njrat | 6e46e6237adf899904ecddfefc391a22df0f53e4ebe6dde5469b84ca526900d2

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe
Size

337KB
MD5

13e0f7798a4473a52035d0154104be90
SHA1

25d97437132b25f2376c4029e6199918827616d1
SHA256

6e46e6237adf899904ecddfefc391a22df0f53e4ebe6dde5469b84ca526900d2
SHA512

8aea5b98386e1ca633077e957e791b68428246663c17da38b1eecc55a3b72d5468b3d304276ac0ab2db7dcc51d61bc92772efe90d75799962e40837cfe784771
SSDEEP

3072:t9rKXjdKSfdppppppppppppppppppppppppppppppppTppNpKppppppvpxp0xyhX:nrUqpWJ1+fIyG5jZkCwi8r

Score

10^/10

njrat persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfijnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebbgid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epaogi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enihne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epaogi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flabbihl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfijnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epieghdk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdbhi32.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 32 IoCs

pid	Process
2284	Dfijnd32.exe
2680	Epaogi32.exe
2756	Ebbgid32.exe
2484	Enihne32.exe
2476	Epieghdk.exe
2948	Eloemi32.exe
856	Flabbihl.exe
2644	Fhhcgj32.exe
352	Fdoclk32.exe
1596	Fpfdalii.exe
1356	Ffpmnf32.exe
768	Fmlapp32.exe
1136	Gonnhhln.exe
1404	Gicbeald.exe
2440	Gbkgnfbd.exe
1736	Gacpdbej.exe
2420	Ghmiam32.exe
2904	Gphmeo32.exe
1932	Hiqbndpb.exe
2096	Hpkjko32.exe
108	Hgdbhi32.exe
896	Hpmgqnfl.exe
2872	Hckcmjep.exe
1604	Hejoiedd.exe
1988	Hlcgeo32.exe
1992	Hcnpbi32.exe
2648	Hpapln32.exe
2232	Hcplhi32.exe
2588	Hhmepp32.exe
2576	Icbimi32.exe
2596	Ilknfn32.exe
2656	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
1712	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe
1712	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe
2284	Dfijnd32.exe
2284	Dfijnd32.exe
2680	Epaogi32.exe
2680	Epaogi32.exe
2756	Ebbgid32.exe
2756	Ebbgid32.exe
2484	Enihne32.exe
2484	Enihne32.exe
2476	Epieghdk.exe
2476	Epieghdk.exe
2948	Eloemi32.exe
2948	Eloemi32.exe
856	Flabbihl.exe
856	Flabbihl.exe
2644	Fhhcgj32.exe
2644	Fhhcgj32.exe
352	Fdoclk32.exe
352	Fdoclk32.exe
1596	Fpfdalii.exe
1596	Fpfdalii.exe
1356	Ffpmnf32.exe
1356	Ffpmnf32.exe
768	Fmlapp32.exe
768	Fmlapp32.exe
1136	Gonnhhln.exe
1136	Gonnhhln.exe
1404	Gicbeald.exe
1404	Gicbeald.exe
2440	Gbkgnfbd.exe
2440	Gbkgnfbd.exe
1736	Gacpdbej.exe
1736	Gacpdbej.exe
2420	Ghmiam32.exe
2420	Ghmiam32.exe
2904	Gphmeo32.exe
2904	Gphmeo32.exe
1932	Hiqbndpb.exe
1932	Hiqbndpb.exe
2096	Hpkjko32.exe
2096	Hpkjko32.exe
108	Hgdbhi32.exe
108	Hgdbhi32.exe
896	Hpmgqnfl.exe
896	Hpmgqnfl.exe
2872	Hckcmjep.exe
2872	Hckcmjep.exe
1604	Hejoiedd.exe
1604	Hejoiedd.exe
1988	Hlcgeo32.exe
1988	Hlcgeo32.exe
1992	Hcnpbi32.exe
1992	Hcnpbi32.exe
2648	Hpapln32.exe
2648	Hpapln32.exe
2232	Hcplhi32.exe
2232	Hcplhi32.exe
2588	Hhmepp32.exe
2588	Hhmepp32.exe
2576	Icbimi32.exe
2576	Icbimi32.exe
2596	Ilknfn32.exe
2596	Ilknfn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fdoclk32.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Iecimppi.dll	Ebbgid32.exe
File created	C:\Windows\SysWOW64\Lpbjlbfp.dll	Epieghdk.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfijnd32.exe	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Epaogi32.exe	Dfijnd32.exe
File created	C:\Windows\SysWOW64\Fhhcgj32.exe	Flabbihl.exe
File created	C:\Windows\SysWOW64\Dcdooi32.dll	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Cgcmfjnn.dll	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Enihne32.exe	Ebbgid32.exe
File created	C:\Windows\SysWOW64\Olndbg32.dll	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Qahefm32.dll	Gicbeald.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Ebbgid32.exe	Epaogi32.exe
File created	C:\Windows\SysWOW64\Epieghdk.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Egadpgfp.dll	Flabbihl.exe
File opened for modification	C:\Windows\SysWOW64\Fmlapp32.exe	Ffpmnf32.exe
File created	C:\Windows\SysWOW64\Bcqgok32.dll	Ffpmnf32.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	Fmlapp32.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Fdoclk32.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Gbkgnfbd.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Eloemi32.exe	Epieghdk.exe
File created	C:\Windows\SysWOW64\Fpfdalii.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Ohbepi32.dll	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Fmlapp32.exe	Ffpmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Gbkgnfbd.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gbkgnfbd.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Dfijnd32.exe	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ebbgid32.exe	Epaogi32.exe
File created	C:\Windows\SysWOW64\Jamfqeie.dll	Epaogi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2512	2656	WerFault.exe	59

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll"	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epafjqck.dll"	Dfijnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgcmfjnn.dll"	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epaogi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll"	Ebbgid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebbgid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll"	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll"	Flabbihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll"	Epaogi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll"	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2284	1712	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 2284	1712	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 2284	1712	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 2284	1712	13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe	28
PID 2284 wrote to memory of 2680	2284	Dfijnd32.exe	29
PID 2284 wrote to memory of 2680	2284	Dfijnd32.exe	29
PID 2284 wrote to memory of 2680	2284	Dfijnd32.exe	29
PID 2284 wrote to memory of 2680	2284	Dfijnd32.exe	29
PID 2680 wrote to memory of 2756	2680	Epaogi32.exe	30
PID 2680 wrote to memory of 2756	2680	Epaogi32.exe	30
PID 2680 wrote to memory of 2756	2680	Epaogi32.exe	30
PID 2680 wrote to memory of 2756	2680	Epaogi32.exe	30
PID 2756 wrote to memory of 2484	2756	Ebbgid32.exe	31
PID 2756 wrote to memory of 2484	2756	Ebbgid32.exe	31
PID 2756 wrote to memory of 2484	2756	Ebbgid32.exe	31
PID 2756 wrote to memory of 2484	2756	Ebbgid32.exe	31
PID 2484 wrote to memory of 2476	2484	Enihne32.exe	32
PID 2484 wrote to memory of 2476	2484	Enihne32.exe	32
PID 2484 wrote to memory of 2476	2484	Enihne32.exe	32
PID 2484 wrote to memory of 2476	2484	Enihne32.exe	32
PID 2476 wrote to memory of 2948	2476	Epieghdk.exe	33
PID 2476 wrote to memory of 2948	2476	Epieghdk.exe	33
PID 2476 wrote to memory of 2948	2476	Epieghdk.exe	33
PID 2476 wrote to memory of 2948	2476	Epieghdk.exe	33
PID 2948 wrote to memory of 856	2948	Eloemi32.exe	34
PID 2948 wrote to memory of 856	2948	Eloemi32.exe	34
PID 2948 wrote to memory of 856	2948	Eloemi32.exe	34
PID 2948 wrote to memory of 856	2948	Eloemi32.exe	34
PID 856 wrote to memory of 2644	856	Flabbihl.exe	35
PID 856 wrote to memory of 2644	856	Flabbihl.exe	35
PID 856 wrote to memory of 2644	856	Flabbihl.exe	35
PID 856 wrote to memory of 2644	856	Flabbihl.exe	35
PID 2644 wrote to memory of 352	2644	Fhhcgj32.exe	36
PID 2644 wrote to memory of 352	2644	Fhhcgj32.exe	36
PID 2644 wrote to memory of 352	2644	Fhhcgj32.exe	36
PID 2644 wrote to memory of 352	2644	Fhhcgj32.exe	36
PID 352 wrote to memory of 1596	352	Fdoclk32.exe	37
PID 352 wrote to memory of 1596	352	Fdoclk32.exe	37
PID 352 wrote to memory of 1596	352	Fdoclk32.exe	37
PID 352 wrote to memory of 1596	352	Fdoclk32.exe	37
PID 1596 wrote to memory of 1356	1596	Fpfdalii.exe	38
PID 1596 wrote to memory of 1356	1596	Fpfdalii.exe	38
PID 1596 wrote to memory of 1356	1596	Fpfdalii.exe	38
PID 1596 wrote to memory of 1356	1596	Fpfdalii.exe	38
PID 1356 wrote to memory of 768	1356	Ffpmnf32.exe	39
PID 1356 wrote to memory of 768	1356	Ffpmnf32.exe	39
PID 1356 wrote to memory of 768	1356	Ffpmnf32.exe	39
PID 1356 wrote to memory of 768	1356	Ffpmnf32.exe	39
PID 768 wrote to memory of 1136	768	Fmlapp32.exe	40
PID 768 wrote to memory of 1136	768	Fmlapp32.exe	40
PID 768 wrote to memory of 1136	768	Fmlapp32.exe	40
PID 768 wrote to memory of 1136	768	Fmlapp32.exe	40
PID 1136 wrote to memory of 1404	1136	Gonnhhln.exe	41
PID 1136 wrote to memory of 1404	1136	Gonnhhln.exe	41
PID 1136 wrote to memory of 1404	1136	Gonnhhln.exe	41
PID 1136 wrote to memory of 1404	1136	Gonnhhln.exe	41
PID 1404 wrote to memory of 2440	1404	Gicbeald.exe	42
PID 1404 wrote to memory of 2440	1404	Gicbeald.exe	42
PID 1404 wrote to memory of 2440	1404	Gicbeald.exe	42
PID 1404 wrote to memory of 2440	1404	Gicbeald.exe	42
PID 2440 wrote to memory of 1736	2440	Gbkgnfbd.exe	43
PID 2440 wrote to memory of 1736	2440	Gbkgnfbd.exe	43
PID 2440 wrote to memory of 1736	2440	Gbkgnfbd.exe	43
PID 2440 wrote to memory of 1736	2440	Gbkgnfbd.exe	43

C:\Users\Admin\AppData\Local\Temp\13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13e0f7798a4473a52035d0154104be90_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\Dfijnd32.exe
  C:\Windows\system32\Dfijnd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\Epaogi32.exe
    C:\Windows\system32\Epaogi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\Ebbgid32.exe
      C:\Windows\system32\Ebbgid32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\Enihne32.exe
        
        C:\Windows\system32\Enihne32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\Epieghdk.exe
        
        C:\Windows\system32\Epieghdk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Eloemi32.exe
        
        C:\Windows\system32\Eloemi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Flabbihl.exe
        
        C:\Windows\system32\Flabbihl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Fhhcgj32.exe
        
        C:\Windows\system32\Fhhcgj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Fdoclk32.exe
        
        C:\Windows\system32\Fdoclk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\SysWOW64\Fpfdalii.exe
        
        C:\Windows\system32\Fpfdalii.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Ffpmnf32.exe
        
        C:\Windows\system32\Ffpmnf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Gbkgnfbd.exe
        
        C:\Windows\system32\Gbkgnfbd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:108
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        33⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 140
        34⤵
        Program crash
        
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebbgid32.exe

Filesize
337KB

MD5
0166e3719145dd0f450ed8e74a268237

SHA1
265fc17bc6e5086db0467d83bca40611f63adb34

SHA256
045afb1556a83d85439f7d596380589feb546e4940fd2349f03ee68ab3d1a4df

SHA512
b7a72ca0768240c0a945291cfdf808bd36695ae25e341db96080389d2abce1b8a464dbb1bb3e59a64e7547cd32b0bd712e49a0912698c78cde7552dfbb4c2267

Download Submit
C:\Windows\SysWOW64\Epaogi32.exe

Filesize
337KB

MD5
899ff3aac25fc509822a169c0ed176af

SHA1
f190fa01d3a1ebd1b94ac1112f45205a06f736dd

SHA256
c9399683de8f3ba23d2c52046d4c2360e88b0353701ac433ebc8a66d11543834

SHA512
8dfc2739a782d41565ff872aa8bb7de98c08cf8492567237ec4920dbf8e0017ef55e6923d9fbe5f40ddbf6490bda8c92364f6938cf4a80fbbc1b3035e882c76b

Download Submit
C:\Windows\SysWOW64\Epieghdk.exe

Filesize
337KB

MD5
b8c317c99a84a2f5a44dbfeca0387beb

SHA1
45cce729f5a22f0569b71061e3d0a98137816be9

SHA256
0479f476803d66988640dcdd8c8a4c2752350714e4b548d6670d383f1afb946f

SHA512
0ba1bd491fa5c821356c93f0a1737dd729e04e91bd190320abd32401cfb316a647c26f871a81f5a69d4e9284f5c25559ac5e4163078c335bc3a40b6c6015fe81

Download Submit
C:\Windows\SysWOW64\Ffpmnf32.exe

Filesize
337KB

MD5
7fd6a69735ec778e72ddf4e107658144

SHA1
f4c5bad0da46807b31d161961ff2396c3cef6883

SHA256
1540dc3547704d77596b2a0597615d782ac2224d8714de96eecd55b922d48775

SHA512
81cf0f791ace72e9eb8e1baf7fb6d49909f628b176428f033b6d3586219e3cd6a4b3583b74b5b356a070a6756fbd76353564e4c5cd8633055afe52ecea19776c

Download Submit
C:\Windows\SysWOW64\Flabbihl.exe

Filesize
337KB

MD5
435986979391507f58d8723971f2196c

SHA1
31a34fdab9af3602cd03e5d5af22709fbdb1d9d2

SHA256
046f6d34ec0c47b02a95b4077107e99ed42988846affa179890874f0c70cd774

SHA512
b991d16c8c975bc92435edb3604c4408fb573eaeb472591a53c4029fb87ab5c720311cd9ec0ec2722105d128d48cfa63c098787b3b7ba20fd6eab4147f2ffb28

Download Submit
C:\Windows\SysWOW64\Ghmiam32.exe

Filesize
337KB

MD5
51c38c7fef6fdb499e9abe96b4de97e2

SHA1
75665d66a2195d8b063c1fe1424409ef55915f23

SHA256
4aed3c58967236f625e598920ef489977e378f4c28165549b57023cc0526a0a9

SHA512
cc1255b202f98605bdf71251baaf1ebceebbe5a78d30400acce8827b96a5d677305e7a473b08d03a6efedc3e1befbe13c421f6faf2ea1ff32b7d21048ec8b54f

Download Submit
C:\Windows\SysWOW64\Gicbeald.exe

Filesize
337KB

MD5
bf762d88d5d591b310a97f8dba63cb67

SHA1
51a8beab7c98c3d2c327dfb9ad363430f415e639

SHA256
8c93970450ad4cbd6abc8d0f39c9e825aeb7e296447c7b79b6b95ce608ef818b

SHA512
f7df196f9ca700ddc5c20d1890296d87cf070c2f4e12fa3c010e626a4ca1bf1aefa43e022e86b01c81c352520699d78b14c8a7fe80205094f3568e8c8ca1ccd2

Download Submit
C:\Windows\SysWOW64\Gonnhhln.exe

Filesize
337KB

MD5
4c6ea62a7dc277a785c5e9992b5a579d

SHA1
bb581d6dc80dacbf61295e8d5fd4dad5fc8545d2

SHA256
669e5cdfa7b2352d5d2416e7096a34975be026b412cd80d2651951096bd86987

SHA512
004eaad5f9385ee6cb240038716b45ffc3a7f9b727649b12fcc71b3f8415de8d7a8db4c486fcc73c25f095dfb9363895af17e1e757fdab6a74caa46c1a9641ac

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
337KB

MD5
03133c6bd3ff652404a74487e9d21643

SHA1
42df9221bf460e0f7e8e043dc42b70686ab2f5e4

SHA256
f6bba82b52015b5d82dca7cae53e915a76af753ca4cbbe1715efb857a186a7c9

SHA512
6e2e616f7fc5a9fd057c475211d5035fedbebfecd186c7c383d60479eb61d7cef7f7f5f9bd24752ac5cbcaa4aaa2d6100190282a330fbfcf1e23d74766444930

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
337KB

MD5
b81bf8272df079bddb82aa549f517ad9

SHA1
f9896b8b5d31d12886a6f5d82986e8c699dbeff5

SHA256
c4be0704448f8a123a97b1153ba8315b11808bc2c070ea8da2656bc6ff4c51ca

SHA512
da8acf20bdea7f8fa1cce551ecfbd75661014f0b3e71b6df958da97199c46d9ff2ade83a27a336b67303b6bdc4bb5e447234f9fb4880bd9dc091ad645c27b7c8

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
337KB

MD5
ccf9d6cc49206f4d636de4cb9f9171ce

SHA1
ff2006826cdf3d6b803d51b50c6d6a5ebb5943ae

SHA256
092fa546aac12596ace6c685283e3337c03cb827fb823423ebaafbbd8d4f03cf

SHA512
7f1c7eea7ee93866489f4f743f465af35f8d65880ec9650a6f82b387a5a84db0ece02a398f30673f2b7a944adeb537e84981e4fac396a932909ce54b84daec81

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
337KB

MD5
978f1e30e3f87ca3eb7fd65c397add21

SHA1
2a6e49b33d1ee5083460cb9a537dcc9911ffeec9

SHA256
13b51db9025c4f3bd39dc74f3e2c9be47f2584d924fc0e9ddd716810f05ee705

SHA512
a4a8295a2ba3f991695a7502cf6226805ad8f8fab1e8de293d40220eda90918a57bc90c2c476ea76705d997a7b294165ab8d874fcb306b3131fb21625e524ee0

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
337KB

MD5
57fbeda7ec54b64b0d8a2ec10eee1ab3

SHA1
47261680be6bf29ebf1ed43760504004ed92ed64

SHA256
6ce784a398d735f4b581d0d815912f1f0aa622ad173094b9d6cccb4aa4dffed9

SHA512
2b1bee307bfd0bcd567f6b768a50fe8d526ce973f0ed56b0c0b3c2469c5cf95459ac6c113fb05dfc83b4158e3fe056aebef6df6ba58e03d46892c035dabacda0

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
337KB

MD5
5800c7b2baf2586aa863aceb575a4102

SHA1
17bda174827d5e395dd7ad17970b8153b8842050

SHA256
3bb83c77373de3c611631a5b1e0bedaab9996f3672e592fe3b0f51f991db8735

SHA512
b9e17f26bc51d9e90f1ef74341f937046a12676679de78b34a9dde5611b893289c421c210f3e1db7be52142408bb27f4466f5d220291146b68e5c3b7385197cc

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
337KB

MD5
80e573bcf9243126419b1795c30c48e8

SHA1
548833979c6ed090847fd8da7edca3963736e65a

SHA256
7c04025a894761d22df3b93b76a384117128b856d6fc2cea1f224d27475be0a1

SHA512
b28e4cfebe7eac6e84672d97a99b4a2e955cad9e7433a6932b12ac5d22367e94ccc255c3e9e5e50d26fa7db53f49c0bd12e3b63c5f0d60919e0c30ccf981a67c

Download Submit
C:\Windows\SysWOW64\Hiqbndpb.exe

Filesize
337KB

MD5
a6e5e03884093a0197b0484d5f65ac8b

SHA1
c6f890d4617ec3625fcb80978b69cba68e530b5e

SHA256
af726b6eb97a4daf991812fbeb9e27a463d6fd1336414657c6caa724661414af

SHA512
57f9c6b946cedc889add3062f0fa96a993dc187c0ed695287764e7eea86a37eab9259af3c9038ce91abeb55d07ddd0f68de064c7cce9f2c919024d03fe13b964

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
337KB

MD5
18948a92215276b8c4b9b38af10c3ce4

SHA1
83fe5dffb49463e610357cabff9545007c6599b6

SHA256
b6bb8ec7b482f2c7b9d0c88c4577446fcc4fe600a1224b66ca20d7b0dca084f6

SHA512
c8c6db2122177010f1fde1f7a02127ce85c6b072fb8023c3f239da69e990a59285c214654d51f320da883d6b6b57b0e6723520882ea3ff1f3606038e2e984304

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
337KB

MD5
e330821a8c5d449aceaa0ab358955685

SHA1
b202b6309811f0012ec54f3bb38da927b43b340c

SHA256
65f9a60c58bb24c4fbbea06fe9a2bda5c332aae54d219967c85e9cd6d3361d24

SHA512
542d1d1cd700004013fef4cf6dd48fd0b0491202f3270dfed28171e37d97f1bebfe6c8f1ba181b75d0cb9aaf2a29f67f297d638baece8b1048cb721b19897e9c

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
337KB

MD5
68daf75be64f524fec396f1fd8217292

SHA1
73af1d32b4b458b945b2003bae05db876271fc70

SHA256
cf3c878217b4e13fb426ceab4a5a936426aa357fe446aaf0e4c35aa3b61c620a

SHA512
f0c6136ff643b9330776d73d8e62328f7e198a3cf42004e10a3013e82b12f719b67eb5bf512e7da410de7dba23963ecf9c79973acf3f51008ef31b32b470c125

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
337KB

MD5
8a0edef5c6c91e7434f91bc4fbe7a1a2

SHA1
67010acb76abce04b08e0cd0a80209390b62c9e0

SHA256
bc3785c96c63659985679ff43b38441fe8b7e0921f4351fed908db44927df243

SHA512
f7aca8759d7605c2497d4483cabe0409b5ac3eea581196354c89a1b3d566f9fcf63827ceffffe436ad577fec24ae245bb8d46ec96feddf2bf1e901ea273be5b6

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
337KB

MD5
552f202dd4b947e81a84a17a4a121190

SHA1
766c04679226a351e615edba47b52dca04dac5ef

SHA256
9ba8ce703d894a87b19d30e9f1d36c75c5e358bcd5de41231b370f5df9fe1ae3

SHA512
cf374c948059f37e67309eb2ae9ff873e02965ddb90ed68daabb57f05cd28cada818283edd4e9bcf927b469cfbfc8a4e5c79ec797f7a8f79340d1bfc5b4a65b4

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
337KB

MD5
f1520a998de8a983c9508edcb1b690e8

SHA1
e089a8bd824be6f3baa42642e736c4e187b5e600

SHA256
a536ecb225d9df34e3794464ac45e0a058737ba185ec93aaaefb1f6b26c9f694

SHA512
c7fbda59007e0993862cb0526208de88d8647c8ff5d69d2539d5c63e4366f2a3ddd2bc49893acb773cf85f28e8b70c9f1e1bd8a1d3b156e3f1c3da6db0eb0e2c

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
337KB

MD5
11f89e4000ef67570aad1e168debee71

SHA1
fcb396ed2efe77d80abbb1c030d55ff1a34829c8

SHA256
af008a301186b57be721518c35978bf7f7e9643d9df49fb204f083533d6490fc

SHA512
cd102ee16e69356f09a29482f83b1a81160079f43014881efa1b1d9a116bbe3b26ed8bd556da58cb1c16119d69d5783ba33ed563968fc1253a3378e0dd2b30e2

Download Submit
\Windows\SysWOW64\Dfijnd32.exe

Filesize
337KB

MD5
56dd52c7366dc4300f24845f2e32450d

SHA1
86f96b8162117f9c7c8b1485b9f7bd371695fe9f

SHA256
a254916836b163ed25c4a9e276d8d707151c9c435a183d91a28a6ff4ee87ae55

SHA512
aa5378f8037dfbfe4a059ca1f57c7ba7c8ee65b78db2cae90c166b08fb9f176e68a30c26905f5ce187752cc15aaf91942cafa967ca19020f68a3fec72ddadb67

Download Submit
\Windows\SysWOW64\Eloemi32.exe

Filesize
337KB

MD5
a075ccdc17cf660099806e7bdfdd60fe

SHA1
b600d475351ed36ff4496cc0745ce38af6c89173

SHA256
cded406271de3ccff92a37c0b091282d98132547724983f9ed05d2771c227432

SHA512
4a2bd46cb6e7819fa3210c9dc68ce8d1ce5ef41ecbea34b0ecd470c854641c0c4ca5a78a1e7ed1ec630df247b06bf0df934119e4fdf752f7f6a0e0139eb233d5

Download Submit
\Windows\SysWOW64\Enihne32.exe

Filesize
337KB

MD5
5495cb4c486046b5a531b684340e7380

SHA1
1afbf124c302b276394015255bbd6f021af16eb3

SHA256
112e36ec3078df565d1f34a9b026cf7a7a90bc741d259170b106351f7fa2f93f

SHA512
6b8db700540929850fe59e66195650fa3a83a583774fdefcb2959e7b2ee4a2ade0ab55fa3e562019ca33ebf7cd6e9a3a39fbe9200156ce7c0321c8f009dc2ee4

Download Submit
\Windows\SysWOW64\Fdoclk32.exe

Filesize
337KB

MD5
98eb06d6838ecf66531ed726ddc038bf

SHA1
5e0fedb9093c43cf4e235ba67dd7ac8337300da0

SHA256
56dc4fdec23a7802b9c480d31033a95821ba9a98193d763a903e3b7689108cad

SHA512
f1e257305162d835545b405bdebe24e8c139c831fee4ac3889d252c6ae0e951b30780073837d25d6bfdd3d77ea78fc14a8bd0ea12bf1b253611941ffc520160d

Download Submit
\Windows\SysWOW64\Fhhcgj32.exe

Filesize
337KB

MD5
d2efe1fbace91c5721a6b563a6caf375

SHA1
c11a5f09d1db79c181e2538b0483c78796305208

SHA256
366fa71223efea75a40dc838902bb61129a7ae735206d670c9d892c94a1b8912

SHA512
d28c1d3ec6f7e5e6dabfa6d9e7c15e62e286c328ec1329d62f57796999437f2b72a0eebd78bf8e6af8fd8eaec01b200760a7d82d5a80f96c919dd441dff8ca3d

Download Submit
\Windows\SysWOW64\Fmlapp32.exe

Filesize
337KB

MD5
da75d7f6667458ddfc2030415dc02870

SHA1
bc81c814a35e4c8109b9b255cbc0243f758cc1cb

SHA256
e93c0d9d784d84b43dd0a9c40448b173352fcd11af4aeca318c4b9d9efa9ccb0

SHA512
8514351d7f493fe1ab9f3de0f02b4876b7ea5992b3a46aa7d450d5f4d9162f07a2f277beea7b36a351c9e431390faada917213c14e8889a727357a0b3f749929

Download Submit
\Windows\SysWOW64\Fpfdalii.exe

Filesize
337KB

MD5
c2da88ee13a05c695392357f7529a2cb

SHA1
dd7172840af95f249a747063586e3b329f06014b

SHA256
bd566154b268a605483fb1aa38ef99eb9f750bf8afc98b14c6ac1e4f90189a04

SHA512
9bcc485aca99ac09d2559aa241f741d6014523663fef1939d74065916d4ffa42d28401e87645f169064173ef5224bf0aaab83898d00c73b4b1462215d82852df

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
337KB

MD5
f7efb3caea96c1d275e0f179140e612e

SHA1
9ca334e827caf10a77319d59f18332d1867f2e2d

SHA256
176660bb57376c9edea12fccd72e4921230f29ae475d6956735bc444512f7be7

SHA512
096dd0d8b851c255d46e2ed1e4947c765a3aaefee38e9e3d14869e03ebde7816fe442bea1b13a56c3f6a724ad7f650d8639859afb2e0c783b68f09347151db65

Download Submit
\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
337KB

MD5
6449d4217dbfe5e137aa3a66ce4fb378

SHA1
708a0b97e3a36f8bf50e36a1ef099b1103186059

SHA256
9890345b4a540e9fe5be1788711a3a54524d5da13bc4c81c69c90be756209a69

SHA512
7e71e13dfc7f07877f7b092de5e3bfa7fb8b0cf1d2d71fa31d55dc88397da81a6a5353b678bf2b03bb2bcbddc6068edf627ce8940e63ed85db1e091ab222f4f5

Download Submit
memory/108-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/108-291-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/352-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/352-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/352-140-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/768-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-110-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/856-111-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/896-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-197-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1136-196-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1356-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-169-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/1404-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-210-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1596-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-154-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1596-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-317-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1604-320-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1604-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-6-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1712-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-235-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1932-267-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1932-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-266-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1988-327-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/1988-326-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/1988-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-338-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1992-337-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1992-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-365-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2232-359-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2232-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-26-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2420-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-245-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2420-246-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2420-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-225-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2440-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-82-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2476-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-81-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2484-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-68-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-381-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2576-382-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2576-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-371-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2588-370-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2588-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-393-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2596-392-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2644-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-121-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2644-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-353-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2648-350-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2656-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-40-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2756-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-53-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2872-309-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2872-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-256-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2904-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-97-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2948-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads