251874db161612c4896a3cc698dd9b1be9a6254ce3e37abaae59d2a9ea408954

Analysis

max time kernel
216s
max time network
238s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 18:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe
Size

81KB
MD5

dd130ae3fac85936f6694868cf754b96
SHA1

ecc1cec85c5fb90b10bb1c7b6140b71b54e8d14c
SHA256

251874db161612c4896a3cc698dd9b1be9a6254ce3e37abaae59d2a9ea408954
SHA512

2ddae9babab074b8b98cf92e25f013847a46158b51d89d71535d490c2fb204192a8961c659723146d5108cc3e81ca38594a804ef1d6675f166d52cef67f72a4c
SSDEEP

1536:BoWs0JSUOqpG7oED7DIK8X80222222223sS7lth7m4LO++/+1m6KadhYxU33HX0L:Ts0UqpAfD7DRLuLh/LrCimBaH8UH30L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpniaool.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaciafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihhejjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlooef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjblcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjblcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhenp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imlime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkpbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggldnkoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmdfpbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djcoko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opnbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onochbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjaciafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opnbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfmdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfmdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhfcbfdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpomoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjomeikm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opqopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oegejc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khfdedfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cifmjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdfpbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmnbpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfaaogcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfaaogcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kndodehf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onochbjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhfcbfdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpniaool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cifmjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjqjfnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdblhcmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khfdedfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpomoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihhejjce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggldnkoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlooef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpbie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjomeikm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cqkkmmmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imlime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjqjfnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djcoko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cqkkmmmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kndodehf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oegejc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njhenp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olicbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olicbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdblhcmk.exe

Executes dropped EXE 29 IoCs

pid	Process
3952	Bpniaool.exe
1340	Cifmjd32.exe
1012	Cmdfpbkc.exe
4132	Kndodehf.exe
3384	Mlooef32.exe
3984	Djcoko32.exe
4472	Oegejc32.exe
4908	Kjblcj32.exe
2276	Opnbjk32.exe
3584	Onochbjl.exe
1332	Opqopj32.exe
436	Pfmdbd32.exe
3824	Pmnbpm32.exe
2432	Pjaciafc.exe
2836	Qhfcbfdl.exe
2508	Khfdedfp.exe
1764	Bpomoc32.exe
556	Ihhejjce.exe
3480	Nkpbie32.exe
4592	Cjomeikm.exe
2780	Njhenp32.exe
1328	Cqkkmmmk.exe
4928	Imlime32.exe
4144	Olicbp32.exe
1908	Fnjmog32.exe
416	Ggldnkoo.exe
2648	Gjjqjfnc.exe
2904	Gfaaogcg.exe
2792	Mdblhcmk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Opnbjk32.exe	Kjblcj32.exe
File created	C:\Windows\SysWOW64\Onochbjl.exe	Opnbjk32.exe
File created	C:\Windows\SysWOW64\Opqopj32.exe	Onochbjl.exe
File opened for modification	C:\Windows\SysWOW64\Ihhejjce.exe	Bpomoc32.exe
File created	C:\Windows\SysWOW64\Egamkf32.dll	Njhenp32.exe
File created	C:\Windows\SysWOW64\Gfaaogcg.exe	Gjjqjfnc.exe
File opened for modification	C:\Windows\SysWOW64\Cifmjd32.exe	Bpniaool.exe
File created	C:\Windows\SysWOW64\Cmdfpbkc.exe	Cifmjd32.exe
File opened for modification	C:\Windows\SysWOW64\Oegejc32.exe	Djcoko32.exe
File opened for modification	C:\Windows\SysWOW64\Onochbjl.exe	Opnbjk32.exe
File created	C:\Windows\SysWOW64\Cjomeikm.exe	Nkpbie32.exe
File created	C:\Windows\SysWOW64\Ppbendph.dll	Nkpbie32.exe
File created	C:\Windows\SysWOW64\Imlime32.exe	Cqkkmmmk.exe
File created	C:\Windows\SysWOW64\Ohdpel32.dll	Imlime32.exe
File created	C:\Windows\SysWOW64\Cdaemjcg.dll	NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe
File created	C:\Windows\SysWOW64\Oolcfbhh.dll	Bpniaool.exe
File created	C:\Windows\SysWOW64\Keiohfgm.dll	Fnjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mdblhcmk.exe	Gfaaogcg.exe
File created	C:\Windows\SysWOW64\Oegejc32.exe	Djcoko32.exe
File opened for modification	C:\Windows\SysWOW64\Cjomeikm.exe	Nkpbie32.exe
File created	C:\Windows\SysWOW64\Cqkkmmmk.exe	Njhenp32.exe
File created	C:\Windows\SysWOW64\Gjjqjfnc.exe	Ggldnkoo.exe
File created	C:\Windows\SysWOW64\Abggfq32.exe	Mdblhcmk.exe
File created	C:\Windows\SysWOW64\Mlooef32.exe	Kndodehf.exe
File opened for modification	C:\Windows\SysWOW64\Mlooef32.exe	Kndodehf.exe
File created	C:\Windows\SysWOW64\Pjaciafc.exe	Pmnbpm32.exe
File created	C:\Windows\SysWOW64\Bpomoc32.exe	Khfdedfp.exe
File created	C:\Windows\SysWOW64\Ciindcfi.dll	Ggldnkoo.exe
File opened for modification	C:\Windows\SysWOW64\Bpniaool.exe	NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe
File opened for modification	C:\Windows\SysWOW64\Djcoko32.exe	Mlooef32.exe
File created	C:\Windows\SysWOW64\Pmnbpm32.exe	Pfmdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Qhfcbfdl.exe	Pjaciafc.exe
File created	C:\Windows\SysWOW64\Nkpbie32.exe	Ihhejjce.exe
File created	C:\Windows\SysWOW64\Olicbp32.exe	Imlime32.exe
File created	C:\Windows\SysWOW64\Efacmeeg.dll	Gfaaogcg.exe
File created	C:\Windows\SysWOW64\Hfokkjmf.dll	Mdblhcmk.exe
File created	C:\Windows\SysWOW64\Eadgok32.dll	Mlooef32.exe
File created	C:\Windows\SysWOW64\Acahge32.dll	Djcoko32.exe
File opened for modification	C:\Windows\SysWOW64\Nkpbie32.exe	Ihhejjce.exe
File created	C:\Windows\SysWOW64\Jlkfpbpd.dll	Gjjqjfnc.exe
File created	C:\Windows\SysWOW64\Kjblcj32.exe	Oegejc32.exe
File opened for modification	C:\Windows\SysWOW64\Kjblcj32.exe	Oegejc32.exe
File opened for modification	C:\Windows\SysWOW64\Gfaaogcg.exe	Gjjqjfnc.exe
File created	C:\Windows\SysWOW64\Kfdhlhfj.dll	Pfmdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Imlime32.exe	Cqkkmmmk.exe
File created	C:\Windows\SysWOW64\Iphcpdeb.dll	Pmnbpm32.exe
File created	C:\Windows\SysWOW64\Jmbcka32.dll	Pjaciafc.exe
File created	C:\Windows\SysWOW64\Jhlcfn32.dll	Khfdedfp.exe
File created	C:\Windows\SysWOW64\Lclkmp32.dll	Ihhejjce.exe
File opened for modification	C:\Windows\SysWOW64\Njhenp32.exe	Cjomeikm.exe
File created	C:\Windows\SysWOW64\Ggldnkoo.exe	Fnjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Pfmdbd32.exe	Opqopj32.exe
File opened for modification	C:\Windows\SysWOW64\Pjaciafc.exe	Pmnbpm32.exe
File opened for modification	C:\Windows\SysWOW64\Khfdedfp.exe	Qhfcbfdl.exe
File created	C:\Windows\SysWOW64\Fnjmog32.exe	Olicbp32.exe
File created	C:\Windows\SysWOW64\Bkieampj.dll	Cmdfpbkc.exe
File created	C:\Windows\SysWOW64\Mbpboj32.dll	Oegejc32.exe
File created	C:\Windows\SysWOW64\Djcoko32.exe	Mlooef32.exe
File opened for modification	C:\Windows\SysWOW64\Opqopj32.exe	Onochbjl.exe
File created	C:\Windows\SysWOW64\Pfpbkj32.dll	Onochbjl.exe
File created	C:\Windows\SysWOW64\Ihhejjce.exe	Bpomoc32.exe
File created	C:\Windows\SysWOW64\Icpfkh32.dll	Bpomoc32.exe
File created	C:\Windows\SysWOW64\Bpniaool.exe	NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe
File opened for modification	C:\Windows\SysWOW64\Cmdfpbkc.exe	Cifmjd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolcfbhh.dll"	Bpniaool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cifmjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kndodehf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjblcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foikga32.dll"	Kjblcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njhenp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cqkkmmmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olicbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmnbpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfjnhe32.dll"	Cqkkmmmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiohfgm.dll"	Fnjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjjqjfnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfaaogcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onochbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpniaool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpniaool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkieampj.dll"	Cmdfpbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djcoko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjblcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opnbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opnbjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opqopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfmdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihhejjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohdpel32.dll"	Imlime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olicbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbcka32.dll"	Pjaciafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khfdedfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjomeikm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imlime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggldnkoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfaaogcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdblhcmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kndodehf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djcoko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpboj32.dll"	Oegejc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfpbkj32.dll"	Onochbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihhejjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmckljpg.dll"	Cjomeikm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njghcg32.dll"	Kndodehf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpfkh32.dll"	Bpomoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclkmp32.dll"	Ihhejjce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjjqjfnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfokkjmf.dll"	Mdblhcmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebihiaml.dll"	Cifmjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlooef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acahge32.dll"	Djcoko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eboieeff.dll"	Opqopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkpbie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqofjd32.dll"	Opnbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciindcfi.dll"	Ggldnkoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efacmeeg.dll"	Gfaaogcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmdfpbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlooef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjaciafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egamkf32.dll"	Njhenp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaqfdbp.dll"	Olicbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggldnkoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdaemjcg.dll"	NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opqopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpomoc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3952	1984	NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe	89
PID 1984 wrote to memory of 3952	1984	NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe	89
PID 1984 wrote to memory of 3952	1984	NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe	89
PID 3952 wrote to memory of 1340	3952	Bpniaool.exe	90
PID 3952 wrote to memory of 1340	3952	Bpniaool.exe	90
PID 3952 wrote to memory of 1340	3952	Bpniaool.exe	90
PID 1340 wrote to memory of 1012	1340	Cifmjd32.exe	91
PID 1340 wrote to memory of 1012	1340	Cifmjd32.exe	91
PID 1340 wrote to memory of 1012	1340	Cifmjd32.exe	91
PID 1012 wrote to memory of 4132	1012	Cmdfpbkc.exe	92
PID 1012 wrote to memory of 4132	1012	Cmdfpbkc.exe	92
PID 1012 wrote to memory of 4132	1012	Cmdfpbkc.exe	92
PID 4132 wrote to memory of 3384	4132	Kndodehf.exe	93
PID 4132 wrote to memory of 3384	4132	Kndodehf.exe	93
PID 4132 wrote to memory of 3384	4132	Kndodehf.exe	93
PID 3384 wrote to memory of 3984	3384	Mlooef32.exe	94
PID 3384 wrote to memory of 3984	3384	Mlooef32.exe	94
PID 3384 wrote to memory of 3984	3384	Mlooef32.exe	94
PID 3984 wrote to memory of 4472	3984	Djcoko32.exe	97
PID 3984 wrote to memory of 4472	3984	Djcoko32.exe	97
PID 3984 wrote to memory of 4472	3984	Djcoko32.exe	97
PID 4472 wrote to memory of 4908	4472	Oegejc32.exe	98
PID 4472 wrote to memory of 4908	4472	Oegejc32.exe	98
PID 4472 wrote to memory of 4908	4472	Oegejc32.exe	98
PID 4908 wrote to memory of 2276	4908	Kjblcj32.exe	99
PID 4908 wrote to memory of 2276	4908	Kjblcj32.exe	99
PID 4908 wrote to memory of 2276	4908	Kjblcj32.exe	99
PID 2276 wrote to memory of 3584	2276	Opnbjk32.exe	101
PID 2276 wrote to memory of 3584	2276	Opnbjk32.exe	101
PID 2276 wrote to memory of 3584	2276	Opnbjk32.exe	101
PID 3584 wrote to memory of 1332	3584	Onochbjl.exe	102
PID 3584 wrote to memory of 1332	3584	Onochbjl.exe	102
PID 3584 wrote to memory of 1332	3584	Onochbjl.exe	102
PID 1332 wrote to memory of 436	1332	Opqopj32.exe	103
PID 1332 wrote to memory of 436	1332	Opqopj32.exe	103
PID 1332 wrote to memory of 436	1332	Opqopj32.exe	103
PID 436 wrote to memory of 3824	436	Pfmdbd32.exe	104
PID 436 wrote to memory of 3824	436	Pfmdbd32.exe	104
PID 436 wrote to memory of 3824	436	Pfmdbd32.exe	104
PID 3824 wrote to memory of 2432	3824	Pmnbpm32.exe	105
PID 3824 wrote to memory of 2432	3824	Pmnbpm32.exe	105
PID 3824 wrote to memory of 2432	3824	Pmnbpm32.exe	105
PID 2432 wrote to memory of 2836	2432	Pjaciafc.exe	106
PID 2432 wrote to memory of 2836	2432	Pjaciafc.exe	106
PID 2432 wrote to memory of 2836	2432	Pjaciafc.exe	106
PID 2836 wrote to memory of 2508	2836	Qhfcbfdl.exe	108
PID 2836 wrote to memory of 2508	2836	Qhfcbfdl.exe	108
PID 2836 wrote to memory of 2508	2836	Qhfcbfdl.exe	108
PID 2508 wrote to memory of 1764	2508	Khfdedfp.exe	109
PID 2508 wrote to memory of 1764	2508	Khfdedfp.exe	109
PID 2508 wrote to memory of 1764	2508	Khfdedfp.exe	109
PID 1764 wrote to memory of 556	1764	Bpomoc32.exe	110
PID 1764 wrote to memory of 556	1764	Bpomoc32.exe	110
PID 1764 wrote to memory of 556	1764	Bpomoc32.exe	110
PID 556 wrote to memory of 3480	556	Ihhejjce.exe	111
PID 556 wrote to memory of 3480	556	Ihhejjce.exe	111
PID 556 wrote to memory of 3480	556	Ihhejjce.exe	111
PID 3480 wrote to memory of 4592	3480	Nkpbie32.exe	112
PID 3480 wrote to memory of 4592	3480	Nkpbie32.exe	112
PID 3480 wrote to memory of 4592	3480	Nkpbie32.exe	112
PID 4592 wrote to memory of 2780	4592	Cjomeikm.exe	113
PID 4592 wrote to memory of 2780	4592	Cjomeikm.exe	113
PID 4592 wrote to memory of 2780	4592	Cjomeikm.exe	113
PID 2780 wrote to memory of 1328	2780	Njhenp32.exe	116

C:\Users\Admin\AppData\Local\Temp\NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.dd130ae3fac85936f6694868cf754b96_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\Bpniaool.exe
  C:\Windows\system32\Bpniaool.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\SysWOW64\Cifmjd32.exe
    C:\Windows\system32\Cifmjd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\Cmdfpbkc.exe
      C:\Windows\system32\Cmdfpbkc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\SysWOW64\Kndodehf.exe
        
        C:\Windows\system32\Kndodehf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
      - C:\Windows\SysWOW64\Mlooef32.exe
        
        C:\Windows\system32\Mlooef32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Djcoko32.exe
        
        C:\Windows\system32\Djcoko32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Oegejc32.exe
        
        C:\Windows\system32\Oegejc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Kjblcj32.exe
        
        C:\Windows\system32\Kjblcj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Opnbjk32.exe
        
        C:\Windows\system32\Opnbjk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Onochbjl.exe
        
        C:\Windows\system32\Onochbjl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Opqopj32.exe
        
        C:\Windows\system32\Opqopj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Pfmdbd32.exe
        
        C:\Windows\system32\Pfmdbd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Pmnbpm32.exe
        
        C:\Windows\system32\Pmnbpm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Pjaciafc.exe
        
        C:\Windows\system32\Pjaciafc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Qhfcbfdl.exe
        
        C:\Windows\system32\Qhfcbfdl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Khfdedfp.exe
        
        C:\Windows\system32\Khfdedfp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Bpomoc32.exe
        
        C:\Windows\system32\Bpomoc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Ihhejjce.exe
        
        C:\Windows\system32\Ihhejjce.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Nkpbie32.exe
        
        C:\Windows\system32\Nkpbie32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Cjomeikm.exe
        
        C:\Windows\system32\Cjomeikm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Njhenp32.exe
        
        C:\Windows\system32\Njhenp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Cqkkmmmk.exe
        
        C:\Windows\system32\Cqkkmmmk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Imlime32.exe
        
        C:\Windows\system32\Imlime32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Olicbp32.exe
        
        C:\Windows\system32\Olicbp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Fnjmog32.exe
        
        C:\Windows\system32\Fnjmog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Ggldnkoo.exe
        
        C:\Windows\system32\Ggldnkoo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:416
        
        C:\Windows\SysWOW64\Gjjqjfnc.exe
        
        C:\Windows\system32\Gjjqjfnc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Gfaaogcg.exe
        
        C:\Windows\system32\Gfaaogcg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Mdblhcmk.exe
        
        C:\Windows\system32\Mdblhcmk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bpniaool.exe

Filesize
81KB

MD5
b457fc2cee323e461dc9c76f9a6b2e16

SHA1
6b740877a2ee944da6c505a9ded28b6c39e88b81

SHA256
2cacfb6e58ba40b77d2f67cbc81d0bc478780f075cf3b0d7ef4f2bd5553ebf83

SHA512
7096c8f5ccc75b7ae1087f18f561c7db05e69ef7c975f3df25ff828c9c0e597aadd50ffd5a30dfac149b105f72a97095173226a3be376c9c8def745d172f8f2d

Download Submit
C:\Windows\SysWOW64\Bpniaool.exe

Filesize
81KB

MD5
b457fc2cee323e461dc9c76f9a6b2e16

SHA1
6b740877a2ee944da6c505a9ded28b6c39e88b81

SHA256
2cacfb6e58ba40b77d2f67cbc81d0bc478780f075cf3b0d7ef4f2bd5553ebf83

SHA512
7096c8f5ccc75b7ae1087f18f561c7db05e69ef7c975f3df25ff828c9c0e597aadd50ffd5a30dfac149b105f72a97095173226a3be376c9c8def745d172f8f2d

Download Submit
C:\Windows\SysWOW64\Bpomoc32.exe

Filesize
81KB

MD5
c6d66e4e8394db8523e81b02aba778b9

SHA1
6532004cd7d9e363b01c203bdfd05b6bc64f2c75

SHA256
867e959a0c262885015c15857687fbe2b390ba41e746ea823802fa79ad49a988

SHA512
1de3bdc7ad9c5489db51893dd4c9deec8b1337f3cfbbcb327b6f27325d04baf153d4462ba018c9ecf33308d49ef49a56eb255c326452961fd6dd46d7eb7161ef

Download Submit
C:\Windows\SysWOW64\Bpomoc32.exe

Filesize
81KB

MD5
c6d66e4e8394db8523e81b02aba778b9

SHA1
6532004cd7d9e363b01c203bdfd05b6bc64f2c75

SHA256
867e959a0c262885015c15857687fbe2b390ba41e746ea823802fa79ad49a988

SHA512
1de3bdc7ad9c5489db51893dd4c9deec8b1337f3cfbbcb327b6f27325d04baf153d4462ba018c9ecf33308d49ef49a56eb255c326452961fd6dd46d7eb7161ef

Download Submit
C:\Windows\SysWOW64\Cifmjd32.exe

Filesize
81KB

MD5
305840f08c33bdf90a2e660c60692196

SHA1
45f1585dd082bb191a85feae92f2740579f8a57f

SHA256
3db354a491dd304d4f5251a07bf3ce6133bfb7dfe83332fef28a331253456faf

SHA512
7003bc824039515ca447f691c83669938c31b286ba24c82f349aa5d20ff504ba12129447b78901b22ae53a8750c516c4f240443109034216f25e3cbedcdb9f20

Download Submit
C:\Windows\SysWOW64\Cifmjd32.exe

Filesize
81KB

MD5
305840f08c33bdf90a2e660c60692196

SHA1
45f1585dd082bb191a85feae92f2740579f8a57f

SHA256
3db354a491dd304d4f5251a07bf3ce6133bfb7dfe83332fef28a331253456faf

SHA512
7003bc824039515ca447f691c83669938c31b286ba24c82f349aa5d20ff504ba12129447b78901b22ae53a8750c516c4f240443109034216f25e3cbedcdb9f20

Download Submit
C:\Windows\SysWOW64\Cjomeikm.exe

Filesize
81KB

MD5
8c5b189aa0e0a1a0465dddc00159158a

SHA1
d06d1c6b5abb232e77d9847e14ef939a6d408dea

SHA256
717b98f6b1d0a9eae1bb5742394854d364a5c31121d25812a0040edad582a819

SHA512
877c1ce56b86d493ac4c150b039ca05e82129405533e5dc5288f1c1b9482e5abfc9b07b074963015d3e25c2727484617283f60723fad6055c56fe5075aeaa1f4

Download Submit
C:\Windows\SysWOW64\Cjomeikm.exe

Filesize
81KB

MD5
22e96c261330a92d49e3219dcf1a32d5

SHA1
be502fad40b54e4545b1d3c2cdec833969ff6b14

SHA256
cdf34dbb02110db276baa9fbc7973dd2b9ae24be46d38dc4ef2a5a67893739e6

SHA512
440435f8ea1591c84a354c516c45d78c453d6f4688db4dedd043da1e10a17ede7311de5d07e23001e4bf5e7f5ec920692af677124727a91182e5362f80544f43

Download Submit
C:\Windows\SysWOW64\Cjomeikm.exe

Filesize
81KB

MD5
22e96c261330a92d49e3219dcf1a32d5

SHA1
be502fad40b54e4545b1d3c2cdec833969ff6b14

SHA256
cdf34dbb02110db276baa9fbc7973dd2b9ae24be46d38dc4ef2a5a67893739e6

SHA512
440435f8ea1591c84a354c516c45d78c453d6f4688db4dedd043da1e10a17ede7311de5d07e23001e4bf5e7f5ec920692af677124727a91182e5362f80544f43

Download Submit
C:\Windows\SysWOW64\Cmdfpbkc.exe

Filesize
81KB

MD5
e97099ecc40f7d7eb558d0454c5ae65d

SHA1
85e7264675638828b5d433d6eea21d2319147c33

SHA256
2018e2d42d2acf28992286bc9b6120145c262d3ec0abd9ab57ec2181ac82c0bb

SHA512
5e1f864ec9bc703b3177b23901c4ee86d6992ca607d34eb679454407aa625f98beea9bd9c2a4b15e7f9fcd3d26bf1a31601a6bf53fcf04570140b9b55971316e

Download Submit
C:\Windows\SysWOW64\Cmdfpbkc.exe

Filesize
81KB

MD5
e97099ecc40f7d7eb558d0454c5ae65d

SHA1
85e7264675638828b5d433d6eea21d2319147c33

SHA256
2018e2d42d2acf28992286bc9b6120145c262d3ec0abd9ab57ec2181ac82c0bb

SHA512
5e1f864ec9bc703b3177b23901c4ee86d6992ca607d34eb679454407aa625f98beea9bd9c2a4b15e7f9fcd3d26bf1a31601a6bf53fcf04570140b9b55971316e

Download Submit
C:\Windows\SysWOW64\Cqkkmmmk.exe

Filesize
81KB

MD5
c6a1e44dbeafc2968d3bae4e19125f67

SHA1
d7c5f7799c0581985a2670a8f3706a032c83eae1

SHA256
4f34d4d1e37b245e8b0ecf85a2e0061aad808781477ddec7331f2bbf76ea375b

SHA512
4786de34c34887a9f8cf6a0b551d5b8183a4030caecdb329c6b775c7e678f65ee5662af28528e8897e3a2e65cc68764d792869b37126f3e968542b42026d8567

Download Submit
C:\Windows\SysWOW64\Cqkkmmmk.exe

Filesize
81KB

MD5
c6a1e44dbeafc2968d3bae4e19125f67

SHA1
d7c5f7799c0581985a2670a8f3706a032c83eae1

SHA256
4f34d4d1e37b245e8b0ecf85a2e0061aad808781477ddec7331f2bbf76ea375b

SHA512
4786de34c34887a9f8cf6a0b551d5b8183a4030caecdb329c6b775c7e678f65ee5662af28528e8897e3a2e65cc68764d792869b37126f3e968542b42026d8567

Download Submit
C:\Windows\SysWOW64\Djcoko32.exe

Filesize
81KB

MD5
0e3a1c9e140f52180366829d7a1c751d

SHA1
f804bf4978d23c6ffe4540ae36097ba5c3e81aea

SHA256
a63e9c1cc633c20b2e566e372186413b8933add20d11399ee3b2a5169324484d

SHA512
72864adc22c3408c3cf8bd0a924ac395e892bd44684ec29b94a3b8d783d9d0659ac906248940ae5ead7990eafed48c7227bc4657808bd0ca380cf25289f7782f

Download Submit
C:\Windows\SysWOW64\Djcoko32.exe

Filesize
81KB

MD5
0e3a1c9e140f52180366829d7a1c751d

SHA1
f804bf4978d23c6ffe4540ae36097ba5c3e81aea

SHA256
a63e9c1cc633c20b2e566e372186413b8933add20d11399ee3b2a5169324484d

SHA512
72864adc22c3408c3cf8bd0a924ac395e892bd44684ec29b94a3b8d783d9d0659ac906248940ae5ead7990eafed48c7227bc4657808bd0ca380cf25289f7782f

Download Submit
C:\Windows\SysWOW64\Fnjmog32.exe

Filesize
81KB

MD5
71e8d0ed86ddd3489d8ae616da7fdeb7

SHA1
45ba34abc075a66c5e76f972fe3b82541f994439

SHA256
16632f3a930563e89480fb39406995132f97d2bf9078a5150479b5aa5b537684

SHA512
1312aaa2ebfdc3e5a4bcf0561d4a7d66c57de9f6683d7bcf0da9eaaebe704d99a9c9927d7310c4286948c3071731933b8d310912029025826a72348fc47c9613

Download Submit
C:\Windows\SysWOW64\Fnjmog32.exe

Filesize
81KB

MD5
71e8d0ed86ddd3489d8ae616da7fdeb7

SHA1
45ba34abc075a66c5e76f972fe3b82541f994439

SHA256
16632f3a930563e89480fb39406995132f97d2bf9078a5150479b5aa5b537684

SHA512
1312aaa2ebfdc3e5a4bcf0561d4a7d66c57de9f6683d7bcf0da9eaaebe704d99a9c9927d7310c4286948c3071731933b8d310912029025826a72348fc47c9613

Download Submit
C:\Windows\SysWOW64\Fnjmog32.exe

Filesize
81KB

MD5
71e8d0ed86ddd3489d8ae616da7fdeb7

SHA1
45ba34abc075a66c5e76f972fe3b82541f994439

SHA256
16632f3a930563e89480fb39406995132f97d2bf9078a5150479b5aa5b537684

SHA512
1312aaa2ebfdc3e5a4bcf0561d4a7d66c57de9f6683d7bcf0da9eaaebe704d99a9c9927d7310c4286948c3071731933b8d310912029025826a72348fc47c9613

Download Submit
C:\Windows\SysWOW64\Gfaaogcg.exe

Filesize
81KB

MD5
087c098e56ed60dd12fb5f70e6114570

SHA1
f9bb67aa90ba806e13a20519b368515418e19c70

SHA256
a2fde0ff4b900f80a6ef309d9858e9bfa1e44df4497e88dc5ab178c1929e8498

SHA512
0f38c9f1535a753243c529a825a4ba462907e67fc16e326342944fc7546a684bc93663027bb70f674a3cd8d9e292d78fa3fe9357b027ec87aa2d20c4698be396

Download Submit
C:\Windows\SysWOW64\Gfaaogcg.exe

Filesize
81KB

MD5
087c098e56ed60dd12fb5f70e6114570

SHA1
f9bb67aa90ba806e13a20519b368515418e19c70

SHA256
a2fde0ff4b900f80a6ef309d9858e9bfa1e44df4497e88dc5ab178c1929e8498

SHA512
0f38c9f1535a753243c529a825a4ba462907e67fc16e326342944fc7546a684bc93663027bb70f674a3cd8d9e292d78fa3fe9357b027ec87aa2d20c4698be396

Download Submit
C:\Windows\SysWOW64\Gfaaogcg.exe

Filesize
81KB

MD5
087c098e56ed60dd12fb5f70e6114570

SHA1
f9bb67aa90ba806e13a20519b368515418e19c70

SHA256
a2fde0ff4b900f80a6ef309d9858e9bfa1e44df4497e88dc5ab178c1929e8498

SHA512
0f38c9f1535a753243c529a825a4ba462907e67fc16e326342944fc7546a684bc93663027bb70f674a3cd8d9e292d78fa3fe9357b027ec87aa2d20c4698be396

Download Submit
C:\Windows\SysWOW64\Ggldnkoo.exe

Filesize
81KB

MD5
8bc33d817d581b1d9fc8134db7d8dc44

SHA1
1ee7c6ccb144493b2f5ead38e8e184e433e81a8e

SHA256
941b0e2f923616c512a26fdbd69f2e23e5b20a17f3c23d9831c3fe22661e267d

SHA512
07e989ad0a6dc1c232f6f61f9ea8586ec859a05a8a6fb2e543c1fa8ba3565765b415e2779f81aa5bc8d4da21c8f59f5db2101a0b4d797a11f38431a436f6d462

Download Submit
C:\Windows\SysWOW64\Ggldnkoo.exe

Filesize
81KB

MD5
8bc33d817d581b1d9fc8134db7d8dc44

SHA1
1ee7c6ccb144493b2f5ead38e8e184e433e81a8e

SHA256
941b0e2f923616c512a26fdbd69f2e23e5b20a17f3c23d9831c3fe22661e267d

SHA512
07e989ad0a6dc1c232f6f61f9ea8586ec859a05a8a6fb2e543c1fa8ba3565765b415e2779f81aa5bc8d4da21c8f59f5db2101a0b4d797a11f38431a436f6d462

Download Submit
C:\Windows\SysWOW64\Gjjqjfnc.exe

Filesize
81KB

MD5
78382b3162b639327f52cc76f82e785d

SHA1
2761472c117744bbbde0c98447450a6200499023

SHA256
6ef16fabb46d96e8572a8daac851ebdb303088f0d6dc3d709e74931797671e71

SHA512
c07496ddf5c3aef9caadd12c0712a9534573f06562b637e7f258dd52c5861246ec4ed3357022f50cb8ad747f4b3be9bc4de517d06fae9661a386e14568308849

Download Submit
C:\Windows\SysWOW64\Gjjqjfnc.exe

Filesize
81KB

MD5
78382b3162b639327f52cc76f82e785d

SHA1
2761472c117744bbbde0c98447450a6200499023

SHA256
6ef16fabb46d96e8572a8daac851ebdb303088f0d6dc3d709e74931797671e71

SHA512
c07496ddf5c3aef9caadd12c0712a9534573f06562b637e7f258dd52c5861246ec4ed3357022f50cb8ad747f4b3be9bc4de517d06fae9661a386e14568308849

Download Submit
C:\Windows\SysWOW64\Ihhejjce.exe

Filesize
81KB

MD5
311686a879b264586a6f1d807c7540ac

SHA1
f59d6b1e22b9eb65124127a8a13806ec3f559954

SHA256
d74da0ad9c49fb06c0b55ea1797269ca345764f584b81ab8b185df1273e8589d

SHA512
f2a7dcd5012056d2f372b4e2ef23880be0d170844b9185601a74c0b0c03f04c026228aaa431243423f6daf6b85e756a3ae8103788396201f919d0ac69755840c

Download Submit
C:\Windows\SysWOW64\Ihhejjce.exe

Filesize
81KB

MD5
311686a879b264586a6f1d807c7540ac

SHA1
f59d6b1e22b9eb65124127a8a13806ec3f559954

SHA256
d74da0ad9c49fb06c0b55ea1797269ca345764f584b81ab8b185df1273e8589d

SHA512
f2a7dcd5012056d2f372b4e2ef23880be0d170844b9185601a74c0b0c03f04c026228aaa431243423f6daf6b85e756a3ae8103788396201f919d0ac69755840c

Download Submit
C:\Windows\SysWOW64\Imlime32.exe

Filesize
81KB

MD5
6f6020645cc289660b4cfb0d3f7fba4e

SHA1
f3dd74a6cf4f1eed24f14d091f47664f253cc8c3

SHA256
5b0788433e94f393313bec80d8a070575b939abb2c90f09fc9b55d15bc920eff

SHA512
2eaa9e3947083cf75a079a0cdbc30205f93500788b641cbd8c4ac0614c1836043f3575b305d5e3a8584c5fef124c056a85493df27dd4a1d297cc356fd34d7b67

Download Submit
C:\Windows\SysWOW64\Imlime32.exe

Filesize
81KB

MD5
6f6020645cc289660b4cfb0d3f7fba4e

SHA1
f3dd74a6cf4f1eed24f14d091f47664f253cc8c3

SHA256
5b0788433e94f393313bec80d8a070575b939abb2c90f09fc9b55d15bc920eff

SHA512
2eaa9e3947083cf75a079a0cdbc30205f93500788b641cbd8c4ac0614c1836043f3575b305d5e3a8584c5fef124c056a85493df27dd4a1d297cc356fd34d7b67

Download Submit
C:\Windows\SysWOW64\Khfdedfp.exe

Filesize
81KB

MD5
7333b3913ec69bee5e41bec56896c500

SHA1
132a9c70adf1975cba0c8f59e8709a18322037f4

SHA256
8b963f133b40c8d5808bd8e592368b56b542a979322cb7b445b8ddd5f41cc373

SHA512
7fe043092e00b546c28349b712d147f184f9f692b885a2a6a5d5c3457fc2f629b3920386c4826c971890141cb7eb31197268e397e01ae9f1135276e96f9d8055

Download Submit
C:\Windows\SysWOW64\Khfdedfp.exe

Filesize
81KB

MD5
7333b3913ec69bee5e41bec56896c500

SHA1
132a9c70adf1975cba0c8f59e8709a18322037f4

SHA256
8b963f133b40c8d5808bd8e592368b56b542a979322cb7b445b8ddd5f41cc373

SHA512
7fe043092e00b546c28349b712d147f184f9f692b885a2a6a5d5c3457fc2f629b3920386c4826c971890141cb7eb31197268e397e01ae9f1135276e96f9d8055

Download Submit
C:\Windows\SysWOW64\Kjblcj32.exe

Filesize
81KB

MD5
a34fb4cd31b832b6884033e0dfb8f76f

SHA1
e90338242bf7af7ea95d12f438c025e1ddfd693b

SHA256
6aee61a7b2965ca09896812a57849d2a92e757649391db330c85a2f5b763db1e

SHA512
998934c254b5f1c54cdeadee89f7f21e086a84732fd7800197c995f830b0ec404b46db93f1dbf1ae967fcec7234a380d5b179789392ce98ade411ff6581bac36

Download Submit
C:\Windows\SysWOW64\Kjblcj32.exe

Filesize
81KB

MD5
a34fb4cd31b832b6884033e0dfb8f76f

SHA1
e90338242bf7af7ea95d12f438c025e1ddfd693b

SHA256
6aee61a7b2965ca09896812a57849d2a92e757649391db330c85a2f5b763db1e

SHA512
998934c254b5f1c54cdeadee89f7f21e086a84732fd7800197c995f830b0ec404b46db93f1dbf1ae967fcec7234a380d5b179789392ce98ade411ff6581bac36

Download Submit
C:\Windows\SysWOW64\Kndodehf.exe

Filesize
81KB

MD5
90d13a5dd4f0b0929abf531efd3e9786

SHA1
ace5421b23f69f5b9764a3917935cfbc1452a902

SHA256
81bacf480e801809be1ae8377fc837a77394d331c2b66ec516325c9d814407a0

SHA512
f6d9efb4f09bf997b949b11ee8641c9979453779f949c62ea1c5d7bf7897186312e476210b35495972257ddbf6513e289c4e5ed27bafcc2c5de0297484164cbd

Download Submit
C:\Windows\SysWOW64\Kndodehf.exe

Filesize
81KB

MD5
90d13a5dd4f0b0929abf531efd3e9786

SHA1
ace5421b23f69f5b9764a3917935cfbc1452a902

SHA256
81bacf480e801809be1ae8377fc837a77394d331c2b66ec516325c9d814407a0

SHA512
f6d9efb4f09bf997b949b11ee8641c9979453779f949c62ea1c5d7bf7897186312e476210b35495972257ddbf6513e289c4e5ed27bafcc2c5de0297484164cbd

Download Submit
C:\Windows\SysWOW64\Kndodehf.exe

Filesize
81KB

MD5
90d13a5dd4f0b0929abf531efd3e9786

SHA1
ace5421b23f69f5b9764a3917935cfbc1452a902

SHA256
81bacf480e801809be1ae8377fc837a77394d331c2b66ec516325c9d814407a0

SHA512
f6d9efb4f09bf997b949b11ee8641c9979453779f949c62ea1c5d7bf7897186312e476210b35495972257ddbf6513e289c4e5ed27bafcc2c5de0297484164cbd

Download Submit
C:\Windows\SysWOW64\Mdblhcmk.exe

Filesize
81KB

MD5
aaea6fe2bdc40d4f5096598f39f247c6

SHA1
611b943f604246aab01a55be448d9a33566faba6

SHA256
ef896d8f4b7ea85d64529efeb6648bb8c0fbedcb64d09e2d47d593291fd8a362

SHA512
2397a359c05a64b8ace81289ab0f16aa89bdb7259a0e122e45de9880516cc096f5dcbba5b834fac4adc8cfe108f12a75e7996fa7c5d80ae99fd029159d7d9508

Download Submit
C:\Windows\SysWOW64\Mdblhcmk.exe

Filesize
81KB

MD5
aaea6fe2bdc40d4f5096598f39f247c6

SHA1
611b943f604246aab01a55be448d9a33566faba6

SHA256
ef896d8f4b7ea85d64529efeb6648bb8c0fbedcb64d09e2d47d593291fd8a362

SHA512
2397a359c05a64b8ace81289ab0f16aa89bdb7259a0e122e45de9880516cc096f5dcbba5b834fac4adc8cfe108f12a75e7996fa7c5d80ae99fd029159d7d9508

Download Submit
C:\Windows\SysWOW64\Mlooef32.exe

Filesize
81KB

MD5
dfc96a07d0d5b118e342ac01eeb93502

SHA1
9fc378b358b3268391b821f1e5db7d62c784e02a

SHA256
ce80cd6254a4bdb51aa29dbfb7786747876871d8e6acf8bc87fa36926637e1c4

SHA512
5556cf844444e582d61a491407dec063e7abdbd10fa5f9b3793390f833dd6d8b257a3e92525e26d41b2e177f9bdf28543d56b7c74b7e33c0cada7e6bf6eb48a7

Download Submit
C:\Windows\SysWOW64\Mlooef32.exe

Filesize
81KB

MD5
dfc96a07d0d5b118e342ac01eeb93502

SHA1
9fc378b358b3268391b821f1e5db7d62c784e02a

SHA256
ce80cd6254a4bdb51aa29dbfb7786747876871d8e6acf8bc87fa36926637e1c4

SHA512
5556cf844444e582d61a491407dec063e7abdbd10fa5f9b3793390f833dd6d8b257a3e92525e26d41b2e177f9bdf28543d56b7c74b7e33c0cada7e6bf6eb48a7

Download Submit
C:\Windows\SysWOW64\Njhenp32.exe

Filesize
81KB

MD5
2d946baf4f9c73b4e3a6f78b7b10b723

SHA1
a20596988115098d56370e4fc97c00780e4f3a0d

SHA256
5bc8b9ff1a40af0c2179e0be957c6dfafd5a36fc1f642811b60fbc1b01afde49

SHA512
396d3571f1e6cd46e85e94bb261c694275535c8af4468782c6de712f26c5f61c5b2bf888c6bb4f23580a705f8c21b3d7564aa9d34837b55c00844f875df97e06

Download Submit
C:\Windows\SysWOW64\Njhenp32.exe

Filesize
81KB

MD5
2d946baf4f9c73b4e3a6f78b7b10b723

SHA1
a20596988115098d56370e4fc97c00780e4f3a0d

SHA256
5bc8b9ff1a40af0c2179e0be957c6dfafd5a36fc1f642811b60fbc1b01afde49

SHA512
396d3571f1e6cd46e85e94bb261c694275535c8af4468782c6de712f26c5f61c5b2bf888c6bb4f23580a705f8c21b3d7564aa9d34837b55c00844f875df97e06

Download Submit
C:\Windows\SysWOW64\Nkpbie32.exe

Filesize
81KB

MD5
8c5b189aa0e0a1a0465dddc00159158a

SHA1
d06d1c6b5abb232e77d9847e14ef939a6d408dea

SHA256
717b98f6b1d0a9eae1bb5742394854d364a5c31121d25812a0040edad582a819

SHA512
877c1ce56b86d493ac4c150b039ca05e82129405533e5dc5288f1c1b9482e5abfc9b07b074963015d3e25c2727484617283f60723fad6055c56fe5075aeaa1f4

Download Submit
C:\Windows\SysWOW64\Nkpbie32.exe

Filesize
81KB

MD5
8c5b189aa0e0a1a0465dddc00159158a

SHA1
d06d1c6b5abb232e77d9847e14ef939a6d408dea

SHA256
717b98f6b1d0a9eae1bb5742394854d364a5c31121d25812a0040edad582a819

SHA512
877c1ce56b86d493ac4c150b039ca05e82129405533e5dc5288f1c1b9482e5abfc9b07b074963015d3e25c2727484617283f60723fad6055c56fe5075aeaa1f4

Download Submit
C:\Windows\SysWOW64\Oegejc32.exe

Filesize
81KB

MD5
dc5380e9c1c92ce314cff18019f1205d

SHA1
3a494f35e431c10c2f36f0665822dfa6bccc017f

SHA256
f28e553fa144ea1b61ba1c511052c47993bfe3db2cb3aae9b6063932cb649eee

SHA512
03ec278d37eb28a7510b18e0d88e8415fb802a9176556f7a4fa5ca0ac882c7ebf0903389f9584b435a6c8d49ed8c9179115afe8b2732a53461995f1ee6a4c0e2

Download Submit
C:\Windows\SysWOW64\Oegejc32.exe

Filesize
81KB

MD5
dc5380e9c1c92ce314cff18019f1205d

SHA1
3a494f35e431c10c2f36f0665822dfa6bccc017f

SHA256
f28e553fa144ea1b61ba1c511052c47993bfe3db2cb3aae9b6063932cb649eee

SHA512
03ec278d37eb28a7510b18e0d88e8415fb802a9176556f7a4fa5ca0ac882c7ebf0903389f9584b435a6c8d49ed8c9179115afe8b2732a53461995f1ee6a4c0e2

Download Submit
C:\Windows\SysWOW64\Oegejc32.exe

Filesize
81KB

MD5
dc5380e9c1c92ce314cff18019f1205d

SHA1
3a494f35e431c10c2f36f0665822dfa6bccc017f

SHA256
f28e553fa144ea1b61ba1c511052c47993bfe3db2cb3aae9b6063932cb649eee

SHA512
03ec278d37eb28a7510b18e0d88e8415fb802a9176556f7a4fa5ca0ac882c7ebf0903389f9584b435a6c8d49ed8c9179115afe8b2732a53461995f1ee6a4c0e2

Download Submit
C:\Windows\SysWOW64\Olicbp32.exe

Filesize
81KB

MD5
1c3ed16fdc8ade1c3aa10b0e299db588

SHA1
27b1c09ad1bd64ced06d7e67603529e8f01ea384

SHA256
77d2ae9f629c3b1bc1583385038c9d855585ca0430d5b92c9d40fd388eea7eff

SHA512
3ff40b18709d994467a0e06ef50bffd3d2c75b4633ba662aade24d3735c4d4d0df9f70fd09c1dc34d9e94d93b30f14b5ba71035790346c1c82f71c7f2cb72505

Download Submit
C:\Windows\SysWOW64\Olicbp32.exe

Filesize
81KB

MD5
1c3ed16fdc8ade1c3aa10b0e299db588

SHA1
27b1c09ad1bd64ced06d7e67603529e8f01ea384

SHA256
77d2ae9f629c3b1bc1583385038c9d855585ca0430d5b92c9d40fd388eea7eff

SHA512
3ff40b18709d994467a0e06ef50bffd3d2c75b4633ba662aade24d3735c4d4d0df9f70fd09c1dc34d9e94d93b30f14b5ba71035790346c1c82f71c7f2cb72505

Download Submit
C:\Windows\SysWOW64\Onochbjl.exe

Filesize
81KB

MD5
817344a4244226b6ac0782ab7fae7965

SHA1
fbf34527774db6ad07e406c2c5fae1eabb4b579e

SHA256
9483f916c99da8c2605659a324fa61c6b3fc319dbd4acda8f53ef92fb1f5ae31

SHA512
b8c163a55d51ca240da87dc8c41b724a4162abb4918c52567cfbb70d846b719577d815ea174de4d1d69cd150985bde32cb9ee69d0b8ba7ae8f92334682b9a3c9

Download Submit
C:\Windows\SysWOW64\Onochbjl.exe

Filesize
81KB

MD5
817344a4244226b6ac0782ab7fae7965

SHA1
fbf34527774db6ad07e406c2c5fae1eabb4b579e

SHA256
9483f916c99da8c2605659a324fa61c6b3fc319dbd4acda8f53ef92fb1f5ae31

SHA512
b8c163a55d51ca240da87dc8c41b724a4162abb4918c52567cfbb70d846b719577d815ea174de4d1d69cd150985bde32cb9ee69d0b8ba7ae8f92334682b9a3c9

Download Submit
C:\Windows\SysWOW64\Opnbjk32.exe

Filesize
81KB

MD5
c3e13cfe5018404eb1789c6a29b4b02d

SHA1
3480288cca1239fe6d5fef521c4eefc57022cf2d

SHA256
9b636493bbed4e08c523b609f3d964e347eb4108cd80661f8acbc8b830fe88f2

SHA512
f8e513022c407717db838655f692655cb2f8048443cd724f23534860630eef6b2078744bc187fe7921437653b8a1ebb40c0ee3ccbc779939defb438a149335b0

Download Submit
C:\Windows\SysWOW64\Opnbjk32.exe

Filesize
81KB

MD5
c3e13cfe5018404eb1789c6a29b4b02d

SHA1
3480288cca1239fe6d5fef521c4eefc57022cf2d

SHA256
9b636493bbed4e08c523b609f3d964e347eb4108cd80661f8acbc8b830fe88f2

SHA512
f8e513022c407717db838655f692655cb2f8048443cd724f23534860630eef6b2078744bc187fe7921437653b8a1ebb40c0ee3ccbc779939defb438a149335b0

Download Submit
C:\Windows\SysWOW64\Opqopj32.exe

Filesize
81KB

MD5
eed54041172f4c94e7ed0da3b159b798

SHA1
8bbb1fe693bcb1ea9039db8107d68c27ad6e380a

SHA256
2aefe2c18da55b1124a580119e8009badf37b950a1f48bc4d08f052916fac634

SHA512
178a4ffc9489c7de4691ee43ff15bc73256c8b00d45cf366b6e0890827d5c91dd9de4b3030329202d5e12f1c9dde3ae89bc08989f3155cf97bf0f1a591c12957

Download Submit
C:\Windows\SysWOW64\Opqopj32.exe

Filesize
81KB

MD5
eed54041172f4c94e7ed0da3b159b798

SHA1
8bbb1fe693bcb1ea9039db8107d68c27ad6e380a

SHA256
2aefe2c18da55b1124a580119e8009badf37b950a1f48bc4d08f052916fac634

SHA512
178a4ffc9489c7de4691ee43ff15bc73256c8b00d45cf366b6e0890827d5c91dd9de4b3030329202d5e12f1c9dde3ae89bc08989f3155cf97bf0f1a591c12957

Download Submit
C:\Windows\SysWOW64\Pfmdbd32.exe

Filesize
81KB

MD5
72c0a1a18502cdfab4a93f0ad07d2d1e

SHA1
71d41794a8a3194683fdfa0128925d64117f6293

SHA256
24c823ad4c9180bd18cc70f7a6343287faa6384a2f4c17e59095f3d04d37ad27

SHA512
076a3f0bc8d7656bcf54d4e89ae72edf889826fd7ffe7f676e07b6e2f8e23a43536ab1be631720be2e9a55b03dc3c49b5b43fc1e058289fd269746366a375f42

Download Submit
C:\Windows\SysWOW64\Pfmdbd32.exe

Filesize
81KB

MD5
72c0a1a18502cdfab4a93f0ad07d2d1e

SHA1
71d41794a8a3194683fdfa0128925d64117f6293

SHA256
24c823ad4c9180bd18cc70f7a6343287faa6384a2f4c17e59095f3d04d37ad27

SHA512
076a3f0bc8d7656bcf54d4e89ae72edf889826fd7ffe7f676e07b6e2f8e23a43536ab1be631720be2e9a55b03dc3c49b5b43fc1e058289fd269746366a375f42

Download Submit
C:\Windows\SysWOW64\Pjaciafc.exe

Filesize
81KB

MD5
03ee85e6d47d50715266a3340bc9e95d

SHA1
b16403bee1764afba6274a74b5fad428bd5a5723

SHA256
af2ecd0e1d10c67873569a618eadaa62e21ebdd277c223c2341f7bfbf8976387

SHA512
f81c92f44a18d177fd0f17c58131c99a547ffb9df351d4aadcb346348b25ba6cf2609a254f77266aa1cfed399a37c9a958a1c64dc92b2c8dcfbdd7b275a9306c

Download Submit
C:\Windows\SysWOW64\Pjaciafc.exe

Filesize
81KB

MD5
03ee85e6d47d50715266a3340bc9e95d

SHA1
b16403bee1764afba6274a74b5fad428bd5a5723

SHA256
af2ecd0e1d10c67873569a618eadaa62e21ebdd277c223c2341f7bfbf8976387

SHA512
f81c92f44a18d177fd0f17c58131c99a547ffb9df351d4aadcb346348b25ba6cf2609a254f77266aa1cfed399a37c9a958a1c64dc92b2c8dcfbdd7b275a9306c

Download Submit
C:\Windows\SysWOW64\Pmnbpm32.exe

Filesize
81KB

MD5
afc734011976600444cc90fb3937ecba

SHA1
cfbef86ba1116da3392786fa801a3220ea6e5be3

SHA256
dbc9335a804f202bebb1df28ecf539eb73f41166fa5ed226eb87b45538c20bc4

SHA512
019aa0da0d4f64f96091705f53c3fc1e027755ca52caca07f8a9ae173cf1c57f88d49a6bd5b67e4b24ad9bd9f9df2a2ce8c4f3c0fae75cc418333df72eea3397

Download Submit
C:\Windows\SysWOW64\Pmnbpm32.exe

Filesize
81KB

MD5
afc734011976600444cc90fb3937ecba

SHA1
cfbef86ba1116da3392786fa801a3220ea6e5be3

SHA256
dbc9335a804f202bebb1df28ecf539eb73f41166fa5ed226eb87b45538c20bc4

SHA512
019aa0da0d4f64f96091705f53c3fc1e027755ca52caca07f8a9ae173cf1c57f88d49a6bd5b67e4b24ad9bd9f9df2a2ce8c4f3c0fae75cc418333df72eea3397

Download Submit
C:\Windows\SysWOW64\Qhfcbfdl.exe

Filesize
81KB

MD5
0b10dd49e27b7b439d3604f2d6d8d109

SHA1
a20008c452cd9bf294dd3a204958bf1ccd8fed7f

SHA256
9cdf9020db9ffe83503bc7d6d4bb3e314bd5f278c3e953808cdd421a07186bc8

SHA512
2b86c570f136a89f728d2cc73f63653179a39af4f6f3415bc9d60b295b916b2f9cf242e802b8985d48f61dfc2df11e4874e1a620dbf06ac4be6015511f5fc392

Download Submit
C:\Windows\SysWOW64\Qhfcbfdl.exe

Filesize
81KB

MD5
0b10dd49e27b7b439d3604f2d6d8d109

SHA1
a20008c452cd9bf294dd3a204958bf1ccd8fed7f

SHA256
9cdf9020db9ffe83503bc7d6d4bb3e314bd5f278c3e953808cdd421a07186bc8

SHA512
2b86c570f136a89f728d2cc73f63653179a39af4f6f3415bc9d60b295b916b2f9cf242e802b8985d48f61dfc2df11e4874e1a620dbf06ac4be6015511f5fc392

Download Submit
memory/416-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads