7bf857d596ed0a73f07fadf10b27843cd45336348a1d04a7d42a4fdf65b8e4dc

Analysis

max time kernel
137s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe
Size

85KB
MD5

feb8423a21492ce14ee547bfe8c3aadd
SHA1

d3e527e3eb47802b9fc8cf6f6d4c0dca4a3787e6
SHA256

7bf857d596ed0a73f07fadf10b27843cd45336348a1d04a7d42a4fdf65b8e4dc
SHA512

459f861cc3f58aaed3c2c4fd68aa85e9e1211fdbc6aadb790954c0ddfb602b6b5a36e56dcaec67997a4670805aa646617254e1ee599ccfd3d4f89e57f8b59ccd
SSDEEP

1536:OW9C8azYzO25Pcsf367aze+EqHpZ7e2LHrMQ262AjCsQ2PCZZrqOlNfVSLUK+:39hazh2RUwrjHrMQH2qC7ZQOlzSLUK+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpqlfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moefdljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbpnjdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icfmci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lehhqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkeipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cefoni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bboplo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ollljmhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbpnjdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ollljmhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lehhqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blnjecfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icfmci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpqlfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blgddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blnjecfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cifdjg32.exe

Executes dropped EXE 27 IoCs

pid	Process
3236	Gbpnjdkg.exe
2432	Hannao32.exe
4128	Icfmci32.exe
4428	Jaqcnl32.exe
2092	Jacpcl32.exe
3148	Jlidpe32.exe
2068	Kbjbnnfg.exe
1180	Lolcnman.exe
4916	Lehhqg32.exe
4720	Moefdljc.exe
316	Mebkge32.exe
5084	Nchhfild.exe
4624	Nkeipk32.exe
4176	Ollljmhg.exe
408	Ohhfknjf.exe
3372	Piolkm32.exe
2260	Qppkhfec.exe
4016	Aijlgkjq.exe
244	Ammnhilb.exe
1424	Bboplo32.exe
4840	Blgddd32.exe
4296	Blnjecfl.exe
1524	Cefoni32.exe
2340	Cifdjg32.exe
2920	Cpqlfa32.exe
1892	Dpefaq32.exe
2080	Dbkhnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hannao32.exe	Gbpnjdkg.exe
File created	C:\Windows\SysWOW64\Blnjecfl.exe	Blgddd32.exe
File opened for modification	C:\Windows\SysWOW64\Ammnhilb.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Cefnemqj.dll	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Bboplo32.exe	Ammnhilb.exe
File created	C:\Windows\SysWOW64\Mmhpkebp.dll	Ammnhilb.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dpefaq32.exe
File created	C:\Windows\SysWOW64\Kbjbnnfg.exe	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Mbdpdane.dll	Lolcnman.exe
File created	C:\Windows\SysWOW64\Hmmppdij.dll	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Gnggfhnm.dll	Nchhfild.exe
File created	C:\Windows\SysWOW64\Aiaeig32.dll	Nkeipk32.exe
File opened for modification	C:\Windows\SysWOW64\Ohhfknjf.exe	Ollljmhg.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbnnfg.exe	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Lolcnman.exe	Kbjbnnfg.exe
File opened for modification	C:\Windows\SysWOW64\Nkeipk32.exe	Nchhfild.exe
File opened for modification	C:\Windows\SysWOW64\Nchhfild.exe	Mebkge32.exe
File created	C:\Windows\SysWOW64\Kjmole32.dll	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Cimhefgb.dll	Piolkm32.exe
File created	C:\Windows\SysWOW64\Cefoni32.exe	Blnjecfl.exe
File opened for modification	C:\Windows\SysWOW64\Jacpcl32.exe	Jaqcnl32.exe
File opened for modification	C:\Windows\SysWOW64\Lehhqg32.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Jjigocdh.dll	Lehhqg32.exe
File created	C:\Windows\SysWOW64\Boipkd32.dll	Bboplo32.exe
File opened for modification	C:\Windows\SysWOW64\Lolcnman.exe	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Lehhqg32.exe	Lolcnman.exe
File opened for modification	C:\Windows\SysWOW64\Qppkhfec.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Nkeipk32.exe	Nchhfild.exe
File created	C:\Windows\SysWOW64\Blgddd32.exe	Bboplo32.exe
File opened for modification	C:\Windows\SysWOW64\Blgddd32.exe	Bboplo32.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpefaq32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpefaq32.exe
File opened for modification	C:\Windows\SysWOW64\Jaqcnl32.exe	Icfmci32.exe
File created	C:\Windows\SysWOW64\Oofial32.dll	Kbjbnnfg.exe
File opened for modification	C:\Windows\SysWOW64\Moefdljc.exe	Lehhqg32.exe
File created	C:\Windows\SysWOW64\Dpefaq32.exe	Cpqlfa32.exe
File created	C:\Windows\SysWOW64\Nchhfild.exe	Mebkge32.exe
File created	C:\Windows\SysWOW64\Ammnhilb.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Kcgmiidl.dll	Cefoni32.exe
File created	C:\Windows\SysWOW64\Lgkkbg32.dll	Blnjecfl.exe
File created	C:\Windows\SysWOW64\Flbldfbp.dll	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe
File created	C:\Windows\SysWOW64\Obcckehh.dll	Hannao32.exe
File created	C:\Windows\SysWOW64\Ollljmhg.exe	Nkeipk32.exe
File opened for modification	C:\Windows\SysWOW64\Cifdjg32.exe	Cefoni32.exe
File opened for modification	C:\Windows\SysWOW64\Hannao32.exe	Gbpnjdkg.exe
File created	C:\Windows\SysWOW64\Hlcfmhdo.dll	Gbpnjdkg.exe
File created	C:\Windows\SysWOW64\Icfmci32.exe	Hannao32.exe
File created	C:\Windows\SysWOW64\Qppkhfec.exe	Piolkm32.exe
File opened for modification	C:\Windows\SysWOW64\Blnjecfl.exe	Blgddd32.exe
File opened for modification	C:\Windows\SysWOW64\Jlidpe32.exe	Jacpcl32.exe
File created	C:\Windows\SysWOW64\Cmkjoj32.dll	Jacpcl32.exe
File created	C:\Windows\SysWOW64\Moefdljc.exe	Lehhqg32.exe
File created	C:\Windows\SysWOW64\Jlidpe32.exe	Jacpcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mebkge32.exe	Moefdljc.exe
File opened for modification	C:\Windows\SysWOW64\Cpqlfa32.exe	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Cifdjg32.exe	Cefoni32.exe
File created	C:\Windows\SysWOW64\Gbpnjdkg.exe	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe
File opened for modification	C:\Windows\SysWOW64\Icfmci32.exe	Hannao32.exe
File opened for modification	C:\Windows\SysWOW64\Piolkm32.exe	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Aojbfccl.dll	Moefdljc.exe
File opened for modification	C:\Windows\SysWOW64\Ollljmhg.exe	Nkeipk32.exe
File opened for modification	C:\Windows\SysWOW64\Bboplo32.exe	Ammnhilb.exe
File opened for modification	C:\Windows\SysWOW64\Gbpnjdkg.exe	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe
File created	C:\Windows\SysWOW64\Kongimkh.dll	Icfmci32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4172	2080	WerFault.exe	111

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lehhqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ollljmhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmole32.dll"	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbpnjdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icfmci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojbfccl.dll"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcfmhdo.dll"	Gbpnjdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefnemqj.dll"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boipkd32.dll"	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgkkbg32.dll"	Blnjecfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjfm32.dll"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlidpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongimkh.dll"	Icfmci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bboplo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbdpdane.dll"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lehhqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obcckehh.dll"	Hannao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgmiidl.dll"	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmoqj32.dll"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofial32.dll"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnggfhnm.dll"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cefoni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpefaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbpnjdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mebkge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimhefgb.dll"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhpkebp.dll"	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbldfbp.dll"	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icfmci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkjoj32.dll"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiaeig32.dll"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqoppk32.dll"	Ollljmhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blgddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blnjecfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfbmfbn.dll"	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmnibme.dll"	Mebkge32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 3236	4860	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe	85
PID 4860 wrote to memory of 3236	4860	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe	85
PID 4860 wrote to memory of 3236	4860	NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe	85
PID 3236 wrote to memory of 2432	3236	Gbpnjdkg.exe	86
PID 3236 wrote to memory of 2432	3236	Gbpnjdkg.exe	86
PID 3236 wrote to memory of 2432	3236	Gbpnjdkg.exe	86
PID 2432 wrote to memory of 4128	2432	Hannao32.exe	87
PID 2432 wrote to memory of 4128	2432	Hannao32.exe	87
PID 2432 wrote to memory of 4128	2432	Hannao32.exe	87
PID 4128 wrote to memory of 4428	4128	Icfmci32.exe	88
PID 4128 wrote to memory of 4428	4128	Icfmci32.exe	88
PID 4128 wrote to memory of 4428	4128	Icfmci32.exe	88
PID 4428 wrote to memory of 2092	4428	Jaqcnl32.exe	89
PID 4428 wrote to memory of 2092	4428	Jaqcnl32.exe	89
PID 4428 wrote to memory of 2092	4428	Jaqcnl32.exe	89
PID 2092 wrote to memory of 3148	2092	Jacpcl32.exe	90
PID 2092 wrote to memory of 3148	2092	Jacpcl32.exe	90
PID 2092 wrote to memory of 3148	2092	Jacpcl32.exe	90
PID 3148 wrote to memory of 2068	3148	Jlidpe32.exe	91
PID 3148 wrote to memory of 2068	3148	Jlidpe32.exe	91
PID 3148 wrote to memory of 2068	3148	Jlidpe32.exe	91
PID 2068 wrote to memory of 1180	2068	Kbjbnnfg.exe	92
PID 2068 wrote to memory of 1180	2068	Kbjbnnfg.exe	92
PID 2068 wrote to memory of 1180	2068	Kbjbnnfg.exe	92
PID 1180 wrote to memory of 4916	1180	Lolcnman.exe	93
PID 1180 wrote to memory of 4916	1180	Lolcnman.exe	93
PID 1180 wrote to memory of 4916	1180	Lolcnman.exe	93
PID 4916 wrote to memory of 4720	4916	Lehhqg32.exe	94
PID 4916 wrote to memory of 4720	4916	Lehhqg32.exe	94
PID 4916 wrote to memory of 4720	4916	Lehhqg32.exe	94
PID 4720 wrote to memory of 316	4720	Moefdljc.exe	95
PID 4720 wrote to memory of 316	4720	Moefdljc.exe	95
PID 4720 wrote to memory of 316	4720	Moefdljc.exe	95
PID 316 wrote to memory of 5084	316	Mebkge32.exe	96
PID 316 wrote to memory of 5084	316	Mebkge32.exe	96
PID 316 wrote to memory of 5084	316	Mebkge32.exe	96
PID 5084 wrote to memory of 4624	5084	Nchhfild.exe	97
PID 5084 wrote to memory of 4624	5084	Nchhfild.exe	97
PID 5084 wrote to memory of 4624	5084	Nchhfild.exe	97
PID 4624 wrote to memory of 4176	4624	Nkeipk32.exe	98
PID 4624 wrote to memory of 4176	4624	Nkeipk32.exe	98
PID 4624 wrote to memory of 4176	4624	Nkeipk32.exe	98
PID 4176 wrote to memory of 408	4176	Ollljmhg.exe	99
PID 4176 wrote to memory of 408	4176	Ollljmhg.exe	99
PID 4176 wrote to memory of 408	4176	Ollljmhg.exe	99
PID 408 wrote to memory of 3372	408	Ohhfknjf.exe	100
PID 408 wrote to memory of 3372	408	Ohhfknjf.exe	100
PID 408 wrote to memory of 3372	408	Ohhfknjf.exe	100
PID 3372 wrote to memory of 2260	3372	Piolkm32.exe	101
PID 3372 wrote to memory of 2260	3372	Piolkm32.exe	101
PID 3372 wrote to memory of 2260	3372	Piolkm32.exe	101
PID 2260 wrote to memory of 4016	2260	Qppkhfec.exe	102
PID 2260 wrote to memory of 4016	2260	Qppkhfec.exe	102
PID 2260 wrote to memory of 4016	2260	Qppkhfec.exe	102
PID 4016 wrote to memory of 244	4016	Aijlgkjq.exe	103
PID 4016 wrote to memory of 244	4016	Aijlgkjq.exe	103
PID 4016 wrote to memory of 244	4016	Aijlgkjq.exe	103
PID 244 wrote to memory of 1424	244	Ammnhilb.exe	104
PID 244 wrote to memory of 1424	244	Ammnhilb.exe	104
PID 244 wrote to memory of 1424	244	Ammnhilb.exe	104
PID 1424 wrote to memory of 4840	1424	Bboplo32.exe	105
PID 1424 wrote to memory of 4840	1424	Bboplo32.exe	105
PID 1424 wrote to memory of 4840	1424	Bboplo32.exe	105
PID 4840 wrote to memory of 4296	4840	Blgddd32.exe	106

C:\Users\Admin\AppData\Local\Temp\NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.feb8423a21492ce14ee547bfe8c3aadd_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\SysWOW64\Gbpnjdkg.exe
  C:\Windows\system32\Gbpnjdkg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\SysWOW64\Hannao32.exe
    C:\Windows\system32\Hannao32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\Icfmci32.exe
      C:\Windows\system32\Icfmci32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4128
    - - C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:244
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Blnjecfl.exe
        
        C:\Windows\system32\Blnjecfl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Cpqlfa32.exe
        
        C:\Windows\system32\Cpqlfa32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        28⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 400
        29⤵
        Program crash
        
        PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2080 -ip 2080
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aijlgkjq.exe

Filesize
85KB

MD5
28bdc505016e350d82000f0e370f9d7b

SHA1
4b26af412ac81d655999c0b8f0248eaae2b8cde4

SHA256
08f0237d9dcdda67a40989afe83cd1d5f868dea5e5330c699fd381d2f9ab0501

SHA512
e594ba84b249029aa280b82e21a5f13bc217033a976da1222e27d0509eddae86025971763df49be7e31e138f59a8610903c24cec5f11b5a1e4e04b036905904b

Download Submit
C:\Windows\SysWOW64\Aijlgkjq.exe

Filesize
85KB

MD5
28bdc505016e350d82000f0e370f9d7b

SHA1
4b26af412ac81d655999c0b8f0248eaae2b8cde4

SHA256
08f0237d9dcdda67a40989afe83cd1d5f868dea5e5330c699fd381d2f9ab0501

SHA512
e594ba84b249029aa280b82e21a5f13bc217033a976da1222e27d0509eddae86025971763df49be7e31e138f59a8610903c24cec5f11b5a1e4e04b036905904b

Download Submit
C:\Windows\SysWOW64\Ammnhilb.exe

Filesize
85KB

MD5
9ee87fcb3aae40222cbcb955c8867bf8

SHA1
6ff2dbefcc7692a7848c3cbd7dfbc547599f73ea

SHA256
b2422c78f17fde8f9f3f042ba72644f521b3b883ffe5d3605f200b28beea2a79

SHA512
ad73d3fc0b9e8a16bf694b99c90bc723c71ee46afae2b2b59079a814140473dafba3a6564f57c5cb4e90bdf95c1d15d183766e14f7a87f7cf60c53f7148b97c1

Download Submit
C:\Windows\SysWOW64\Ammnhilb.exe

Filesize
85KB

MD5
9ee87fcb3aae40222cbcb955c8867bf8

SHA1
6ff2dbefcc7692a7848c3cbd7dfbc547599f73ea

SHA256
b2422c78f17fde8f9f3f042ba72644f521b3b883ffe5d3605f200b28beea2a79

SHA512
ad73d3fc0b9e8a16bf694b99c90bc723c71ee46afae2b2b59079a814140473dafba3a6564f57c5cb4e90bdf95c1d15d183766e14f7a87f7cf60c53f7148b97c1

Download Submit
C:\Windows\SysWOW64\Ammnhilb.exe

Filesize
85KB

MD5
9ee87fcb3aae40222cbcb955c8867bf8

SHA1
6ff2dbefcc7692a7848c3cbd7dfbc547599f73ea

SHA256
b2422c78f17fde8f9f3f042ba72644f521b3b883ffe5d3605f200b28beea2a79

SHA512
ad73d3fc0b9e8a16bf694b99c90bc723c71ee46afae2b2b59079a814140473dafba3a6564f57c5cb4e90bdf95c1d15d183766e14f7a87f7cf60c53f7148b97c1

Download Submit
C:\Windows\SysWOW64\Bboplo32.exe

Filesize
85KB

MD5
c468e3a07c96ab71ecdf8bc4ee03ebbe

SHA1
4747765f48f86aec0228f68e283e176ac6e0f441

SHA256
11b86e2fc69e9c7bf03764ddb751ab66b1bd9654e0d155c6b2d0652ab6da9984

SHA512
f1a728af65881989ed27edeeb3bb2c24a2482f410ce8ec885ff583e3618e1525f07862d790fd92db391efd7ebb4f82138111a95f66070f606da33c0560336593

Download Submit
C:\Windows\SysWOW64\Bboplo32.exe

Filesize
85KB

MD5
c468e3a07c96ab71ecdf8bc4ee03ebbe

SHA1
4747765f48f86aec0228f68e283e176ac6e0f441

SHA256
11b86e2fc69e9c7bf03764ddb751ab66b1bd9654e0d155c6b2d0652ab6da9984

SHA512
f1a728af65881989ed27edeeb3bb2c24a2482f410ce8ec885ff583e3618e1525f07862d790fd92db391efd7ebb4f82138111a95f66070f606da33c0560336593

Download Submit
C:\Windows\SysWOW64\Blgddd32.exe

Filesize
85KB

MD5
c468e3a07c96ab71ecdf8bc4ee03ebbe

SHA1
4747765f48f86aec0228f68e283e176ac6e0f441

SHA256
11b86e2fc69e9c7bf03764ddb751ab66b1bd9654e0d155c6b2d0652ab6da9984

SHA512
f1a728af65881989ed27edeeb3bb2c24a2482f410ce8ec885ff583e3618e1525f07862d790fd92db391efd7ebb4f82138111a95f66070f606da33c0560336593

Download Submit
C:\Windows\SysWOW64\Blgddd32.exe

Filesize
85KB

MD5
2010b44c387d990d7c55c1e60b120c29

SHA1
d0288ac8e64a48016f271a1ef2e3157962649c47

SHA256
485572647e3b449a3037dc0b1735f32cd934a63329fd5925fc2eff492f26f896

SHA512
f893374c1ff6d044da6d103805bf824ccdabc1dcce5c671d028cdaf82acb61de805576683042fb9c92f57786b938a7db2c29f4130bf5695dee59d6667dcf73c2

Download Submit
C:\Windows\SysWOW64\Blgddd32.exe

Filesize
85KB

MD5
2010b44c387d990d7c55c1e60b120c29

SHA1
d0288ac8e64a48016f271a1ef2e3157962649c47

SHA256
485572647e3b449a3037dc0b1735f32cd934a63329fd5925fc2eff492f26f896

SHA512
f893374c1ff6d044da6d103805bf824ccdabc1dcce5c671d028cdaf82acb61de805576683042fb9c92f57786b938a7db2c29f4130bf5695dee59d6667dcf73c2

Download Submit
C:\Windows\SysWOW64\Blnjecfl.exe

Filesize
85KB

MD5
fc2361f7e91e0227f6ef103d0ec1dbf9

SHA1
46f071bc92d25610e2c1f6befe9d862906f99618

SHA256
7a701dfb69530d974357e12ed8aec6d4f973362ba29a830d694496a5c0d64616

SHA512
0e595b3abf516fd7efe02ca1bfd143670c142a566fe80eb28ab08c440409d968ef75a2e9e98a607773a5ef2d0d86c8882574fb04ca53ec2172782ae0de30297e

Download Submit
C:\Windows\SysWOW64\Blnjecfl.exe

Filesize
85KB

MD5
fc2361f7e91e0227f6ef103d0ec1dbf9

SHA1
46f071bc92d25610e2c1f6befe9d862906f99618

SHA256
7a701dfb69530d974357e12ed8aec6d4f973362ba29a830d694496a5c0d64616

SHA512
0e595b3abf516fd7efe02ca1bfd143670c142a566fe80eb28ab08c440409d968ef75a2e9e98a607773a5ef2d0d86c8882574fb04ca53ec2172782ae0de30297e

Download Submit
C:\Windows\SysWOW64\Cefoni32.exe

Filesize
85KB

MD5
90cf81c20ee340c034f87b483d182546

SHA1
a45072ac369e92c6432cec386b39e38e6837ecde

SHA256
9258e0fe993a4159ad81e2bb2848ddad875ead982ab31b8b85aefd6fa61d6d0d

SHA512
627aff5aa19ce9f86ec0d251fa30455a4cac9422ffe6ca3e3e9523f36e6ad6b848f26da901fd3ad4eb74be127f3ea81ebe87bc5378bd7b9e71fe2a04d71299c7

Download Submit
C:\Windows\SysWOW64\Cefoni32.exe

Filesize
85KB

MD5
90cf81c20ee340c034f87b483d182546

SHA1
a45072ac369e92c6432cec386b39e38e6837ecde

SHA256
9258e0fe993a4159ad81e2bb2848ddad875ead982ab31b8b85aefd6fa61d6d0d

SHA512
627aff5aa19ce9f86ec0d251fa30455a4cac9422ffe6ca3e3e9523f36e6ad6b848f26da901fd3ad4eb74be127f3ea81ebe87bc5378bd7b9e71fe2a04d71299c7

Download Submit
C:\Windows\SysWOW64\Cifdjg32.exe

Filesize
85KB

MD5
d87286bf439abe885565132e84e920aa

SHA1
79243da07e502eaf4b3f988f7900cb966a78a0b2

SHA256
24c6a82dccbf42bf4a05fbbbb6360046465577f1c68c99a92dbcadd0f4c1a6c0

SHA512
98c87c1254004886f9647d97f22272e88ed2bc41d01d72e501148c413c9cce75674ea6b7a4cb8c6be949d225011d116f4b4e73bb418bad46e014e938ac029aaf

Download Submit
C:\Windows\SysWOW64\Cifdjg32.exe

Filesize
85KB

MD5
d87286bf439abe885565132e84e920aa

SHA1
79243da07e502eaf4b3f988f7900cb966a78a0b2

SHA256
24c6a82dccbf42bf4a05fbbbb6360046465577f1c68c99a92dbcadd0f4c1a6c0

SHA512
98c87c1254004886f9647d97f22272e88ed2bc41d01d72e501148c413c9cce75674ea6b7a4cb8c6be949d225011d116f4b4e73bb418bad46e014e938ac029aaf

Download Submit
C:\Windows\SysWOW64\Cpqlfa32.exe

Filesize
85KB

MD5
3413e92d5c939b423489790781e98d43

SHA1
11719337e8e35a6022829e44f0ece98eb41a861a

SHA256
c830ce888e9d2d791c5613007c686573004fdbeb0d58d79fa7ca33fb27291624

SHA512
dafba096bcfaf38dcc20e89be553cca42c33a34721e974852189305ad15b884438570b0888f6b41030f1d4f9c1997d1862f6f734cc1be6155bda5754a8682293

Download Submit
C:\Windows\SysWOW64\Cpqlfa32.exe

Filesize
85KB

MD5
3413e92d5c939b423489790781e98d43

SHA1
11719337e8e35a6022829e44f0ece98eb41a861a

SHA256
c830ce888e9d2d791c5613007c686573004fdbeb0d58d79fa7ca33fb27291624

SHA512
dafba096bcfaf38dcc20e89be553cca42c33a34721e974852189305ad15b884438570b0888f6b41030f1d4f9c1997d1862f6f734cc1be6155bda5754a8682293

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
85KB

MD5
ac8d2edfca37a7b792eac1bc5baa874e

SHA1
d3a9ca1034bdce032292066a9e2f8c90979e0198

SHA256
d4d1e814c928e1e71d6a51a4b938f42ca7350e0f9f1dca3de6d7257c9e12e1e2

SHA512
6dffb5f422938cc4716129a3f4a85db45e11b319d349d9dd49c620b417d0ccd21070b6dc3ff14fb4e923f7d9189ab7cbea3164266d5b19844fff2605af577a1b

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
85KB

MD5
ac8d2edfca37a7b792eac1bc5baa874e

SHA1
d3a9ca1034bdce032292066a9e2f8c90979e0198

SHA256
d4d1e814c928e1e71d6a51a4b938f42ca7350e0f9f1dca3de6d7257c9e12e1e2

SHA512
6dffb5f422938cc4716129a3f4a85db45e11b319d349d9dd49c620b417d0ccd21070b6dc3ff14fb4e923f7d9189ab7cbea3164266d5b19844fff2605af577a1b

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
85KB

MD5
ac8d2edfca37a7b792eac1bc5baa874e

SHA1
d3a9ca1034bdce032292066a9e2f8c90979e0198

SHA256
d4d1e814c928e1e71d6a51a4b938f42ca7350e0f9f1dca3de6d7257c9e12e1e2

SHA512
6dffb5f422938cc4716129a3f4a85db45e11b319d349d9dd49c620b417d0ccd21070b6dc3ff14fb4e923f7d9189ab7cbea3164266d5b19844fff2605af577a1b

Download Submit
C:\Windows\SysWOW64\Dpefaq32.exe

Filesize
85KB

MD5
e78705a3cb3516660372191595fffc31

SHA1
2871b13b3988bdbe7f5d2c7c27667dfae303dc81

SHA256
0b542e7ea399d23390acb558d8ef99db9e70a54ea3c1d35c88db139deba904e2

SHA512
38d00a6aa4d3cc5604c9535998b3d15101845c6b9464ba81199a38116d1f380fc259304c4d8e5ef164f2057802dbceada8dedd26536bb3bf7e34742eaa5a3f8e

Download Submit
C:\Windows\SysWOW64\Dpefaq32.exe

Filesize
85KB

MD5
e78705a3cb3516660372191595fffc31

SHA1
2871b13b3988bdbe7f5d2c7c27667dfae303dc81

SHA256
0b542e7ea399d23390acb558d8ef99db9e70a54ea3c1d35c88db139deba904e2

SHA512
38d00a6aa4d3cc5604c9535998b3d15101845c6b9464ba81199a38116d1f380fc259304c4d8e5ef164f2057802dbceada8dedd26536bb3bf7e34742eaa5a3f8e

Download Submit
C:\Windows\SysWOW64\Gbpnjdkg.exe

Filesize
85KB

MD5
c527c893fc839da84f902f32cff7e6a9

SHA1
bbec0de5c372e84fae1a29238aa56bc072eca69d

SHA256
28561fbb2f51ab4ad0a454bac285a4b6da394a032cd5f4e301345d6b302ef6fc

SHA512
8951fa6c119159c96852b57fb8810fb9ec66c8e9cdd2a4ae5497e8ed6977733fb9e83fdbcc37b86864a2309f8512be7be79ea22b7d3bf033fe4121191efd4868

Download Submit
C:\Windows\SysWOW64\Gbpnjdkg.exe

Filesize
85KB

MD5
c527c893fc839da84f902f32cff7e6a9

SHA1
bbec0de5c372e84fae1a29238aa56bc072eca69d

SHA256
28561fbb2f51ab4ad0a454bac285a4b6da394a032cd5f4e301345d6b302ef6fc

SHA512
8951fa6c119159c96852b57fb8810fb9ec66c8e9cdd2a4ae5497e8ed6977733fb9e83fdbcc37b86864a2309f8512be7be79ea22b7d3bf033fe4121191efd4868

Download Submit
C:\Windows\SysWOW64\Hannao32.exe

Filesize
85KB

MD5
b39be9a76d0ae2743b5aec32ce7429d7

SHA1
30dbd855779729b3638adaf78665b61e5283e7c7

SHA256
d16100b290aa65e5cc76df65e9ab8cc53cb07969715954846cea96bf26a416a6

SHA512
1e1a0d2d7da051b8bcde328d8136ed9a9920ee8ee18fc82e082a57db61799d6876fa025c87e0b34e5d66fa544a5226fc0d445f72379a51ec9c7eaf52e40f5e94

Download Submit
C:\Windows\SysWOW64\Hannao32.exe

Filesize
85KB

MD5
b39be9a76d0ae2743b5aec32ce7429d7

SHA1
30dbd855779729b3638adaf78665b61e5283e7c7

SHA256
d16100b290aa65e5cc76df65e9ab8cc53cb07969715954846cea96bf26a416a6

SHA512
1e1a0d2d7da051b8bcde328d8136ed9a9920ee8ee18fc82e082a57db61799d6876fa025c87e0b34e5d66fa544a5226fc0d445f72379a51ec9c7eaf52e40f5e94

Download Submit
C:\Windows\SysWOW64\Icfmci32.exe

Filesize
85KB

MD5
23a0858dd13b48df9e78f91aced20b26

SHA1
dcf2835527e0781461e9770ac85da3243ca964cd

SHA256
0e3065a33314b1f5d8b865e454f2b7e21a99df9346732727c476fdb13c31130c

SHA512
ef040c1646791fd81a7411286155c7beb6e05770a21f1777db8a07b088dedbc0c74d25817db7597592a3f7909ad98aca42e89c3f87f2ab95811b4e18344d88ea

Download Submit
C:\Windows\SysWOW64\Icfmci32.exe

Filesize
85KB

MD5
23a0858dd13b48df9e78f91aced20b26

SHA1
dcf2835527e0781461e9770ac85da3243ca964cd

SHA256
0e3065a33314b1f5d8b865e454f2b7e21a99df9346732727c476fdb13c31130c

SHA512
ef040c1646791fd81a7411286155c7beb6e05770a21f1777db8a07b088dedbc0c74d25817db7597592a3f7909ad98aca42e89c3f87f2ab95811b4e18344d88ea

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
85KB

MD5
05d5704a3e51c9691aa61a497145f19f

SHA1
fc3e15b3ed1740f58dff7010d5278276ebc255c4

SHA256
83b21861a3568a3dd82dc9da3dfd7600a39ed499ad9b75d1b6f1d2da6641fce8

SHA512
0e59ab2f5f8e6badd48411b367765b1e7b231aa02eba537cb7a398e3641aed19259580ed8e84b30d4738e2969272b6046c59e04315fe3fb53ed73070213510f8

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
85KB

MD5
05d5704a3e51c9691aa61a497145f19f

SHA1
fc3e15b3ed1740f58dff7010d5278276ebc255c4

SHA256
83b21861a3568a3dd82dc9da3dfd7600a39ed499ad9b75d1b6f1d2da6641fce8

SHA512
0e59ab2f5f8e6badd48411b367765b1e7b231aa02eba537cb7a398e3641aed19259580ed8e84b30d4738e2969272b6046c59e04315fe3fb53ed73070213510f8

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
85KB

MD5
dea21f3fc927f0fe393bfeb49da95037

SHA1
dd5a128b3b14b04319a2f415d06edd311d4198a3

SHA256
d4e10459534cb4cdac2882a37339c5088cee96272b8c95193ba41b57fdb76216

SHA512
7680ece28bb21327a08ac67dfe342b54a01d239319b66e00d0ebe8f8a0313a4548c88d2234fe84f6b8883f57c222fe3a498aa0f1822d4791dce574a7fe5e46b4

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
85KB

MD5
dea21f3fc927f0fe393bfeb49da95037

SHA1
dd5a128b3b14b04319a2f415d06edd311d4198a3

SHA256
d4e10459534cb4cdac2882a37339c5088cee96272b8c95193ba41b57fdb76216

SHA512
7680ece28bb21327a08ac67dfe342b54a01d239319b66e00d0ebe8f8a0313a4548c88d2234fe84f6b8883f57c222fe3a498aa0f1822d4791dce574a7fe5e46b4

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
85KB

MD5
dea21f3fc927f0fe393bfeb49da95037

SHA1
dd5a128b3b14b04319a2f415d06edd311d4198a3

SHA256
d4e10459534cb4cdac2882a37339c5088cee96272b8c95193ba41b57fdb76216

SHA512
7680ece28bb21327a08ac67dfe342b54a01d239319b66e00d0ebe8f8a0313a4548c88d2234fe84f6b8883f57c222fe3a498aa0f1822d4791dce574a7fe5e46b4

Download Submit
C:\Windows\SysWOW64\Jlidpe32.exe

Filesize
85KB

MD5
03026c7e189d6eec2f2ac841e619b577

SHA1
6890b9492047709a65ae2686eb338673f7de2cbe

SHA256
0d0099b0f9c7fe29787f4cc1661e72a7235eba601bea2b2e9298fd9af85026da

SHA512
aeef0d8ce9cbb42f89c0b0ee21711cf06edb5ac4f2229877e7fa7e0cdedcec436f30ca6f2b9d252606f8b8759852bd321bdf42176f5cc43f7f49b254fa89ff21

Download Submit
C:\Windows\SysWOW64\Jlidpe32.exe

Filesize
85KB

MD5
03026c7e189d6eec2f2ac841e619b577

SHA1
6890b9492047709a65ae2686eb338673f7de2cbe

SHA256
0d0099b0f9c7fe29787f4cc1661e72a7235eba601bea2b2e9298fd9af85026da

SHA512
aeef0d8ce9cbb42f89c0b0ee21711cf06edb5ac4f2229877e7fa7e0cdedcec436f30ca6f2b9d252606f8b8759852bd321bdf42176f5cc43f7f49b254fa89ff21

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
85KB

MD5
9621aa1acbdf19b2d73017f8e7acfc33

SHA1
843d866298eaefd9682f0f174382d7892c86fe4d

SHA256
2114f4e043c4bdaf558bdc75ab603e0f6527d638b410c485f3d0270011923520

SHA512
394aee7c33162029af307b257e81da0701272b63c7a13719cde86ba315218a54e49a48f13be5005ccf55f920920d981a2f93ab4acef5ab359ace1a463a69f5b6

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
85KB

MD5
9621aa1acbdf19b2d73017f8e7acfc33

SHA1
843d866298eaefd9682f0f174382d7892c86fe4d

SHA256
2114f4e043c4bdaf558bdc75ab603e0f6527d638b410c485f3d0270011923520

SHA512
394aee7c33162029af307b257e81da0701272b63c7a13719cde86ba315218a54e49a48f13be5005ccf55f920920d981a2f93ab4acef5ab359ace1a463a69f5b6

Download Submit
C:\Windows\SysWOW64\Lehhqg32.exe

Filesize
85KB

MD5
ed2ab5215fbcc173d2f849f2a70c1fbb

SHA1
c7e727aaa947879e67fd41de4cdfdb495dc68fe6

SHA256
a09587ada3e2ad7d20ae93a1056fbedbb41e5fddd714ddb513e423e2ff63f01b

SHA512
68513785e84c8c79d9780d4698dae5fa8bbba6606be8a62d01adeb93fcfb2b55983ad986f16afc2f76cb68db5e1c069f60cf598c3c20697c037c3733024c9043

Download Submit
C:\Windows\SysWOW64\Lehhqg32.exe

Filesize
85KB

MD5
ed2ab5215fbcc173d2f849f2a70c1fbb

SHA1
c7e727aaa947879e67fd41de4cdfdb495dc68fe6

SHA256
a09587ada3e2ad7d20ae93a1056fbedbb41e5fddd714ddb513e423e2ff63f01b

SHA512
68513785e84c8c79d9780d4698dae5fa8bbba6606be8a62d01adeb93fcfb2b55983ad986f16afc2f76cb68db5e1c069f60cf598c3c20697c037c3733024c9043

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe

Filesize
85KB

MD5
52eae504b7d54b5aa0a5bfc80c548bda

SHA1
17ef5f020755bbf3d45749750405c2365fd1148d

SHA256
521f2b9664633feacf63710921237d1709e3f684f999b8149065dfce75dc6321

SHA512
2c7958e91793549745a126e9151a22a0cd4f657c03ea07a27bcd9477a931050d5ee18d7d7b93e62e96658a882fad982a670b978e904e72a141a4b643813ef6c2

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe

Filesize
85KB

MD5
52eae504b7d54b5aa0a5bfc80c548bda

SHA1
17ef5f020755bbf3d45749750405c2365fd1148d

SHA256
521f2b9664633feacf63710921237d1709e3f684f999b8149065dfce75dc6321

SHA512
2c7958e91793549745a126e9151a22a0cd4f657c03ea07a27bcd9477a931050d5ee18d7d7b93e62e96658a882fad982a670b978e904e72a141a4b643813ef6c2

Download Submit
C:\Windows\SysWOW64\Mebkge32.exe

Filesize
85KB

MD5
a988585afc7629bfc6097071b507d189

SHA1
2b688dc3a2b230f20c23844b2b66f53505df72cb

SHA256
126fbeff17125b70c51122243a3c4cd251277ef009fc87f861925fa280239aa2

SHA512
41e21974790eb990a9d88e3f460d199eb985082acd35800d2c53d054fe6e34b19e6565011b4deaad7de46b140238776029caa9cc56bcd608f69ff6f844802df7

Download Submit
C:\Windows\SysWOW64\Mebkge32.exe

Filesize
85KB

MD5
a988585afc7629bfc6097071b507d189

SHA1
2b688dc3a2b230f20c23844b2b66f53505df72cb

SHA256
126fbeff17125b70c51122243a3c4cd251277ef009fc87f861925fa280239aa2

SHA512
41e21974790eb990a9d88e3f460d199eb985082acd35800d2c53d054fe6e34b19e6565011b4deaad7de46b140238776029caa9cc56bcd608f69ff6f844802df7

Download Submit
C:\Windows\SysWOW64\Moefdljc.exe

Filesize
85KB

MD5
c905e29499a1583bb43a47c3f76642a8

SHA1
24d47b6c7107ada92cc41ec7d232bcd3ac43fa69

SHA256
8c85d4742a94617bf1e98d17326be71eafedeeea56be3525480bebccd411de2b

SHA512
e17a240ecea5fc5f1f14f818e5849cb246e2a99ecdbe39a351faba4d3a3a2387c439ac1e9fdb57dc89c5ec9387c417839498a40180270b812f74272481251975

Download Submit
C:\Windows\SysWOW64\Moefdljc.exe

Filesize
85KB

MD5
c905e29499a1583bb43a47c3f76642a8

SHA1
24d47b6c7107ada92cc41ec7d232bcd3ac43fa69

SHA256
8c85d4742a94617bf1e98d17326be71eafedeeea56be3525480bebccd411de2b

SHA512
e17a240ecea5fc5f1f14f818e5849cb246e2a99ecdbe39a351faba4d3a3a2387c439ac1e9fdb57dc89c5ec9387c417839498a40180270b812f74272481251975

Download Submit
C:\Windows\SysWOW64\Nchhfild.exe

Filesize
85KB

MD5
1538b35134cec89d1b4a0bd4f83b0273

SHA1
28cd55cd38358d4423e1c3e6215057d747c952d0

SHA256
e1b99235e9648d2aa9826e59f4d7ae156341030ff1ce0b916c7e53884ee1f462

SHA512
2ad952deacd5205d3f99105b3375d4e477b5ef348b229bb264e014a454ec7815947c8a00571c624f4e7758e304f9a9c8b83faa3392eeeeeae4f2d74479fa1503

Download Submit
C:\Windows\SysWOW64\Nchhfild.exe

Filesize
85KB

MD5
1538b35134cec89d1b4a0bd4f83b0273

SHA1
28cd55cd38358d4423e1c3e6215057d747c952d0

SHA256
e1b99235e9648d2aa9826e59f4d7ae156341030ff1ce0b916c7e53884ee1f462

SHA512
2ad952deacd5205d3f99105b3375d4e477b5ef348b229bb264e014a454ec7815947c8a00571c624f4e7758e304f9a9c8b83faa3392eeeeeae4f2d74479fa1503

Download Submit
C:\Windows\SysWOW64\Nkeipk32.exe

Filesize
85KB

MD5
d0ab2e12b0f97dbb4f9ce45d16d4298e

SHA1
d5a7bdd69a7d4bafa3b9a7c03afeeffe4681189b

SHA256
5f2a5b1c0cc1887b2b76c5f8988d7066a990925b8dc9dd7e270d3f04c74dfa71

SHA512
c2d65e00554de4416e4bc479293370c9969dff9204530f477da26362d7616e9057fc4a3ae32a442cee22b54065d2639819dcf924a070bbfa01ece9565b5cb519

Download Submit
C:\Windows\SysWOW64\Nkeipk32.exe

Filesize
85KB

MD5
d0ab2e12b0f97dbb4f9ce45d16d4298e

SHA1
d5a7bdd69a7d4bafa3b9a7c03afeeffe4681189b

SHA256
5f2a5b1c0cc1887b2b76c5f8988d7066a990925b8dc9dd7e270d3f04c74dfa71

SHA512
c2d65e00554de4416e4bc479293370c9969dff9204530f477da26362d7616e9057fc4a3ae32a442cee22b54065d2639819dcf924a070bbfa01ece9565b5cb519

Download Submit
C:\Windows\SysWOW64\Ohhfknjf.exe

Filesize
85KB

MD5
537b5691107dc709534b2f3948b10006

SHA1
b336c3e104ccc3c7340c322ce956419e3c3c6067

SHA256
c274872a9e222ecac9c2aa42c11214e72e2079fbc4497c624b9312fc427876ae

SHA512
0f27daf4a5a1b739152f7433cf729f36d292b89ed0c592897f2994a99bbb372927323863f9b150fe5507fa865cc6b672b85cb382492625222497a55cb952d3d4

Download Submit
C:\Windows\SysWOW64\Ohhfknjf.exe

Filesize
85KB

MD5
537b5691107dc709534b2f3948b10006

SHA1
b336c3e104ccc3c7340c322ce956419e3c3c6067

SHA256
c274872a9e222ecac9c2aa42c11214e72e2079fbc4497c624b9312fc427876ae

SHA512
0f27daf4a5a1b739152f7433cf729f36d292b89ed0c592897f2994a99bbb372927323863f9b150fe5507fa865cc6b672b85cb382492625222497a55cb952d3d4

Download Submit
C:\Windows\SysWOW64\Ollljmhg.exe

Filesize
85KB

MD5
8a24334abd5f898569cf2c13f1279d43

SHA1
21ffcd085e9f982cd79346c0cbe51ff1264d2272

SHA256
331a16375ae34314b46e6e9169dce9547efc12d5eb9756c7d1dc5018e6129a72

SHA512
470b4812052b55b490aca12dc7d752eece02d4639f0254826f84c5be23ad5ab30c3ab64eeec136ae3694c6bffa9b8097eee094cb0dd9adee61b1e3bd8e3404be

Download Submit
C:\Windows\SysWOW64\Ollljmhg.exe

Filesize
85KB

MD5
8a24334abd5f898569cf2c13f1279d43

SHA1
21ffcd085e9f982cd79346c0cbe51ff1264d2272

SHA256
331a16375ae34314b46e6e9169dce9547efc12d5eb9756c7d1dc5018e6129a72

SHA512
470b4812052b55b490aca12dc7d752eece02d4639f0254826f84c5be23ad5ab30c3ab64eeec136ae3694c6bffa9b8097eee094cb0dd9adee61b1e3bd8e3404be

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
85KB

MD5
df08cdab3f4afd4b61c6f74214ec2877

SHA1
d9289ad629226b9e531d26b8d3b911d584cdc41e

SHA256
6614a7eb889ad0def605059d2e491a2501f932f7593ed9b03f8f8bf5e95486ce

SHA512
0400037c29fbac2c2ce2ec62a7034bd77e05237e48494b82625e0709376777ede6e5fe4f1de09ef923184023bc3fd5f78290f3046297fc4183ba7b1ebbc0ef24

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
85KB

MD5
df08cdab3f4afd4b61c6f74214ec2877

SHA1
d9289ad629226b9e531d26b8d3b911d584cdc41e

SHA256
6614a7eb889ad0def605059d2e491a2501f932f7593ed9b03f8f8bf5e95486ce

SHA512
0400037c29fbac2c2ce2ec62a7034bd77e05237e48494b82625e0709376777ede6e5fe4f1de09ef923184023bc3fd5f78290f3046297fc4183ba7b1ebbc0ef24

Download Submit
C:\Windows\SysWOW64\Qppkhfec.exe

Filesize
85KB

MD5
ab4f7ed3374bafe4f04d8773fc6598be

SHA1
e2eb5614912c6cf7d699269895de459f92d7d1e1

SHA256
78abbd09dd6066de1a2abed242c8875980ca9b749d1bd7cd03159e40d21e8ec4

SHA512
3acd0444c7c498ad93bb8c62dd41e0bbcbc84359263ef7a7a8efd54a86620ea69e9f4822d25eaa2e1290fff41257eefb68491898d675603035cdb93ce94a1954

Download Submit
C:\Windows\SysWOW64\Qppkhfec.exe

Filesize
85KB

MD5
ab4f7ed3374bafe4f04d8773fc6598be

SHA1
e2eb5614912c6cf7d699269895de459f92d7d1e1

SHA256
78abbd09dd6066de1a2abed242c8875980ca9b749d1bd7cd03159e40d21e8ec4

SHA512
3acd0444c7c498ad93bb8c62dd41e0bbcbc84359263ef7a7a8efd54a86620ea69e9f4822d25eaa2e1290fff41257eefb68491898d675603035cdb93ce94a1954

Download Submit
memory/244-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/244-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/316-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/316-92-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/408-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/408-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1180-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1180-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1424-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1424-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1892-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1892-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2432-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2432-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3148-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3148-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3236-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3236-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3372-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3372-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4128-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4128-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4176-123-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4624-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4720-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4720-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads