c5f7903446d717f42f5a6f1c7931e97a28e931054fb36d400f3b30fcd5c6a6ffc311ee9ffcd6079b8a39f20b93f3d74012c
SSDEEP

1536:yg8irMG8ebUsDXeIIXIIdIIXIIXIIiIIiIIiIIS0IIIIIIIIIIm9IIrIIIIIIen/:yJEMG7Qsj1cpHYMQH2qC7ZQOlzSLUK64

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inljnfkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hobcak32.exe

Executes dropped EXE 23 IoCs

pid	Process
2024	Hpkjko32.exe
2924	Hcifgjgc.exe
2648	Hgdbhi32.exe
2660	Hnojdcfi.exe
2528	Hpmgqnfl.exe
2544	Hckcmjep.exe
2580	Hejoiedd.exe
1624	Hiekid32.exe
848	Hlcgeo32.exe
2832	Hobcak32.exe
1928	Hellne32.exe
2240	Hhjhkq32.exe
1528	Hpapln32.exe
2432	Hodpgjha.exe
1208	Henidd32.exe
2452	Hhmepp32.exe
2868	Iaeiieeb.exe
824	Ieqeidnl.exe
1540	Idceea32.exe
1444	Ilknfn32.exe
828	Ioijbj32.exe
1328	Inljnfkg.exe
2408	Iagfoe32.exe

Loads dropped DLL 50 IoCs

pid	Process
2056	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
2056	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
2024	Hpkjko32.exe
2024	Hpkjko32.exe
2924	Hcifgjgc.exe
2924	Hcifgjgc.exe
2648	Hgdbhi32.exe
2648	Hgdbhi32.exe
2660	Hnojdcfi.exe
2660	Hnojdcfi.exe
2528	Hpmgqnfl.exe
2528	Hpmgqnfl.exe
2544	Hckcmjep.exe
2544	Hckcmjep.exe
2580	Hejoiedd.exe
2580	Hejoiedd.exe
1624	Hiekid32.exe
1624	Hiekid32.exe
848	Hlcgeo32.exe
848	Hlcgeo32.exe
2832	Hobcak32.exe
2832	Hobcak32.exe
1928	Hellne32.exe
1928	Hellne32.exe
2240	Hhjhkq32.exe
2240	Hhjhkq32.exe
1528	Hpapln32.exe
1528	Hpapln32.exe
2432	Hodpgjha.exe
2432	Hodpgjha.exe
1208	Henidd32.exe
1208	Henidd32.exe
2452	Hhmepp32.exe
2452	Hhmepp32.exe
2868	Iaeiieeb.exe
2868	Iaeiieeb.exe
824	Ieqeidnl.exe
824	Ieqeidnl.exe
1540	Idceea32.exe
1540	Idceea32.exe
1444	Ilknfn32.exe
1444	Ilknfn32.exe
828	Ioijbj32.exe
828	Ioijbj32.exe
1328	Inljnfkg.exe
1328	Inljnfkg.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Jdnaob32.dll	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hiekid32.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Inljnfkg.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hiekid32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hiekid32.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hpapln32.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Inljnfkg.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process
2008	2408	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inljnfkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hiekid32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2024	2056	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 2024	2056	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 2024	2056	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 2024	2056	b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe	28
PID 2024 wrote to memory of 2924	2024	Hpkjko32.exe	29
PID 2024 wrote to memory of 2924	2024	Hpkjko32.exe	29
PID 2024 wrote to memory of 2924	2024	Hpkjko32.exe	29
PID 2024 wrote to memory of 2924	2024	Hpkjko32.exe	29
PID 2924 wrote to memory of 2648	2924	Hcifgjgc.exe	30
PID 2924 wrote to memory of 2648	2924	Hcifgjgc.exe	30
PID 2924 wrote to memory of 2648	2924	Hcifgjgc.exe	30
PID 2924 wrote to memory of 2648	2924	Hcifgjgc.exe	30
PID 2648 wrote to memory of 2660	2648	Hgdbhi32.exe	31
PID 2648 wrote to memory of 2660	2648	Hgdbhi32.exe	31
PID 2648 wrote to memory of 2660	2648	Hgdbhi32.exe	31
PID 2648 wrote to memory of 2660	2648	Hgdbhi32.exe	31
PID 2660 wrote to memory of 2528	2660	Hnojdcfi.exe	32
PID 2660 wrote to memory of 2528	2660	Hnojdcfi.exe	32
PID 2660 wrote to memory of 2528	2660	Hnojdcfi.exe	32
PID 2660 wrote to memory of 2528	2660	Hnojdcfi.exe	32
PID 2528 wrote to memory of 2544	2528	Hpmgqnfl.exe	33
PID 2528 wrote to memory of 2544	2528	Hpmgqnfl.exe	33
PID 2528 wrote to memory of 2544	2528	Hpmgqnfl.exe	33
PID 2528 wrote to memory of 2544	2528	Hpmgqnfl.exe	33
PID 2544 wrote to memory of 2580	2544	Hckcmjep.exe	34
PID 2544 wrote to memory of 2580	2544	Hckcmjep.exe	34
PID 2544 wrote to memory of 2580	2544	Hckcmjep.exe	34
PID 2544 wrote to memory of 2580	2544	Hckcmjep.exe	34
PID 2580 wrote to memory of 1624	2580	Hejoiedd.exe	35
PID 2580 wrote to memory of 1624	2580	Hejoiedd.exe	35
PID 2580 wrote to memory of 1624	2580	Hejoiedd.exe	35
PID 2580 wrote to memory of 1624	2580	Hejoiedd.exe	35
PID 1624 wrote to memory of 848	1624	Hiekid32.exe	36
PID 1624 wrote to memory of 848	1624	Hiekid32.exe	36
PID 1624 wrote to memory of 848	1624	Hiekid32.exe	36
PID 1624 wrote to memory of 848	1624	Hiekid32.exe	36
PID 848 wrote to memory of 2832	848	Hlcgeo32.exe	37
PID 848 wrote to memory of 2832	848	Hlcgeo32.exe	37
PID 848 wrote to memory of 2832	848	Hlcgeo32.exe	37
PID 848 wrote to memory of 2832	848	Hlcgeo32.exe	37
PID 2832 wrote to memory of 1928	2832	Hobcak32.exe	38
PID 2832 wrote to memory of 1928	2832	Hobcak32.exe	38
PID 2832 wrote to memory of 1928	2832	Hobcak32.exe	38
PID 2832 wrote to memory of 1928	2832	Hobcak32.exe	38
PID 1928 wrote to memory of 2240	1928	Hellne32.exe	39
PID 1928 wrote to memory of 2240	1928	Hellne32.exe	39
PID 1928 wrote to memory of 2240	1928	Hellne32.exe	39
PID 1928 wrote to memory of 2240	1928	Hellne32.exe	39
PID 2240 wrote to memory of 1528	2240	Hhjhkq32.exe	40
PID 2240 wrote to memory of 1528	2240	Hhjhkq32.exe	40
PID 2240 wrote to memory of 1528	2240	Hhjhkq32.exe	40
PID 2240 wrote to memory of 1528	2240	Hhjhkq32.exe	40
PID 1528 wrote to memory of 2432	1528	Hpapln32.exe	41
PID 1528 wrote to memory of 2432	1528	Hpapln32.exe	41
PID 1528 wrote to memory of 2432	1528	Hpapln32.exe	41
PID 1528 wrote to memory of 2432	1528	Hpapln32.exe	41
PID 2432 wrote to memory of 1208	2432	Hodpgjha.exe	42
PID 2432 wrote to memory of 1208	2432	Hodpgjha.exe	42
PID 2432 wrote to memory of 1208	2432	Hodpgjha.exe	42
PID 2432 wrote to memory of 1208	2432	Hodpgjha.exe	42
PID 1208 wrote to memory of 2452	1208	Henidd32.exe	43
PID 1208 wrote to memory of 2452	1208	Henidd32.exe	43
PID 1208 wrote to memory of 2452	1208	Henidd32.exe	43
PID 1208 wrote to memory of 2452	1208	Henidd32.exe	43

C:\Users\Admin\AppData\Local\Temp\b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b3f687f1b95a66825afd0af31ed706378803ce992b10f72c20e12408a9e1dc95_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\Hpkjko32.exe
  C:\Windows\system32\Hpkjko32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\Hcifgjgc.exe
    C:\Windows\system32\Hcifgjgc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\Hgdbhi32.exe
      C:\Windows\system32\Hgdbhi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Inljnfkg.exe
        
        C:\Windows\system32\Inljnfkg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        24⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 140
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hcifgjgc.exe

Filesize
94KB

MD5
83b433fe65a3a784a049071cc7d9507e

SHA1
fee5a416a8790b913c0d260b396cb959626e171e

SHA256
52bd0eb3d57ffd471b16fbe3637737dd5d2270e8b2128f1ff1762dd9ee254eec

SHA512
c79c4cdde985b56a34732d6425a1c98aabf02b1269d1eced3cdda39d6756b21a6a7a47bb2c12994aa0b4c47efddb3214e5c43abc74bf7fdeec32dee94f0d2276

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
94KB

MD5
4ec982aaa22fff6016ce67fe785dc0aa

SHA1
7897157fe4929748386304f94dee5b014efe4a95

SHA256
b20d97ad311e21a2bfd86600348a4f378185c8fed1771bb12e7a62fa979c57ac

SHA512
370c509994fa8d1875c53580265862ff97a51effdf7e61b468d53b03217d1a827bc13452e28a6959962b932e14133507d176b5ac864330009dedf0b229d80ac9

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
94KB

MD5
3da3188de8e765d89751eaa6e2975c55

SHA1
29330f8a12df157831facb68e6ecd67c0e83dee5

SHA256
3e273815fcf71c8eb6199f1341345bbe140338eb6d3deedc4441aef6e845397e

SHA512
a7a37cba3837fc15cc3dfcbd24331d03247040b68f621b252561d5fe32d70b25b9af703c50a491ae40b62550e9674e017e82a87207662a41bf794a6cc8bd9f6e

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
94KB

MD5
46eea4d368c0e83ccb5cc1285aadd6d1

SHA1
717cfc77afb182892b486133c011b721e05ec597

SHA256
db672c305da244af0258f57005c08089c623fcac1f23efd386314bdb32ac2b69

SHA512
8be286847940944ee8303c3c7796cd36585fee05a9117e12c51c0b95e0d1f4224c11468ea7c03096663f7ced9080e73db3b7821b9fb80b36487701fdf57e8048

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
94KB

MD5
444683b6f6b69db9f63e61e80773a59d

SHA1
fd03f09d6468cfb25c52fe1715961dcd6173f4c6

SHA256
501ece9e16120f5652574c3a63ccbfe9fafc863d801c7415da40a5ae832b0e78

SHA512
1ae9c038d774e657a5f37340c8d4a8617fa84d8c807e6beb9f8e0a8cf9cc3c3b6a69341f1e72f7ea1f926d52cd13aae35bcc1a1d9d2d85c0209673dd2bb61d58

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
94KB

MD5
5a499ca56f5628707b4d81fd0ff7ff4b

SHA1
c452940832f726ee150518ed7a36008dabb347ed

SHA256
b31b9222ef45202702a7304b5d61c89b30b71f1f9681341fbad799aecb3ced02

SHA512
f3c91f2423ca4cca40c20493060b1fb24f9a97944f9f98642ae3f54264ca7d1d6fcc5bedb97d0d2c09429b3e18f2030c897673773e8c150ccac83dea924640ff

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
94KB

MD5
79ac22bf4aa635e4065b3c6224069e7d

SHA1
51169d3272bbee4131831ed28ef3a8572510f8bc

SHA256
fabda4edbd815cfb9418336bc142728e9052a64bfc078e59d16324d67e8cdae3

SHA512
ec402912feb41c33617bebf3aa0d512dc4750fc8331170fcf3b05895b358bb0152211eeb7fe7e99bdc80e52edb72b785980ce1d59925c9553645f4075563d040

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
94KB

MD5
7182ee98e7b7671b598093d1dfa8e3a5

SHA1
5e0cfaeac201280e6d9fda44a550cd955fab9985

SHA256
93f101e8b85fc122c4fc428b35f326a85183eda4f7359e645d1eb3add7610603

SHA512
a4c0c59de09e539b7cce7f9dfc6d98feee059489189d1449dedec92b9b1f409b6388fda3f0a9ed00d0a4b35c4fac06d23e067a4269e640985117455f9fadc8df

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
94KB

MD5
ba5ad30c1d00b38442dca753241d8103

SHA1
c0c38322ca13b6f2893f1153c691312ce6392d29

SHA256
15bfee1715a90f349db2cebe676ba3c7957ee0faad85f7d2877a76c1f1d46775

SHA512
c6b258ef436b04bf84e2e7dc295392bc806dbbb004693dd6ca107826b0f4dfb8ba9611c3bf4348afd21a4cbd71a01a782667ca13fe98a4fa78838b06cd7fe8be

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
94KB

MD5
048aa19143a3f8933d1bf74a1f3e2cd3

SHA1
5067493dbfa814618a47ff4ab398c5784e800763

SHA256
f1fe9da0208209e2b773b822581d7dc2a80c3efe6ef8f40a9a10a0670e92d8b7

SHA512
752fbb1c54baf17cd3577b0fe63809d2eed8e03e9d49cdb7abd01c3333a4358b7d5420c231018cc03a231dc0770243ef34cb52e63415dbee24281b103e9cb5d1

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
94KB

MD5
e35b72c45691cb1a6a1909be8071e288

SHA1
b69a386650f1478d3a61ea15c1077d723abc9421

SHA256
5b2f48cac63ed4bb4c8aa0e22f0ec8f16a7d03506cd3ede8ee64714b557f15f7

SHA512
5ef48da4f48795dc42aa686473ab522427db8dfacc3246f0c218e9e13270a3269532584d7f2cc0c095cfaeb14fb4c0403a52de6bbc86937498860f4bcd40df8e

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
94KB

MD5
8f61d165597a46ec9d3595f16950339d

SHA1
f3b4e49bb89241104bba74f180b8bc5ae0b78a12

SHA256
596bb194a33af327236b5a321094a3b3038a61f5d0626e4213e4126ecb7ba3b7

SHA512
273da19ef1495989009ecc41de6a7a9f1dfd665c71ce3b27a178b44cea61684e9990095c7fd93fa2a857f958d2b8535885d4f35fed4f50b22d1623c3019546f0

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
94KB

MD5
e8f52bab84c57528798f9c635091d06a

SHA1
d27b5438eaf4c9c747c71a77849581e6c582038c

SHA256
440f81d23f686c8ad4ed07d3e83425d73add2c7f1a681689b29a8e18fdeaea4e

SHA512
2278ce0c28cb1b77e43135217a9e1f9d1cb9f62d26c531e0c99d4c40c0de6e2b5865161d04b4c19c1e86a430c06cdae68993f312d0b5f0dfdc0e3f2c0593e492

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
94KB

MD5
61916921b9b1d962078c9eb0826401c1

SHA1
e1f6f727f25b45e75468ae16ec74c7a9a3a0099c

SHA256
79f6b34e95dbe5a073ecc05b720bab634b09bd2176acc38ee94281ed0d82f261

SHA512
0a917070d1b79c8aeaebe3cb5faec006fc12b449761a58e170822cb051661167ad5377b961698eda22d34c9a5513716b826af0b39aebc8cb8ee757f6555891db

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
94KB

MD5
48efc2d4d169a71b6eb651a16d29f06f

SHA1
77504cfa5f7472afc366a1f6ae2bb8bbe3d8aa04

SHA256
346c07474d37732a06dd1c52a4be4cccf2fe29d6aa3a271f423a1077a6ce9e95

SHA512
9c169f41d5494349382ecf820db16da7495bb2bae7bed7814d09c9393dfb38d655b38a528d247533226285e151af9cb153fee1c253519a97bbd62429d081f2bc

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
94KB

MD5
2690bd4ad549a33de9d881e03a765302

SHA1
086d8478719fe91527ffe5f21aa76cdaea528489

SHA256
051372bef07655be449c671fa3a497bd9826b996b80f9be2eaa04e8469b8d9b6

SHA512
0469dc980247177805001dddaf05df12418a0573cc29394b709c46055cf74d46580a616dafaa071ff99eae51cf99da022e1926bc4a5f799f0f077f018e29aa07

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
94KB

MD5
125b49fba177e8f47b94f45510313b97

SHA1
9b38fa9b0008b2cfa0d44ed008d53c7acce24423

SHA256
6ade7186f3e365c8b5a2a20cbda78f0b9c0a1c4d4c3f0f0e64b5f625bc19b340

SHA512
c13e8cab7cd47947e5b3ea2c0e6c62d3ef17cbddb3d35515960dc72e88af559489cfb53e9130bd9f716443990b87668a8524995835753b75ddd2185908e8d1a2

Download Submit
C:\Windows\SysWOW64\Inljnfkg.exe

Filesize
94KB

MD5
03b304df53b3118dc7eeba26f9e5351c

SHA1
1a1a668c2c36fb4cba7402143d07946ce9423af9

SHA256
025aa0b5346a4e7ad538ecf0a616accaadbc71550401f0d3d58c0d3186bbde36

SHA512
d9488e2dc42693e260058358f85ceb4133e97a4523cf80fd228622af811b416ae08aea3338ff403d88be03315a4a7f71dc032c5f872ed273dba717d5a5380708

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
94KB

MD5
1e82845832106d54bfbc0c366b21848a

SHA1
643ff457d94033a61f585c98cfa67247b4efdd5c

SHA256
5e03fc7487c02dbe5065ef2d3e94c66982086184d3a109d500208e7beda972dc

SHA512
5ccf8ba2c31e8ab315be0d4dd37e1aa5418823d9d7c3b918606dbb5dc408d0a204ebe0b7adf9eac89d6ca4d088d64f36aa284dc04e36525c63d333f719bb52f9

Download Submit
\Windows\SysWOW64\Hejoiedd.exe

Filesize
94KB

MD5
c279733da002a836c3737efd30085fc3

SHA1
a87d8458eccb79700a43bb44f030c33d11b6de22

SHA256
be0c3eb8cb99951d3ce3423f4265db287d449f624666436e2ec3bd6ac5203db9

SHA512
2ef5e4dc21ae46b9c7d51183f8fc73c0a7a7ce441673cc2e181ea021a9f8ae4d3c6bbf0d412573a6d04188ce09366c17d6c0f94d30cdcb59f78eac244cd529fc

Download Submit
\Windows\SysWOW64\Hobcak32.exe

Filesize
94KB

MD5
36829f380593d7d95b1233f2f3108dd6

SHA1
b390383ac5b0bc8d271748658d1f2bf3a30a5f38

SHA256
01953ce44e0a5ac60688a2d9e1a372cce35888cbd43111d493169f33b0de6943

SHA512
5f9e466b2b1fddee8b9dc2c538ea4a033850c546cf72a1dbc598ab1190b2319329566cbd862c7afe7c6e92b53bb97b5a6eb3f4052b6acc47490f47bf2bec801a

Download Submit
\Windows\SysWOW64\Hpapln32.exe

Filesize
94KB

MD5
47d65e54276c6aa8fcc7ac1a2240a46b

SHA1
6a64ec2b35be2b6d7235fc6417e11963b77a5e41

SHA256
7980f14306e624c01e0917833f3325ada3bc0c3c729e0ce2d3653de5e7ec532c

SHA512
0bea96ba537dedb0f99357cf76f06db25829c66cdc6c935c8c31e47556c24e008a6b95b97ce758105314385d46acaf6c3544b2dcfb4542f6d5ab385580e6351c

Download Submit
\Windows\SysWOW64\Hpkjko32.exe

Filesize
94KB

MD5
d7ce81a596670d17e669f00c6f9ff66f

SHA1
78f6fcdc7438d787af3ecae02b969a396dac4381

SHA256
a9e79d6b5414923a472364c64c1162a3b26c397a92868b2b7a23876c3d1acca9

SHA512
bbf702e9144470dadf8cd289ecdbcdbc1857beacfb224d7664ad3155c63a464bde37145c67d8fca281757eaa5de01150f672eecceca00dea3e1b901f9f57b2d4

Download Submit
memory/824-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/828-285-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/828-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/828-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/828-301-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/848-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/848-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1208-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1328-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1328-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1444-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1528-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1528-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1540-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1540-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-161-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2024-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-6-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2056-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-92-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-18-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2240-180-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2240-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2432-215-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2432-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2432-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2544-84-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2544-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2544-98-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2580-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2648-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2648-48-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2648-134-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2648-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2832-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2832-150-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2832-147-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2832-224-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2832-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2868-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2868-245-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2868-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads