34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
Size

76KB
MD5

baf32ab35e1eafe75bb22592753e77f0
SHA1

1932fcad2065453835c804765e4bae9a6187f5c9
SHA256

34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f
SHA512

94011c68dfac1b8ac7f58a14494b7717d98681308f8b525e87ede9587f87f2b7c3076b789638d2809d3d0ad75e9ba8375050c7de74f02183b4f841a9f8dabcab
SSDEEP

1536:K1o5RLSDcLkE5uEuQK5eeKsi7yAERHioQV+/eCeyvCQ:1R+AkE5u/jeex61ERHrk+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exeEiaiqn32.exeFckjalhj.exeGddifnbk.exeHgilchkf.exeFmekoalh.exeHejoiedd.exeHodpgjha.exeDcknbh32.exeGhhofmql.exeGeolea32.exeHhmepp32.exeInljnfkg.exeEfppoc32.exeGfefiemq.exeHpkjko32.exeEfncicpm.exeFdapak32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcknbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiaiqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inljnfkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcknbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efppoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe

Executes dropped EXE 18 IoCs

Processes:

Dcknbh32.exeEfncicpm.exeEfppoc32.exeEiaiqn32.exeFckjalhj.exeFmekoalh.exeFdapak32.exeGfefiemq.exeGhhofmql.exeGeolea32.exeGddifnbk.exeHpkjko32.exeHejoiedd.exeHgilchkf.exeHodpgjha.exeHhmepp32.exeInljnfkg.exeIagfoe32.exe

pid	process
2780	Dcknbh32.exe
2980	Efncicpm.exe
2680	Efppoc32.exe
2472	Eiaiqn32.exe
2688	Fckjalhj.exe
1676	Fmekoalh.exe
2420	Fdapak32.exe
1504	Gfefiemq.exe
2848	Ghhofmql.exe
1900	Geolea32.exe
1012	Gddifnbk.exe
2340	Hpkjko32.exe
1824	Hejoiedd.exe
2140	Hgilchkf.exe
1948	Hodpgjha.exe
384	Hhmepp32.exe
1092	Inljnfkg.exe
816	Iagfoe32.exe

Loads dropped DLL 40 IoCs

Processes:

34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exeDcknbh32.exeEfncicpm.exeEfppoc32.exeEiaiqn32.exeFckjalhj.exeFmekoalh.exeFdapak32.exeGfefiemq.exeGhhofmql.exeGeolea32.exeGddifnbk.exeHpkjko32.exeHejoiedd.exeHgilchkf.exeHodpgjha.exeHhmepp32.exeInljnfkg.exeWerFault.exe

pid	process
1984	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
1984	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
2780	Dcknbh32.exe
2780	Dcknbh32.exe
2980	Efncicpm.exe
2980	Efncicpm.exe
2680	Efppoc32.exe
2680	Efppoc32.exe
2472	Eiaiqn32.exe
2472	Eiaiqn32.exe
2688	Fckjalhj.exe
2688	Fckjalhj.exe
1676	Fmekoalh.exe
1676	Fmekoalh.exe
2420	Fdapak32.exe
2420	Fdapak32.exe
1504	Gfefiemq.exe
1504	Gfefiemq.exe
2848	Ghhofmql.exe
2848	Ghhofmql.exe
1900	Geolea32.exe
1900	Geolea32.exe
1012	Gddifnbk.exe
1012	Gddifnbk.exe
2340	Hpkjko32.exe
2340	Hpkjko32.exe
1824	Hejoiedd.exe
1824	Hejoiedd.exe
2140	Hgilchkf.exe
2140	Hgilchkf.exe
1948	Hodpgjha.exe
1948	Hodpgjha.exe
384	Hhmepp32.exe
384	Hhmepp32.exe
1092	Inljnfkg.exe
1092	Inljnfkg.exe
1832	WerFault.exe
1832	WerFault.exe
1832	WerFault.exe
1832	WerFault.exe

Drops file in System32 directory 54 IoCs

Processes:

Eiaiqn32.exeFckjalhj.exeGeolea32.exe34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exeGfefiemq.exeGddifnbk.exeHpkjko32.exeHejoiedd.exeHhmepp32.exeEfncicpm.exeHgilchkf.exeGhhofmql.exeInljnfkg.exeDcknbh32.exeFmekoalh.exeEfppoc32.exeHodpgjha.exeFdapak32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Jiiegafd.dll	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Ongbcmlc.dll	Fckjalhj.exe
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Pafagk32.dll	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Inljnfkg.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Efppoc32.exe	Efncicpm.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	Geolea32.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Fckjalhj.exe	Eiaiqn32.exe
File opened for modification	C:\Windows\SysWOW64\Geolea32.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Inljnfkg.exe
File opened for modification	C:\Windows\SysWOW64\Efppoc32.exe	Efncicpm.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Lkojpojq.dll	Dcknbh32.exe
File created	C:\Windows\SysWOW64\Fckjalhj.exe	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Inljnfkg.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File opened for modification	C:\Windows\SysWOW64\Efncicpm.exe	Dcknbh32.exe
File opened for modification	C:\Windows\SysWOW64\Fdapak32.exe	Fmekoalh.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Eiaiqn32.exe	Efppoc32.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Dbnkge32.dll	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Jdnaob32.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Dcknbh32.exe	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Dcknbh32.exe	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Fdapak32.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Ahpjhc32.dll	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Efncicpm.exe	Dcknbh32.exe
File created	C:\Windows\SysWOW64\Nopodm32.dll	Fmekoalh.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Eiaiqn32.exe	Efppoc32.exe
File created	C:\Windows\SysWOW64\Bibckiab.dll	Efppoc32.exe
File created	C:\Windows\SysWOW64\Fmekoalh.exe	Fckjalhj.exe
File created	C:\Windows\SysWOW64\Fdapak32.exe	Fmekoalh.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	Fdapak32.exe
File created	C:\Windows\SysWOW64\Gbolehjh.dll	Efncicpm.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Fmekoalh.exe	Fckjalhj.exe
File created	C:\Windows\SysWOW64\Geolea32.exe	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hodpgjha.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1832 816 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
1832	816	WerFault.exe	Iagfoe32.exe

Modifies registry class 57 IoCs

Processes:

Fdapak32.exeGeolea32.exeGfefiemq.exeGhhofmql.exeGddifnbk.exeFckjalhj.exe34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exeDcknbh32.exeHgilchkf.exeHodpgjha.exeHhmepp32.exeEiaiqn32.exeHpkjko32.exeHejoiedd.exeFmekoalh.exeInljnfkg.exeEfncicpm.exeEfppoc32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Fdapak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdapak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcknbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll"	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcknbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Inljnfkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll"	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiaiqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll"	Dcknbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll"	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eiaiqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1984 wrote to memory of 2780	1984	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe	Dcknbh32.exe
PID 1984 wrote to memory of 2780	1984	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe	Dcknbh32.exe
PID 1984 wrote to memory of 2780	1984	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe	Dcknbh32.exe
PID 1984 wrote to memory of 2780	1984	34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe	Dcknbh32.exe
PID 2780 wrote to memory of 2980	2780	Dcknbh32.exe	Efncicpm.exe
PID 2780 wrote to memory of 2980	2780	Dcknbh32.exe	Efncicpm.exe
PID 2780 wrote to memory of 2980	2780	Dcknbh32.exe	Efncicpm.exe
PID 2780 wrote to memory of 2980	2780	Dcknbh32.exe	Efncicpm.exe
PID 2980 wrote to memory of 2680	2980	Efncicpm.exe	Efppoc32.exe
PID 2980 wrote to memory of 2680	2980	Efncicpm.exe	Efppoc32.exe
PID 2980 wrote to memory of 2680	2980	Efncicpm.exe	Efppoc32.exe
PID 2980 wrote to memory of 2680	2980	Efncicpm.exe	Efppoc32.exe
PID 2680 wrote to memory of 2472	2680	Efppoc32.exe	Eiaiqn32.exe
PID 2680 wrote to memory of 2472	2680	Efppoc32.exe	Eiaiqn32.exe
PID 2680 wrote to memory of 2472	2680	Efppoc32.exe	Eiaiqn32.exe
PID 2680 wrote to memory of 2472	2680	Efppoc32.exe	Eiaiqn32.exe
PID 2472 wrote to memory of 2688	2472	Eiaiqn32.exe	Fckjalhj.exe
PID 2472 wrote to memory of 2688	2472	Eiaiqn32.exe	Fckjalhj.exe
PID 2472 wrote to memory of 2688	2472	Eiaiqn32.exe	Fckjalhj.exe
PID 2472 wrote to memory of 2688	2472	Eiaiqn32.exe	Fckjalhj.exe
PID 2688 wrote to memory of 1676	2688	Fckjalhj.exe	Fmekoalh.exe
PID 2688 wrote to memory of 1676	2688	Fckjalhj.exe	Fmekoalh.exe
PID 2688 wrote to memory of 1676	2688	Fckjalhj.exe	Fmekoalh.exe
PID 2688 wrote to memory of 1676	2688	Fckjalhj.exe	Fmekoalh.exe
PID 1676 wrote to memory of 2420	1676	Fmekoalh.exe	Fdapak32.exe
PID 1676 wrote to memory of 2420	1676	Fmekoalh.exe	Fdapak32.exe
PID 1676 wrote to memory of 2420	1676	Fmekoalh.exe	Fdapak32.exe
PID 1676 wrote to memory of 2420	1676	Fmekoalh.exe	Fdapak32.exe
PID 2420 wrote to memory of 1504	2420	Fdapak32.exe	Gfefiemq.exe
PID 2420 wrote to memory of 1504	2420	Fdapak32.exe	Gfefiemq.exe
PID 2420 wrote to memory of 1504	2420	Fdapak32.exe	Gfefiemq.exe
PID 2420 wrote to memory of 1504	2420	Fdapak32.exe	Gfefiemq.exe
PID 1504 wrote to memory of 2848	1504	Gfefiemq.exe	Ghhofmql.exe
PID 1504 wrote to memory of 2848	1504	Gfefiemq.exe	Ghhofmql.exe
PID 1504 wrote to memory of 2848	1504	Gfefiemq.exe	Ghhofmql.exe
PID 1504 wrote to memory of 2848	1504	Gfefiemq.exe	Ghhofmql.exe
PID 2848 wrote to memory of 1900	2848	Ghhofmql.exe	Geolea32.exe
PID 2848 wrote to memory of 1900	2848	Ghhofmql.exe	Geolea32.exe
PID 2848 wrote to memory of 1900	2848	Ghhofmql.exe	Geolea32.exe
PID 2848 wrote to memory of 1900	2848	Ghhofmql.exe	Geolea32.exe
PID 1900 wrote to memory of 1012	1900	Geolea32.exe	Gddifnbk.exe
PID 1900 wrote to memory of 1012	1900	Geolea32.exe	Gddifnbk.exe
PID 1900 wrote to memory of 1012	1900	Geolea32.exe	Gddifnbk.exe
PID 1900 wrote to memory of 1012	1900	Geolea32.exe	Gddifnbk.exe
PID 1012 wrote to memory of 2340	1012	Gddifnbk.exe	Hpkjko32.exe
PID 1012 wrote to memory of 2340	1012	Gddifnbk.exe	Hpkjko32.exe
PID 1012 wrote to memory of 2340	1012	Gddifnbk.exe	Hpkjko32.exe
PID 1012 wrote to memory of 2340	1012	Gddifnbk.exe	Hpkjko32.exe
PID 2340 wrote to memory of 1824	2340	Hpkjko32.exe	Hejoiedd.exe
PID 2340 wrote to memory of 1824	2340	Hpkjko32.exe	Hejoiedd.exe
PID 2340 wrote to memory of 1824	2340	Hpkjko32.exe	Hejoiedd.exe
PID 2340 wrote to memory of 1824	2340	Hpkjko32.exe	Hejoiedd.exe
PID 1824 wrote to memory of 2140	1824	Hejoiedd.exe	Hgilchkf.exe
PID 1824 wrote to memory of 2140	1824	Hejoiedd.exe	Hgilchkf.exe
PID 1824 wrote to memory of 2140	1824	Hejoiedd.exe	Hgilchkf.exe
PID 1824 wrote to memory of 2140	1824	Hejoiedd.exe	Hgilchkf.exe
PID 2140 wrote to memory of 1948	2140	Hgilchkf.exe	Hodpgjha.exe
PID 2140 wrote to memory of 1948	2140	Hgilchkf.exe	Hodpgjha.exe
PID 2140 wrote to memory of 1948	2140	Hgilchkf.exe	Hodpgjha.exe
PID 2140 wrote to memory of 1948	2140	Hgilchkf.exe	Hodpgjha.exe
PID 1948 wrote to memory of 384	1948	Hodpgjha.exe	Hhmepp32.exe
PID 1948 wrote to memory of 384	1948	Hodpgjha.exe	Hhmepp32.exe
PID 1948 wrote to memory of 384	1948	Hodpgjha.exe	Hhmepp32.exe
PID 1948 wrote to memory of 384	1948	Hodpgjha.exe	Hhmepp32.exe

C:\Users\Admin\AppData\Local\Temp\34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\34a373094c420621244d81dbd1d18b48cb7adbf10baa4f3bdf4ea9d755fda28f_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\Dcknbh32.exe
C:\Windows\system32\Dcknbh32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\Efncicpm.exe
C:\Windows\system32\Efncicpm.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\Efppoc32.exe
C:\Windows\system32\Efppoc32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\Eiaiqn32.exe
C:\Windows\system32\Eiaiqn32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\Fckjalhj.exe
C:\Windows\system32\Fckjalhj.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\Fmekoalh.exe
C:\Windows\system32\Fmekoalh.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\Fdapak32.exe
C:\Windows\system32\Fdapak32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\Gfefiemq.exe
C:\Windows\system32\Gfefiemq.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\Ghhofmql.exe
C:\Windows\system32\Ghhofmql.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\Geolea32.exe
C:\Windows\system32\Geolea32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\Gddifnbk.exe
C:\Windows\system32\Gddifnbk.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\Hpkjko32.exe
C:\Windows\system32\Hpkjko32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\Hejoiedd.exe
C:\Windows\system32\Hejoiedd.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\Hgilchkf.exe
C:\Windows\system32\Hgilchkf.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\Hodpgjha.exe
C:\Windows\system32\Hodpgjha.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\Hhmepp32.exe
C:\Windows\system32\Hhmepp32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:384

C:\Windows\SysWOW64\Inljnfkg.exe
C:\Windows\system32\Inljnfkg.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1092

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
19⤵
- Executes dropped EXE
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 140
20⤵
- Loads dropped DLL
- Program crash
PID:1832

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Efncicpm.exe
Filesize
76KB

MD5
8610bf09a1d555e2a0655d04d1edfd2d

SHA1
729572d92d71a03edae19593ec66dee66ada5100

SHA256
5814a1ffecfc5423537024ce0229efed2c0dcdefbbda0c8e690ef4ca9e4ccb6f

SHA512
44e0d958f1dba58431bd927dcdff01238b7350afedeb0d2d1e948ccbf32acca29d4aa88e3a42680203ab659df05e89be2405606a92d8cf63b15e0d8bd5a1d004

Download Submit
C:\Windows\SysWOW64\Efppoc32.exe
Filesize
76KB

MD5
3dce8c2e1611b2f4ea50b6dc089f6b61

SHA1
541fb93d684e89ca0216e828deda00284855b9e5

SHA256
16f97c6cc59e61e6bae00e1ea9deaf52c53c539526c0c39f07b6ef870f445aa9

SHA512
cc185c45aa591173c239b5a0dc41266c3aaf944f75201a58608b2bcda9a35a7001550e2cdf5a5260bd99da8ec92833d6f253e8042e6fb7a7a59d85a6128a8b57

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe
Filesize
76KB

MD5
8c35977f14025b6fd4fd142e0062b70f

SHA1
cab3156b5254cf6cc34e18c4d8b48d68eb5d8a1f

SHA256
02f41cec9caeaf4909e5a499320958f2d5b5ec98bad458ff88c645c430b1b118

SHA512
9bcc771682ba8360b5b09c3be5feabe065709b5d924fc4eab92cf30f8105080e3e18c4169cbe14884ef3fc00ea29c9e4e2dd617752a9f329d16914e09b1ebf3f

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe
Filesize
76KB

MD5
04a9c7328cbc6b9532ccd0d40345a85c

SHA1
f4b83b1d0e74daa2809a57106b52212bd21e76da

SHA256
8b3ac476cce7bf0d10f78bef1d9c1d4ed7d2d5e2c42809e568e859ed9809bb72

SHA512
be6c0153eb785534b3a22fd093076b2ab1a32f99394844a8bf7b5f34235d4c3930c1e8ff0bacc9c9564edcb101a806e6f4a4330862f9881e1ab497a6a695ea6b

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe
Filesize
76KB

MD5
180e718deb4d9bed6c4ad429a49fd6b9

SHA1
5150af3b33be4bb250290f2e488a19c271c89dfb

SHA256
9e3f1c72a8d2251162a6b5528e95973eb48799349c9ea09eeb4095e50d5cb6f9

SHA512
c560c7d88e933cfaa98af14944cf2c915b152b3c5f73a9f7e293ecd4bb3b852527c52a60ef5f62e580aa2244b1cd444b42782372da8046415ea9763d09ed901a

Download Submit
C:\Windows\SysWOW64\Inljnfkg.exe
Filesize
76KB

MD5
bc5d7940e0bbcf045afbb98dc62cfa32

SHA1
03b6e6c9267a583edba8cf16d1b466f073199bc5

SHA256
17bba3d85b9120e1c26b742a5a8610271abc78c0976252733cc9402417156bc9

SHA512
00ede2eefd0b3079c4806cc0fda453860d2c581c1116c67dc41f2fb768d1566acf2376ad7a24746653139c1fda444f565d15f4aeed2df0ffdde9086df0e5a977

Download Submit
\Windows\SysWOW64\Dcknbh32.exe
Filesize
76KB

MD5
c418aabf675b1c317d0728513e0b9b90

SHA1
c70c6fb44381ac3f47b0890ba48f11377cdca8db

SHA256
847e1fb9f06d67d722b985b14f54f8c1c2ab3d307a9d46a6399cf324b8a29cd9

SHA512
3938f11cb18604f5c61c1bb68273bd44234e9a8558af7e7a767b78a9b1f7b49775ae91cdb413dd483d9511bad030bd331221bf8c8bfbb6fdeec11d8139cbdd64

Download Submit
\Windows\SysWOW64\Eiaiqn32.exe
Filesize
76KB

MD5
521dacb30a3a8544c6e2eeb8ed4c3066

SHA1
b15225de740439ebed5eb32fb9c320e8895eb7e1

SHA256
de08adbd94a48e04ec7cdbac7c8da4cd9369bf5b982eb2176e290fd9653b998f

SHA512
2ed7ec1edd89455b9646ca3a2d26c5cdd76ae2fccd83cfce2d3eef38981b9185c116c2220364a0e906824793784a8722dfb69312763ded7375f90297e4f13357

Download Submit
\Windows\SysWOW64\Fckjalhj.exe
Filesize
76KB

MD5
285a72c5c38ea836f4f4029a9b779509

SHA1
5c518700663c69f46b59395ef99d0c226ff48cdf

SHA256
546fa09ac5399754ebbd509f93c5909d6f768818830071bae9cc32aac3b762c8

SHA512
858a54e8961eff68f291a6c61447d7e226172d02fb2804819d8c262b0ad719bc422f1c6c6f6b9710300d88f6b32bd5e311e6a4c18d2b07345e0f53180286cb55

Download Submit
\Windows\SysWOW64\Fdapak32.exe
Filesize
76KB

MD5
ae1ff3579f12e68dfea27c6c79924139

SHA1
7b32b1dfcee04bcc054d811ffedc5b2331cafacc

SHA256
ddc48958cd6df53dd60b0da28497e10ba8eb774bc6fe090ea18e1e2f24b3a8a0

SHA512
dc27a7427319c6a23c11977bc886971fae6a9eb6020c4c1999d1de37b948c845be755ee8f2f530a1eb8249568cd24779d49cae6fc22eef4c2f003111ace6fb31

Download Submit
\Windows\SysWOW64\Fmekoalh.exe
Filesize
76KB

MD5
98d9cedd6d428072f59f6ce17ca4b983

SHA1
2e2aaace2cfce3fb081167c30edfd33e2814635b

SHA256
7eef36ad3e85307ffd56d8b84bcf89e05efbe130637f9e0a0f8fcd1f502ff71e

SHA512
a4a82ccd9e6ea96e7ebc4b4f5d185e287277c6a95489eda497836fec5020749af7a7a1679daafeaaff7191e41b42f9d261777c5696a052e8e2500181976607f3

Download Submit
\Windows\SysWOW64\Gddifnbk.exe
Filesize
76KB

MD5
a32837433433c6ce6238135fe6e33870

SHA1
62852b88586a311f9b77ed40e3f60330985627e3

SHA256
9ef56be44fc0c663e2c612a89f706ddf271535a71d145a3e1cc5705c725f1290

SHA512
e22aa1ff6926614040dc99eceb4d3ac1593d3f92be1a3066a5d4540dcbcbd7bc06f774fbb5e03bf3e2915e7b77a94637a9959541cc30b849b9126e4817f31954

Download Submit
\Windows\SysWOW64\Geolea32.exe
Filesize
76KB

MD5
142559409af9416daebe789bc83bd5eb

SHA1
18889bf5e504f9b67109ce04142b15e0f8c86db0

SHA256
611c43549e444ba518b8a3b7bef2718c7ba7cfce69986384b86e8f2515a3b14d

SHA512
7151b65b2cf3cdfc8a624d8c8331ac2a9bff10385d69a37c00efc43f711693042235c7498d246e5bc55577b0f5b9d1885e7172394513c6311cd2fee24fdfa588

Download Submit
\Windows\SysWOW64\Gfefiemq.exe
Filesize
76KB

MD5
b53cb6bc82cdff464e416a6440026e55

SHA1
6c1a4d1e0ee9544e412f60aca1b5107879927d67

SHA256
563ade5e8b1829c21d5874e4d8737ceafcc313f30b1f56242f197049f3c114ce

SHA512
78f6fb16c701b6068f3f064351b78751a4f7fc7a2eba64b6bf9c99a9613d0bc42c69a74a6487992ec4d9a76724be3d5742918790c138228aef5357ecda20fd2e

Download Submit
\Windows\SysWOW64\Ghhofmql.exe
Filesize
76KB

MD5
00a3ac86babfaaec4924a6859d9751c7

SHA1
9af6b1be6694dd5ca318c89c906d2d3d6d8c8813

SHA256
10769d3ff3eb0282253c399098a923681a7757f900db14092bd88b8779265fcf

SHA512
cd187eb4c797cc61b8cdcc2a5beab7953c8a3e4c52ef23c9bc7a5f2d42591ffa8bbb8cc601b611c6c42dfd9513278604969485cc8e38a7f6f381ad768d789051

Download Submit
\Windows\SysWOW64\Hejoiedd.exe
Filesize
76KB

MD5
a653c66868db9462ac86aba495bf9ad1

SHA1
5deaf5ad97f752284eeff95a1d89cefb41ae20f3

SHA256
5e167b46b91211952846a651ad04cab06a9d2d27c83bd94d9df06c4b86060a98

SHA512
9642067980dbd7bd1b4cea8bbc94083f43d31325eb20f07cb25cbfc03a9a91d574d569f56f6e2d043d7f12c3285d0becaabcf503ac5287cbfa928521585965c1

Download Submit
\Windows\SysWOW64\Hgilchkf.exe
Filesize
76KB

MD5
1ad2746a775501085146051ff6d4f305

SHA1
a954818e4025555a4f2e4e9f83bfd0468ad4937c

SHA256
2418957f97188a60055b6c78774346b6a18a8c02f1953a562a6a14b759cb53a0

SHA512
379dcbd46ed0dfddebfd59df9e3fea240ab71e17df89c2de37962e7147f97953c66e4f4548628323badbc5f8fa363cbada733545bf094452998d367a37e0c8e2

Download Submit
\Windows\SysWOW64\Hodpgjha.exe
Filesize
76KB

MD5
7ecab66a423d1ffbd445708d8d9402a0

SHA1
7f9d918c09652424c95efa474bb4a6a89f26d2b4

SHA256
76bc936b701702118846bcf09c7c8513d36abf9bc80366740ec4636645b6490f

SHA512
ac77ae896dd4fa82bce535f3153efd6698f4efb93e13a6ffa6f0cfd550e7e2381f711e1ae7b46124243562b00da7da33f270e6efd8f4d4c43371d3fa611b37d4

Download Submit
memory/384-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/384-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1012-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1012-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-115-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/1676-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-88-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1676-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-211-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1948-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-6-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2140-199-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2140-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-193-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2340-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-62-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2472-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-53-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2680-47-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2688-74-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2688-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-25-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2780-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-34-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2980-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads