5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
Size

512KB
MD5

cdb98991a3502ab790fa12660a374660
SHA1

127d68007768510a61efc8e376c3ff538b67ed9a
SHA256

5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362
SHA512

e857c449ddbee8235de2b2930a9a3921d25b7485b60e2cbb4c41cd71c06d51608b8a64323f5c0dcc5e4f65b85c12eef600015872482f4fb589fd924dc98a623c
SSDEEP

6144:UjrdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01PB93GxK:hr/Ng1/Nblt01PBExK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcqpmep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlnkmha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epfhbign.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faokjpfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egamfkdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfijnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epfhbign.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbbkja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egamfkdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faokjpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcqpmep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdlnkmha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkmmhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfijnd32.exe

Executes dropped EXE 20 IoCs

pid	Process
1988	Chcqpmep.exe
3040	Cdlnkmha.exe
2668	Dbbkja32.exe
1236	Dkmmhf32.exe
2468	Dmafennb.exe
2460	Dfijnd32.exe
2808	Epfhbign.exe
2992	Egamfkdh.exe
1488	Faokjpfd.exe
2624	Fhkpmjln.exe
2632	Fbgmbg32.exe
844	Glaoalkh.exe
1108	Gobgcg32.exe
1676	Ghmiam32.exe
2876	Gmjaic32.exe
1028	Hcifgjgc.exe
1864	Hcplhi32.exe
2840	Icbimi32.exe
2284	Ieqeidnl.exe
2008	Iagfoe32.exe

Loads dropped DLL 44 IoCs

pid	Process
2336	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
2336	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
1988	Chcqpmep.exe
1988	Chcqpmep.exe
3040	Cdlnkmha.exe
3040	Cdlnkmha.exe
2668	Dbbkja32.exe
2668	Dbbkja32.exe
1236	Dkmmhf32.exe
1236	Dkmmhf32.exe
2468	Dmafennb.exe
2468	Dmafennb.exe
2460	Dfijnd32.exe
2460	Dfijnd32.exe
2808	Epfhbign.exe
2808	Epfhbign.exe
2992	Egamfkdh.exe
2992	Egamfkdh.exe
1488	Faokjpfd.exe
1488	Faokjpfd.exe
2624	Fhkpmjln.exe
2624	Fhkpmjln.exe
2632	Fbgmbg32.exe
2632	Fbgmbg32.exe
844	Glaoalkh.exe
844	Glaoalkh.exe
1108	Gobgcg32.exe
1108	Gobgcg32.exe
1676	Ghmiam32.exe
1676	Ghmiam32.exe
2876	Gmjaic32.exe
2876	Gmjaic32.exe
1028	Hcifgjgc.exe
1028	Hcifgjgc.exe
1864	Hcplhi32.exe
1864	Hcplhi32.exe
2840	Icbimi32.exe
2840	Icbimi32.exe
2284	Ieqeidnl.exe
2284	Ieqeidnl.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Aimkgn32.dll	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Gmjaic32.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Fhkpmjln.exe	Faokjpfd.exe
File opened for modification	C:\Windows\SysWOW64\Dkmmhf32.exe	Dbbkja32.exe
File created	C:\Windows\SysWOW64\Bfekgp32.dll	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Glaoalkh.exe	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Icbimi32.exe
File created	C:\Windows\SysWOW64\Cdlnkmha.exe	Chcqpmep.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Glaoalkh.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Ikkbnm32.dll	Faokjpfd.exe
File created	C:\Windows\SysWOW64\Pkjapnke.dll	Cdlnkmha.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Gmjaic32.exe
File opened for modification	C:\Windows\SysWOW64\Cdlnkmha.exe	Chcqpmep.exe
File opened for modification	C:\Windows\SysWOW64\Gmjaic32.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Bnpmlfkm.dll	Epfhbign.exe
File opened for modification	C:\Windows\SysWOW64\Egamfkdh.exe	Epfhbign.exe
File created	C:\Windows\SysWOW64\Dmafennb.exe	Dkmmhf32.exe
File opened for modification	C:\Windows\SysWOW64\Epfhbign.exe	Dfijnd32.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Fhkpmjln.exe
File opened for modification	C:\Windows\SysWOW64\Glaoalkh.exe	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Nlbodgap.dll	Chcqpmep.exe
File opened for modification	C:\Windows\SysWOW64\Dfijnd32.exe	Dmafennb.exe
File created	C:\Windows\SysWOW64\Cgcmfjnn.dll	Dmafennb.exe
File created	C:\Windows\SysWOW64\Chcphm32.dll	Dfijnd32.exe
File opened for modification	C:\Windows\SysWOW64\Faokjpfd.exe	Egamfkdh.exe
File opened for modification	C:\Windows\SysWOW64\Fbgmbg32.exe	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Addnil32.dll	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Chcqpmep.exe	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dfijnd32.exe	Dmafennb.exe
File created	C:\Windows\SysWOW64\Gmjaic32.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Dbbkja32.exe	Cdlnkmha.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Dkmmhf32.exe	Dbbkja32.exe
File created	C:\Windows\SysWOW64\Cqmnhocj.dll	Egamfkdh.exe
File created	C:\Windows\SysWOW64\Epfhbign.exe	Dfijnd32.exe
File opened for modification	C:\Windows\SysWOW64\Dmafennb.exe	Dkmmhf32.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Chcqpmep.exe	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jpbpbqda.dll	Dkmmhf32.exe
File created	C:\Windows\SysWOW64\Egamfkdh.exe	Epfhbign.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Dbbkja32.exe	Cdlnkmha.exe
File created	C:\Windows\SysWOW64\Epgnljad.dll	Dbbkja32.exe
File created	C:\Windows\SysWOW64\Faokjpfd.exe	Egamfkdh.exe
File opened for modification	C:\Windows\SysWOW64\Fhkpmjln.exe	Faokjpfd.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Gbhfilfi.dll	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1504	2008	WerFault.exe	47

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfijnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egamfkdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcqpmep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdlnkmha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhfilfi.dll"	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Faokjpfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfijnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epfhbign.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epfhbign.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgnljad.dll"	Dbbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgcmfjnn.dll"	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll"	Dfijnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll"	Faokjpfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdlnkmha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egamfkdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faokjpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjapnke.dll"	Cdlnkmha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnpmlfkm.dll"	Epfhbign.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll"	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll"	Chcqpmep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll"	Egamfkdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcqpmep.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1988	2336	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe	28
PID 2336 wrote to memory of 1988	2336	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe	28
PID 2336 wrote to memory of 1988	2336	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe	28
PID 2336 wrote to memory of 1988	2336	5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe	28
PID 1988 wrote to memory of 3040	1988	Chcqpmep.exe	29
PID 1988 wrote to memory of 3040	1988	Chcqpmep.exe	29
PID 1988 wrote to memory of 3040	1988	Chcqpmep.exe	29
PID 1988 wrote to memory of 3040	1988	Chcqpmep.exe	29
PID 3040 wrote to memory of 2668	3040	Cdlnkmha.exe	30
PID 3040 wrote to memory of 2668	3040	Cdlnkmha.exe	30
PID 3040 wrote to memory of 2668	3040	Cdlnkmha.exe	30
PID 3040 wrote to memory of 2668	3040	Cdlnkmha.exe	30
PID 2668 wrote to memory of 1236	2668	Dbbkja32.exe	31
PID 2668 wrote to memory of 1236	2668	Dbbkja32.exe	31
PID 2668 wrote to memory of 1236	2668	Dbbkja32.exe	31
PID 2668 wrote to memory of 1236	2668	Dbbkja32.exe	31
PID 1236 wrote to memory of 2468	1236	Dkmmhf32.exe	32
PID 1236 wrote to memory of 2468	1236	Dkmmhf32.exe	32
PID 1236 wrote to memory of 2468	1236	Dkmmhf32.exe	32
PID 1236 wrote to memory of 2468	1236	Dkmmhf32.exe	32
PID 2468 wrote to memory of 2460	2468	Dmafennb.exe	33
PID 2468 wrote to memory of 2460	2468	Dmafennb.exe	33
PID 2468 wrote to memory of 2460	2468	Dmafennb.exe	33
PID 2468 wrote to memory of 2460	2468	Dmafennb.exe	33
PID 2460 wrote to memory of 2808	2460	Dfijnd32.exe	34
PID 2460 wrote to memory of 2808	2460	Dfijnd32.exe	34
PID 2460 wrote to memory of 2808	2460	Dfijnd32.exe	34
PID 2460 wrote to memory of 2808	2460	Dfijnd32.exe	34
PID 2808 wrote to memory of 2992	2808	Epfhbign.exe	35
PID 2808 wrote to memory of 2992	2808	Epfhbign.exe	35
PID 2808 wrote to memory of 2992	2808	Epfhbign.exe	35
PID 2808 wrote to memory of 2992	2808	Epfhbign.exe	35
PID 2992 wrote to memory of 1488	2992	Egamfkdh.exe	36
PID 2992 wrote to memory of 1488	2992	Egamfkdh.exe	36
PID 2992 wrote to memory of 1488	2992	Egamfkdh.exe	36
PID 2992 wrote to memory of 1488	2992	Egamfkdh.exe	36
PID 1488 wrote to memory of 2624	1488	Faokjpfd.exe	37
PID 1488 wrote to memory of 2624	1488	Faokjpfd.exe	37
PID 1488 wrote to memory of 2624	1488	Faokjpfd.exe	37
PID 1488 wrote to memory of 2624	1488	Faokjpfd.exe	37
PID 2624 wrote to memory of 2632	2624	Fhkpmjln.exe	38
PID 2624 wrote to memory of 2632	2624	Fhkpmjln.exe	38
PID 2624 wrote to memory of 2632	2624	Fhkpmjln.exe	38
PID 2624 wrote to memory of 2632	2624	Fhkpmjln.exe	38
PID 2632 wrote to memory of 844	2632	Fbgmbg32.exe	39
PID 2632 wrote to memory of 844	2632	Fbgmbg32.exe	39
PID 2632 wrote to memory of 844	2632	Fbgmbg32.exe	39
PID 2632 wrote to memory of 844	2632	Fbgmbg32.exe	39
PID 844 wrote to memory of 1108	844	Glaoalkh.exe	40
PID 844 wrote to memory of 1108	844	Glaoalkh.exe	40
PID 844 wrote to memory of 1108	844	Glaoalkh.exe	40
PID 844 wrote to memory of 1108	844	Glaoalkh.exe	40
PID 1108 wrote to memory of 1676	1108	Gobgcg32.exe	41
PID 1108 wrote to memory of 1676	1108	Gobgcg32.exe	41
PID 1108 wrote to memory of 1676	1108	Gobgcg32.exe	41
PID 1108 wrote to memory of 1676	1108	Gobgcg32.exe	41
PID 1676 wrote to memory of 2876	1676	Ghmiam32.exe	42
PID 1676 wrote to memory of 2876	1676	Ghmiam32.exe	42
PID 1676 wrote to memory of 2876	1676	Ghmiam32.exe	42
PID 1676 wrote to memory of 2876	1676	Ghmiam32.exe	42
PID 2876 wrote to memory of 1028	2876	Gmjaic32.exe	43
PID 2876 wrote to memory of 1028	2876	Gmjaic32.exe	43
PID 2876 wrote to memory of 1028	2876	Gmjaic32.exe	43
PID 2876 wrote to memory of 1028	2876	Gmjaic32.exe	43

C:\Users\Admin\AppData\Local\Temp\5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5855938c889e95c8bb02e629c51e9cbb8df99a689d60e180e2991ec0d49d5362_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\Chcqpmep.exe
  C:\Windows\system32\Chcqpmep.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\Cdlnkmha.exe
    C:\Windows\system32\Cdlnkmha.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\Dbbkja32.exe
      C:\Windows\system32\Dbbkja32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\Dkmmhf32.exe
        
        C:\Windows\system32\Dkmmhf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\SysWOW64\Dmafennb.exe
        
        C:\Windows\system32\Dmafennb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Dfijnd32.exe
        
        C:\Windows\system32\Dfijnd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Epfhbign.exe
        
        C:\Windows\system32\Epfhbign.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Egamfkdh.exe
        
        C:\Windows\system32\Egamfkdh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Faokjpfd.exe
        
        C:\Windows\system32\Faokjpfd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Fhkpmjln.exe
        
        C:\Windows\system32\Fhkpmjln.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        21⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
512KB

MD5
dcc67eda1695a3c97519c30418415da9

SHA1
82a8f1e913c3bbb9db8cc2c5af003db77bd63b56

SHA256
0c81575b5cebb52defa21e8bb39382ded02f19e9e88039c39a6c2f3ca0ee7287

SHA512
3a63bb92ac4df6acdfc0bb88e88ec90c608bcec92657ba62414c9ec64987f2c23ef4223aaebbb617b62f931b9ab2737a0c57da460322b40ddf4c1c52809db95f

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
512KB

MD5
350c336d185f7dec773a79c5db43f7aa

SHA1
951b4cda11457cd189428976baf5a80c6f35d81f

SHA256
9ae50e5e3acd1a4b5d71c6730ff2b5acfe7549bf9fa3af7a9612f85fdd861ed3

SHA512
697791495a2e62bf23d9b6098529c016e6a7d20879a364db14102b00f4058a289d668838af70f5cd2db937d652e2c6975d7122f7368b34a3adb4a3ed9b2c02a0

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
512KB

MD5
388a19c607843b9b4741e3f26da41ecc

SHA1
9b3341fac86baa64c6ea36e4adb2bcc16895b7b8

SHA256
53b738a49dd43a321f239c56955cfbbc165ee648c8a5b0882c1b4d3effda5111

SHA512
62faad65bcb625c3cb83151de8e105fce3dc8845f69cde1617246036168edc3b4dca7adc6fb62c2e432df7956aa2920a47e2a532d68d06e73e3100d2c2a4f7ca

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
512KB

MD5
a01f533289f24cfd3204dec8cf864750

SHA1
e03c80e852511a26f19660e9e155e84ef0878b38

SHA256
70109b6a6873013a9929b4e96617c3e40161d42a647f969171a621718ea2cfc3

SHA512
d7e4e44a01884b7b2fc7c24448d05ee4fef0321c2f7ff5962a84beba5b2de920fb80b8f379544f2f2e86b9fec894bce10b5d5ee32dcb194deb632b4aef56a8e7

Download Submit
\Windows\SysWOW64\Cdlnkmha.exe

Filesize
512KB

MD5
e005c80009221ff12d260546fd7e04b5

SHA1
59b10653e3ea72a4a8abb14fa9e1bdfb5479bcc8

SHA256
a0508da4a6506f2e2f7290de8ba153dee2579edf239d3961cf13292f9680ae00

SHA512
86dc0e0770c93214cc1e54baee21436535164e8377a4778e314affd9e713c35db462fe6220417652dddf890e0e1a99bd4d89d76c05f9abd2797e3ce2ab464ca3

Download Submit
\Windows\SysWOW64\Chcqpmep.exe

Filesize
512KB

MD5
9858e98105aa52caacc12f47a7f07ede

SHA1
77efeaa750ebdd787e55c9e87b18f7289a348416

SHA256
c4f162638c25cd539dbf62338a54577ae7081be83939494ec49fd3fd742fb3b3

SHA512
0f17741785fd1aed1c501ac45e8c26261e08345ba1d47df62508a66088fbe5125d9f178afbfac76207cb9948744bd2193dec8fdfadc0f45bb60f49dfa87507fb

Download Submit
\Windows\SysWOW64\Dbbkja32.exe

Filesize
512KB

MD5
49943d27c02a023eea47fd337f22e2bb

SHA1
34518801254f359507d13ba46377f215d692cafd

SHA256
1379e6b7a34bb8288b752bcf522e6f07b21d2363813092247cc76b53769c9564

SHA512
b510b64fc3c80cc71a545150da351e6a5a913d8c872dfb6f11ca4674372e8437f11e67ab84c49db4ce50ac1d7444596440457c789ef6afd682e7cf4a13d88a86

Download Submit
\Windows\SysWOW64\Dfijnd32.exe

Filesize
512KB

MD5
d38c3d6e70cfb805ef556b821676d0fd

SHA1
4d47dd976c892dde65e20eb1ff8d399c34a0ffe9

SHA256
231cb794b1c1260355753adda6cf6d1c18cb3021101b31882597dc36406ad57a

SHA512
7e10a6a477b81011f327e15680c57989bb66caf323c18d39ebd80cb2f685d71f41c1b3b71d4c38eb64afa88c6a401862204160ac41fd8c9e40574f638e1e1425

Download Submit
\Windows\SysWOW64\Dkmmhf32.exe

Filesize
512KB

MD5
36b2785c31b3f741fad66bcb78fa0e0a

SHA1
e30c79387cd6cb5f1c0ec9ace085367f8a720c41

SHA256
8e243bb4009e96274d7156e4d3571bc29b8847faea0f7f8e91b2f05e67c3cb95

SHA512
d364b946f953464ab0c44262072d8a8c8c24de0b78d767bd48f089e4439685707564ca774be2ec4001af6b7d80eebd398aa3ac5840c32e52b92c0500295006c4

Download Submit
\Windows\SysWOW64\Dmafennb.exe

Filesize
512KB

MD5
12c27d897571b0e64a40d4cd45277678

SHA1
fd7713bffaac2ca345cc98fa6b9a0bab520a7b9d

SHA256
749d1065df77fa291929e4c57181c7bc6ade3122d81fd9c878db431f2f58e665

SHA512
d78202cc630b87a90402cfc2f7513c6cc4c541235dea34326f69673e143e564a69decf29275b70c5e96c68b4e0ffdaa2ef85d6403fe6a69cd3c4a8582057e3e8

Download Submit
\Windows\SysWOW64\Egamfkdh.exe

Filesize
512KB

MD5
b47e485674d6d396e0f439b473d273dd

SHA1
52fdde0b1446dd41295a066c73154767a1293b6c

SHA256
74e79016748875948701200af319e672dbedc4c7c7084c3cb55e450cc206ed0a

SHA512
38a45a69ffe8a3a493578e6ba7f474ab15e1893b37707a5d241da1ae62f166858d7ed557617fdb641fc3929dbbb02806fc8f06997b9a35137b72f8089e6ab0d8

Download Submit
\Windows\SysWOW64\Epfhbign.exe

Filesize
512KB

MD5
80b79ed07dec6dca83b4192a0abc45d8

SHA1
9ed8931613973aa9eb094641015a9b76d0c203a4

SHA256
854a35003f43011df2b5eb3e30d33eb81db13a9369b1f6e6ce6f74f709f1c278

SHA512
ee67b4fa8f3d96d438fa18e697e62a90988e50a022cadf9a5987a0debfccf5c2167aa1455cd94abf1537d413c6b634c8e093925e45ba7cc98475446ddca49f6c

Download Submit
\Windows\SysWOW64\Faokjpfd.exe

Filesize
512KB

MD5
2ca2c9fa8754283856ea0db3a1ca3ef5

SHA1
cbc22e74f8a74038b9384e9a7915019f718b73f9

SHA256
59bf6e04eb6aaa033174b5e25ae9bf98fd632e2bc4cf7f1d1741792933e35e81

SHA512
3111f4eb1ac5f5208d5ce7b09ac4de7d3a33300e143016c2b3cf6511e75d38b23370a23dc8242c263d5e54f03aeb5568dfb967208a37deb2e4048633794b52a4

Download Submit
\Windows\SysWOW64\Fbgmbg32.exe

Filesize
512KB

MD5
0858b114c7dfd069cfc5e6a1a2c36cce

SHA1
5738eff1ace53e3251d751b6f70b0a8ff5219b2d

SHA256
1d39f09ff6d306dd741e3a292986430a4a43f2ca29942048c9a94e450926e998

SHA512
4559a6178bf57440127eb93c2a3bafb7dca5b8b7d303143d86a465a87d2fc79c72797468d83a6da2e4aed49d63c8e4160b53752aafda9d29daec9d0c804c325c

Download Submit
\Windows\SysWOW64\Fhkpmjln.exe

Filesize
512KB

MD5
6acfe7bacda1acadcb25c126ce41fa36

SHA1
87bfd6ae49e9792940c81bbd1c5c0b02f9c17e33

SHA256
129a68a0b6e828954450792630f9b74f59fb08d414f1f4a505c1b3d615fbe49e

SHA512
69c6058fcde4e395775084cafb102196a4962701cd0b2e0ac3fc2770f8e9ae5655b27e0988e6916c298b273a84ba6342c5078178fc5e1b5b0292fcb9bff0d971

Download Submit
\Windows\SysWOW64\Ghmiam32.exe

Filesize
512KB

MD5
042e73386811de49fe866a7d5b034820

SHA1
cf61eedabf90f3f561360e5809df867b8ad0f6e6

SHA256
78e95e48883915033546189b7cdfc3a7d0e4b7cfd28c3036735a29a698289c7a

SHA512
51061ef1b8edd0b0ef11629ffc5879742f3e5a8b6e7eb046fc4ee7109fdf8fc5e23091212aa1b9633dadc92a5ac7af3b0e97751c1779e4ad08a2ddb2e8e5b72a

Download Submit
\Windows\SysWOW64\Glaoalkh.exe

Filesize
512KB

MD5
72e1a4e45beba8981ee21249bbb195a6

SHA1
5b8b4b4d6ab88ccd0155c9c318e0cefa406432d1

SHA256
e3a54dcc497a750e66af43f592e3227d90f7093293a46106983937871b72d25e

SHA512
f7b4816eef4fca97a25989140863c7bb6b0b48408a83085531ceb00d26bdfa48a2422559c3fb01b3808af3eb7d4c1e89a7c92bbab6f50be4a18b52422cf0f84a

Download Submit
\Windows\SysWOW64\Gmjaic32.exe

Filesize
512KB

MD5
f0515f9192eafec5b22617e879d241d1

SHA1
5a8745f7a0554b36302b95444f64c1aa9e8209e1

SHA256
c79a000bc0db3ffacdea8ecefa2f0b7f8c472f1dfc10947d586acd06ba145881

SHA512
bfc6da028bbbc08345cb773dd8262e2d49e6ce35b9565447bd0a9d11bc3b24e2b3fe8ba46285c436da343203ab80052616013583f45c9427cba2c5eeca72ca52

Download Submit
\Windows\SysWOW64\Gobgcg32.exe

Filesize
512KB

MD5
6faa5497cf079d862df49c4d09eea404

SHA1
5afe86715b3a8734448b7e2644792104d291e383

SHA256
47066da3a532a66358bf96da3d2492a5311f8fa5f01996e70de66e08539475f7

SHA512
ba73a5f280d86bf331b185ee267ab5a252108034616a61666bb6be2c55400891e3f962d199590decd2fe1597e23ace4acd14cca0dd9370f35df61f485fbae2aa

Download Submit
\Windows\SysWOW64\Hcifgjgc.exe

Filesize
512KB

MD5
d47fc6936117f3fc04fd2478d03b160b

SHA1
051149995e1d078e2c30781745a0ad758bac8f54

SHA256
7d375d6439d7ff60e2420b062f47e7b408a97405da9afa94527725cc2faba099

SHA512
656587bd909bb48f54eafa4fa108deec9d935a42b196097c152914a83dc1b338b65b481443e9d8a68d0b06125cfee3412b29aad11e46a4fe75e524f0221801fb

Download Submit
memory/844-173-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/844-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-229-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1028-233-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1028-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-193-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1108-192-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1108-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-72-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1488-137-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1488-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-210-0x0000000001F50000-0x0000000001F84000-memory.dmp

Filesize
208KB

Download
memory/1864-248-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1864-240-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1864-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-25-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1988-26-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2008-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-264-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2336-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-6-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2336-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-90-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2468-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-77-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2624-145-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2624-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-54-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2668-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-109-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2840-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-254-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2876-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-215-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2876-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-221-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2992-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-123-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/3040-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-34-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/3040-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads