79cefd37bb8e170edc37357f2aeb225453282196b3e14ca56d70fa6842c85e04

Analysis

max time kernel
86s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe
Size

45KB
MD5

1ec42009382e386f79a2aebae7baa220
SHA1

af94a6ecc8669f1e929ba5ad8c3d2f2c9c8366b4
SHA256

79cefd37bb8e170edc37357f2aeb225453282196b3e14ca56d70fa6842c85e04
SHA512

6d22d12f799d1eab12a6017da3aa5005ac3dfd0f150a4ed8d710cf8559eec5209125ee09339546aeacc9746411d2492b99eba59209aeea3952a9e3d7b3299628
SSDEEP

768:WvRLz/9/OwBcVr+AiuW97dYrFslxz0xnZno/1H5t+a:WpP/9d8u/cFsPz0zu/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe

Executes dropped EXE 26 IoCs

pid	Process
736	Aeiofcji.exe
2880	Ajfhnjhq.exe
1404	Agjhgngj.exe
4140	Andqdh32.exe
2132	Ajkaii32.exe
1680	Aadifclh.exe
3620	Bcebhoii.exe
4476	Bjokdipf.exe
3532	Bjagjhnc.exe
1592	Beglgani.exe
1912	Banllbdn.exe
4328	Bmemac32.exe
1712	Cenahpha.exe
4684	Cnffqf32.exe
5100	Cnicfe32.exe
1920	Cfdhkhjj.exe
5036	Cdhhdlid.exe
5076	Cmqmma32.exe
368	Dfiafg32.exe
980	Dopigd32.exe
1720	Dfknkg32.exe
3400	Delnin32.exe
448	Dmgbnq32.exe
2480	Dfpgffpm.exe
4196	Dddhpjof.exe
2724	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1700	2724	WerFault.exe	107

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 736	916	NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe	82
PID 916 wrote to memory of 736	916	NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe	82
PID 916 wrote to memory of 736	916	NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe	82
PID 736 wrote to memory of 2880	736	Aeiofcji.exe	83
PID 736 wrote to memory of 2880	736	Aeiofcji.exe	83
PID 736 wrote to memory of 2880	736	Aeiofcji.exe	83
PID 2880 wrote to memory of 1404	2880	Ajfhnjhq.exe	84
PID 2880 wrote to memory of 1404	2880	Ajfhnjhq.exe	84
PID 2880 wrote to memory of 1404	2880	Ajfhnjhq.exe	84
PID 1404 wrote to memory of 4140	1404	Agjhgngj.exe	85
PID 1404 wrote to memory of 4140	1404	Agjhgngj.exe	85
PID 1404 wrote to memory of 4140	1404	Agjhgngj.exe	85
PID 4140 wrote to memory of 2132	4140	Andqdh32.exe	86
PID 4140 wrote to memory of 2132	4140	Andqdh32.exe	86
PID 4140 wrote to memory of 2132	4140	Andqdh32.exe	86
PID 2132 wrote to memory of 1680	2132	Ajkaii32.exe	87
PID 2132 wrote to memory of 1680	2132	Ajkaii32.exe	87
PID 2132 wrote to memory of 1680	2132	Ajkaii32.exe	87
PID 1680 wrote to memory of 3620	1680	Aadifclh.exe	88
PID 1680 wrote to memory of 3620	1680	Aadifclh.exe	88
PID 1680 wrote to memory of 3620	1680	Aadifclh.exe	88
PID 3620 wrote to memory of 4476	3620	Bcebhoii.exe	89
PID 3620 wrote to memory of 4476	3620	Bcebhoii.exe	89
PID 3620 wrote to memory of 4476	3620	Bcebhoii.exe	89
PID 4476 wrote to memory of 3532	4476	Bjokdipf.exe	90
PID 4476 wrote to memory of 3532	4476	Bjokdipf.exe	90
PID 4476 wrote to memory of 3532	4476	Bjokdipf.exe	90
PID 3532 wrote to memory of 1592	3532	Bjagjhnc.exe	91
PID 3532 wrote to memory of 1592	3532	Bjagjhnc.exe	91
PID 3532 wrote to memory of 1592	3532	Bjagjhnc.exe	91
PID 1592 wrote to memory of 1912	1592	Beglgani.exe	92
PID 1592 wrote to memory of 1912	1592	Beglgani.exe	92
PID 1592 wrote to memory of 1912	1592	Beglgani.exe	92
PID 1912 wrote to memory of 4328	1912	Banllbdn.exe	93
PID 1912 wrote to memory of 4328	1912	Banllbdn.exe	93
PID 1912 wrote to memory of 4328	1912	Banllbdn.exe	93
PID 4328 wrote to memory of 1712	4328	Bmemac32.exe	94
PID 4328 wrote to memory of 1712	4328	Bmemac32.exe	94
PID 4328 wrote to memory of 1712	4328	Bmemac32.exe	94
PID 1712 wrote to memory of 4684	1712	Cenahpha.exe	95
PID 1712 wrote to memory of 4684	1712	Cenahpha.exe	95
PID 1712 wrote to memory of 4684	1712	Cenahpha.exe	95
PID 4684 wrote to memory of 5100	4684	Cnffqf32.exe	96
PID 4684 wrote to memory of 5100	4684	Cnffqf32.exe	96
PID 4684 wrote to memory of 5100	4684	Cnffqf32.exe	96
PID 5100 wrote to memory of 1920	5100	Cnicfe32.exe	97
PID 5100 wrote to memory of 1920	5100	Cnicfe32.exe	97
PID 5100 wrote to memory of 1920	5100	Cnicfe32.exe	97
PID 1920 wrote to memory of 5036	1920	Cfdhkhjj.exe	98
PID 1920 wrote to memory of 5036	1920	Cfdhkhjj.exe	98
PID 1920 wrote to memory of 5036	1920	Cfdhkhjj.exe	98
PID 5036 wrote to memory of 5076	5036	Cdhhdlid.exe	99
PID 5036 wrote to memory of 5076	5036	Cdhhdlid.exe	99
PID 5036 wrote to memory of 5076	5036	Cdhhdlid.exe	99
PID 5076 wrote to memory of 368	5076	Cmqmma32.exe	100
PID 5076 wrote to memory of 368	5076	Cmqmma32.exe	100
PID 5076 wrote to memory of 368	5076	Cmqmma32.exe	100
PID 368 wrote to memory of 980	368	Dfiafg32.exe	101
PID 368 wrote to memory of 980	368	Dfiafg32.exe	101
PID 368 wrote to memory of 980	368	Dfiafg32.exe	101
PID 980 wrote to memory of 1720	980	Dopigd32.exe	102
PID 980 wrote to memory of 1720	980	Dopigd32.exe	102
PID 980 wrote to memory of 1720	980	Dopigd32.exe	102
PID 1720 wrote to memory of 3400	1720	Dfknkg32.exe	103

C:\Users\Admin\AppData\Local\Temp\NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1ec42009382e386f79a2aebae7baa220_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\Aeiofcji.exe
  C:\Windows\system32\Aeiofcji.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\Ajfhnjhq.exe
    C:\Windows\system32\Ajfhnjhq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\Agjhgngj.exe
      C:\Windows\system32\Agjhgngj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
      - C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        27⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 404
        28⤵
        Program crash
        
        PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2724 -ip 2724
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
45KB

MD5
ee05199bd04bcbd000b06bb85a676152

SHA1
02349b96681b5abbe5cd9957f8664ce6b1a403d0

SHA256
501acd5ae5cd141302fb07c58dc96a2601977bb59a80d52b529607bfabb9be42

SHA512
30e27efdb9571b0e633298e944b15063ffae988236a6db687672fe5ec64cbaecf010617bb064fbc98b54f76aab49bdaf5a12a9fd47288f758089aed9e228bdc8

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
45KB

MD5
ee05199bd04bcbd000b06bb85a676152

SHA1
02349b96681b5abbe5cd9957f8664ce6b1a403d0

SHA256
501acd5ae5cd141302fb07c58dc96a2601977bb59a80d52b529607bfabb9be42

SHA512
30e27efdb9571b0e633298e944b15063ffae988236a6db687672fe5ec64cbaecf010617bb064fbc98b54f76aab49bdaf5a12a9fd47288f758089aed9e228bdc8

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
45KB

MD5
ee05199bd04bcbd000b06bb85a676152

SHA1
02349b96681b5abbe5cd9957f8664ce6b1a403d0

SHA256
501acd5ae5cd141302fb07c58dc96a2601977bb59a80d52b529607bfabb9be42

SHA512
30e27efdb9571b0e633298e944b15063ffae988236a6db687672fe5ec64cbaecf010617bb064fbc98b54f76aab49bdaf5a12a9fd47288f758089aed9e228bdc8

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
45KB

MD5
5c7a4d877c74552fa36df2e680a2b854

SHA1
9ebfb3616142944cdaa77eda4c2874f0fae178da

SHA256
1b1fb556a07a59f81f286d0e8e8674c7d0e4d83da0d9eaf1027b17ef60eca22e

SHA512
54e8adb5748f824068926e1d31b0fad27c6437ef8898e6df020e7dd06de01d2b8a99aff9d6826c1ed5256a87f2008598c1eb97062254ab08d50d5b8b72842483

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
45KB

MD5
5c7a4d877c74552fa36df2e680a2b854

SHA1
9ebfb3616142944cdaa77eda4c2874f0fae178da

SHA256
1b1fb556a07a59f81f286d0e8e8674c7d0e4d83da0d9eaf1027b17ef60eca22e

SHA512
54e8adb5748f824068926e1d31b0fad27c6437ef8898e6df020e7dd06de01d2b8a99aff9d6826c1ed5256a87f2008598c1eb97062254ab08d50d5b8b72842483

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
45KB

MD5
1ee489deac2d06d65e279668424f2c13

SHA1
ee429fd06f7413ac672f942a9af36e5a57256bbc

SHA256
c2af6a9709cd941a64b7f42a8d74286b4faf408283fd36e9510f783fea450fd1

SHA512
569ac917c1e120020a898fa555899cc919c1316720f0848b35f7611ec60438c5f6458f3264cb6d3757ac5a4497dbb32d8ec26f0544df240ea0384ee56927968a

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
45KB

MD5
1ee489deac2d06d65e279668424f2c13

SHA1
ee429fd06f7413ac672f942a9af36e5a57256bbc

SHA256
c2af6a9709cd941a64b7f42a8d74286b4faf408283fd36e9510f783fea450fd1

SHA512
569ac917c1e120020a898fa555899cc919c1316720f0848b35f7611ec60438c5f6458f3264cb6d3757ac5a4497dbb32d8ec26f0544df240ea0384ee56927968a

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
45KB

MD5
0f5400085d6c4cf24df46e8efffd6692

SHA1
bbabf5a76e1a413c79c345ff89ad4c911f3e8221

SHA256
607977e3ef7e8d0fd3851a08ba8796193155dedf539b44cda6c2de5ec7bb7f62

SHA512
ad7e79cd6a89a8faf99e1d123748b5d153894819dc95772155bf394dd60ae6084c816d493cd2d608cab9c4702f43a9b0b82c353bd8924612b2ebe19f53d8eb23

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
45KB

MD5
0f5400085d6c4cf24df46e8efffd6692

SHA1
bbabf5a76e1a413c79c345ff89ad4c911f3e8221

SHA256
607977e3ef7e8d0fd3851a08ba8796193155dedf539b44cda6c2de5ec7bb7f62

SHA512
ad7e79cd6a89a8faf99e1d123748b5d153894819dc95772155bf394dd60ae6084c816d493cd2d608cab9c4702f43a9b0b82c353bd8924612b2ebe19f53d8eb23

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
45KB

MD5
624eb433c2747587e3485ed5ff0e5fba

SHA1
0ef66ecf0843c3529bdd699094d9714ac0a55b7f

SHA256
cf32287a59659870b3c93c1e4d0bf328dd8152d0d560245c0327d4fdc18d0aa8

SHA512
6d1ab9a4aab1e6406140d2aa4d88cde115eaf84cc8f4a79e87098e2b11c585285420c4997ece92acc6f12ef250fe769c125471fc0b92909ef6899b6ccce9bf61

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
45KB

MD5
624eb433c2747587e3485ed5ff0e5fba

SHA1
0ef66ecf0843c3529bdd699094d9714ac0a55b7f

SHA256
cf32287a59659870b3c93c1e4d0bf328dd8152d0d560245c0327d4fdc18d0aa8

SHA512
6d1ab9a4aab1e6406140d2aa4d88cde115eaf84cc8f4a79e87098e2b11c585285420c4997ece92acc6f12ef250fe769c125471fc0b92909ef6899b6ccce9bf61

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
45KB

MD5
dbaded288763322e48715a37e1d654e9

SHA1
bf8de7a878fba755cdb8892395b21ab2170b776d

SHA256
3f62a4803b2d5128dc85870d31a000323eed256e64763cc2035ee29530ca26fb

SHA512
48c284a182c160b9e4e1f175f5d245e9ba3c1d789977a1708d526f20d887876cfd3e9d3acd8f5029e2145ea077a48f82872d09f81aeb225fd3431378f907a562

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
45KB

MD5
dbaded288763322e48715a37e1d654e9

SHA1
bf8de7a878fba755cdb8892395b21ab2170b776d

SHA256
3f62a4803b2d5128dc85870d31a000323eed256e64763cc2035ee29530ca26fb

SHA512
48c284a182c160b9e4e1f175f5d245e9ba3c1d789977a1708d526f20d887876cfd3e9d3acd8f5029e2145ea077a48f82872d09f81aeb225fd3431378f907a562

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
45KB

MD5
2f4b32d681095c27da277e603d833bb3

SHA1
2d16d645770b234ecd988f6e4e5225929cffa29c

SHA256
c0b99a6a5bcc80b24503931542ea0c5d5946ea98c679d4239ac416f73c10d75c

SHA512
94afdf123b8f6aceddea0562f3e4ad0923d8903011694d8cfeebcc553d48254805c4180407f91a13076db221369e2e06ef32f0c6198f035f85c85ded642da035

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
45KB

MD5
2f4b32d681095c27da277e603d833bb3

SHA1
2d16d645770b234ecd988f6e4e5225929cffa29c

SHA256
c0b99a6a5bcc80b24503931542ea0c5d5946ea98c679d4239ac416f73c10d75c

SHA512
94afdf123b8f6aceddea0562f3e4ad0923d8903011694d8cfeebcc553d48254805c4180407f91a13076db221369e2e06ef32f0c6198f035f85c85ded642da035

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
45KB

MD5
0f9880b405b9897a00c95940a5be22c3

SHA1
042f665a363f330b0f46faa1d1d01282de5d696f

SHA256
6e599dde53d1376b7889f208da50a8236e0967f5d2022b8000626397b8e31f8b

SHA512
df28e70c4512c11cea077bde5c99bd54885074e51b73b819809214cd0fd8b2fc83425357534fa48c4abaaaced1720b3cb237d3a0354cc5e1da08aa8667cf2404

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
45KB

MD5
0f9880b405b9897a00c95940a5be22c3

SHA1
042f665a363f330b0f46faa1d1d01282de5d696f

SHA256
6e599dde53d1376b7889f208da50a8236e0967f5d2022b8000626397b8e31f8b

SHA512
df28e70c4512c11cea077bde5c99bd54885074e51b73b819809214cd0fd8b2fc83425357534fa48c4abaaaced1720b3cb237d3a0354cc5e1da08aa8667cf2404

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
45KB

MD5
d76057ab8c1c6cadaf784c3cb895c79a

SHA1
13fcbbd939115ba44730c3831cc87757e9e90cc6

SHA256
e1028d80db8be3fb8453d29553e9c11379a747493e912615ed1492e9da7b8cab

SHA512
b4006f08aa07c497142ace124dc0fe123456d2000be103fae56650a6002e44b9a235862edc0204daff80c9b2ce4dcabf2be010260efae4470a465ededc9f6a4e

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
45KB

MD5
d76057ab8c1c6cadaf784c3cb895c79a

SHA1
13fcbbd939115ba44730c3831cc87757e9e90cc6

SHA256
e1028d80db8be3fb8453d29553e9c11379a747493e912615ed1492e9da7b8cab

SHA512
b4006f08aa07c497142ace124dc0fe123456d2000be103fae56650a6002e44b9a235862edc0204daff80c9b2ce4dcabf2be010260efae4470a465ededc9f6a4e

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
45KB

MD5
1b616730daf9ba7612b1eb7ecb41bf93

SHA1
dedcd01cae2e8c17e4c30828f29c8f31a29d91d2

SHA256
bbca367596069dc9584ef59a18bbe2e2e3f63c3473a61966acf54e5c0bcfd3ef

SHA512
a5e7be60d29a2e6cd2ff504691b969fd85f1d3982224790a2dfd455e7a476f26b3c13e5f9a89723fecde23fed3a89bdeaa2ae263f98ec1b408f460694709be68

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
45KB

MD5
1b616730daf9ba7612b1eb7ecb41bf93

SHA1
dedcd01cae2e8c17e4c30828f29c8f31a29d91d2

SHA256
bbca367596069dc9584ef59a18bbe2e2e3f63c3473a61966acf54e5c0bcfd3ef

SHA512
a5e7be60d29a2e6cd2ff504691b969fd85f1d3982224790a2dfd455e7a476f26b3c13e5f9a89723fecde23fed3a89bdeaa2ae263f98ec1b408f460694709be68

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
45KB

MD5
97fd508d08662351175a81f2dd159fa4

SHA1
b898f95220712036790ef121c7877bcb4ea515a3

SHA256
62383f7afc6ae9e518a6643b3084ac3b7a063a50397ebf14de668490ccdb40b5

SHA512
45f0167f12da2169ab4912265b8296375175c2b1d1d0f775587a94a2853d26e141b14d46e6b1c593407585ef228a47b7ca5eeb522152cd8320bca024319eaf1a

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
45KB

MD5
97fd508d08662351175a81f2dd159fa4

SHA1
b898f95220712036790ef121c7877bcb4ea515a3

SHA256
62383f7afc6ae9e518a6643b3084ac3b7a063a50397ebf14de668490ccdb40b5

SHA512
45f0167f12da2169ab4912265b8296375175c2b1d1d0f775587a94a2853d26e141b14d46e6b1c593407585ef228a47b7ca5eeb522152cd8320bca024319eaf1a

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
45KB

MD5
c6592c04bb60b0683d5f4e394f12b8d1

SHA1
b526b58768bf67f255e306943e40d29b664fd9ac

SHA256
afff94a38e33994403b667d5141f8157c54d3ca63033b69fd8a4dcd0da099d08

SHA512
b1470dd461e3fd2914706c4fc7611b5df08d395c937ddf180142467458fcea736c1119c447f339fa6e3a2d18a22568b7c2239393cb2fecd60a7c903ba23ce29f

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
45KB

MD5
c6592c04bb60b0683d5f4e394f12b8d1

SHA1
b526b58768bf67f255e306943e40d29b664fd9ac

SHA256
afff94a38e33994403b667d5141f8157c54d3ca63033b69fd8a4dcd0da099d08

SHA512
b1470dd461e3fd2914706c4fc7611b5df08d395c937ddf180142467458fcea736c1119c447f339fa6e3a2d18a22568b7c2239393cb2fecd60a7c903ba23ce29f

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
45KB

MD5
3c36f72ad8465d7d4b2f6607c6070786

SHA1
483ee073717ab83809886f6945ecfa6665e96209

SHA256
533d83d63f1551b5040b3ef9d00d27c5ecebd45f300f7ba5c84d95f32906443e

SHA512
a23aa2fbbf7fff0ca89394d890f062ae5bc1905f444aa1ac3903d33c76a373c629bd416248dff80461b920c8ff4ebfa0abd9fa4515b16e88268db333384fbd81

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
45KB

MD5
3c36f72ad8465d7d4b2f6607c6070786

SHA1
483ee073717ab83809886f6945ecfa6665e96209

SHA256
533d83d63f1551b5040b3ef9d00d27c5ecebd45f300f7ba5c84d95f32906443e

SHA512
a23aa2fbbf7fff0ca89394d890f062ae5bc1905f444aa1ac3903d33c76a373c629bd416248dff80461b920c8ff4ebfa0abd9fa4515b16e88268db333384fbd81

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
45KB

MD5
8947c3da2cc340f962a6aa0c41402a7c

SHA1
ce2b5f7db6211e925992eb1e2b5680a6c7af9b30

SHA256
7acb4b2a00532c19cbc103602d734fd64f3295bc7986dde993c209c16bd3f57b

SHA512
93a99b790df8e17ad7292ac856bfcea0f724191304e36cc374d61a804d40ae8cdad892f99036bdb6ccdcc7a7ec4be6d9369af2dd72c960c14e6f705b9298a96b

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
45KB

MD5
8947c3da2cc340f962a6aa0c41402a7c

SHA1
ce2b5f7db6211e925992eb1e2b5680a6c7af9b30

SHA256
7acb4b2a00532c19cbc103602d734fd64f3295bc7986dde993c209c16bd3f57b

SHA512
93a99b790df8e17ad7292ac856bfcea0f724191304e36cc374d61a804d40ae8cdad892f99036bdb6ccdcc7a7ec4be6d9369af2dd72c960c14e6f705b9298a96b

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
45KB

MD5
aa7ac6b7ef24f5507a7cf4fafb8fab72

SHA1
8513bae3e5c4054eefa146d36d1a738e57e125f4

SHA256
90a10d1b781f9823723ddde8d357afa6caed4a47536b54c5ce646fd76209ba22

SHA512
d7c46d067b1c9e006a6e63bc81377f941da2572e3b4b7ff866250ecd14c89b2ada7ca8b6bd6f0eeadbbbf821d1e6e56a9a3a606ef1f99dce5972196e892d4a82

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
45KB

MD5
aa7ac6b7ef24f5507a7cf4fafb8fab72

SHA1
8513bae3e5c4054eefa146d36d1a738e57e125f4

SHA256
90a10d1b781f9823723ddde8d357afa6caed4a47536b54c5ce646fd76209ba22

SHA512
d7c46d067b1c9e006a6e63bc81377f941da2572e3b4b7ff866250ecd14c89b2ada7ca8b6bd6f0eeadbbbf821d1e6e56a9a3a606ef1f99dce5972196e892d4a82

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
45KB

MD5
ec19f4cefae846ecffd1b8b39024448d

SHA1
2c7b0d687e5cec218343f44eb61db0f9dd551a14

SHA256
e2d134ba056688e0c7bdd45ff52d58a475840e7b5d40b581aea15cb5764288a8

SHA512
db5f6b3692c05f6bfedb0e25efdf981dc8b503df109a744c2134ac34783df83fc7b8893cd41df4ebb758f868353a990a3ab61325d598a3c18f4e5536b8e2328d

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
45KB

MD5
ec19f4cefae846ecffd1b8b39024448d

SHA1
2c7b0d687e5cec218343f44eb61db0f9dd551a14

SHA256
e2d134ba056688e0c7bdd45ff52d58a475840e7b5d40b581aea15cb5764288a8

SHA512
db5f6b3692c05f6bfedb0e25efdf981dc8b503df109a744c2134ac34783df83fc7b8893cd41df4ebb758f868353a990a3ab61325d598a3c18f4e5536b8e2328d

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
45KB

MD5
e0564896c1149287f2cc229a7c2c6677

SHA1
152113a6e68608d9b3449387782b93ad25424cba

SHA256
adf81c7f5f737fa7fbb6cc2c0545293135533648b7519fc68fd0ad53a3e22c8c

SHA512
9bfccfc9eed896e41d81dd8be04a45a9c438aa5ce07165953d6edf778a1ca723ed30bdbbf62119264e79ff39aefd3b7f5a2c131073483ac00ee7f454932f8995

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
45KB

MD5
e0564896c1149287f2cc229a7c2c6677

SHA1
152113a6e68608d9b3449387782b93ad25424cba

SHA256
adf81c7f5f737fa7fbb6cc2c0545293135533648b7519fc68fd0ad53a3e22c8c

SHA512
9bfccfc9eed896e41d81dd8be04a45a9c438aa5ce07165953d6edf778a1ca723ed30bdbbf62119264e79ff39aefd3b7f5a2c131073483ac00ee7f454932f8995

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
45KB

MD5
313ac55ce0b15fc8a921a026d8efae05

SHA1
f963be181367907852361208813eec16b4ca2378

SHA256
d87e38539c06fdd0e8ffda8aa0ef378e3ca4703707df290e8bdb7e4ab6af0641

SHA512
705a5d9938c1f49fa6f99832132201313892e68c9c980582c139229b35d94916ee3f7eb742ffebac1f24d5bccd8ded388f8b1db740a8e386e20b0a82917afb5d

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
45KB

MD5
313ac55ce0b15fc8a921a026d8efae05

SHA1
f963be181367907852361208813eec16b4ca2378

SHA256
d87e38539c06fdd0e8ffda8aa0ef378e3ca4703707df290e8bdb7e4ab6af0641

SHA512
705a5d9938c1f49fa6f99832132201313892e68c9c980582c139229b35d94916ee3f7eb742ffebac1f24d5bccd8ded388f8b1db740a8e386e20b0a82917afb5d

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
45KB

MD5
313ac55ce0b15fc8a921a026d8efae05

SHA1
f963be181367907852361208813eec16b4ca2378

SHA256
d87e38539c06fdd0e8ffda8aa0ef378e3ca4703707df290e8bdb7e4ab6af0641

SHA512
705a5d9938c1f49fa6f99832132201313892e68c9c980582c139229b35d94916ee3f7eb742ffebac1f24d5bccd8ded388f8b1db740a8e386e20b0a82917afb5d

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
45KB

MD5
0976a7acbd32fae95717dce8a98aba6f

SHA1
55a8950e16094ffd6c60413eec6bfb26135f8403

SHA256
3fc71c71c1b1c415328af480f1a567cb9fc04e7355bced941b5714d8213afb2c

SHA512
f9c1d397a95a1ecbf7e06b61125fa6175e36115abf65155536099e6ae0bfa1fa37e60214e55f32560fe6916e1a9188def8547c0806fe30f31dba85db616a4cfa

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
45KB

MD5
0976a7acbd32fae95717dce8a98aba6f

SHA1
55a8950e16094ffd6c60413eec6bfb26135f8403

SHA256
3fc71c71c1b1c415328af480f1a567cb9fc04e7355bced941b5714d8213afb2c

SHA512
f9c1d397a95a1ecbf7e06b61125fa6175e36115abf65155536099e6ae0bfa1fa37e60214e55f32560fe6916e1a9188def8547c0806fe30f31dba85db616a4cfa

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
45KB

MD5
0976a7acbd32fae95717dce8a98aba6f

SHA1
55a8950e16094ffd6c60413eec6bfb26135f8403

SHA256
3fc71c71c1b1c415328af480f1a567cb9fc04e7355bced941b5714d8213afb2c

SHA512
f9c1d397a95a1ecbf7e06b61125fa6175e36115abf65155536099e6ae0bfa1fa37e60214e55f32560fe6916e1a9188def8547c0806fe30f31dba85db616a4cfa

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
45KB

MD5
9bfd85a96db10e4cd04d77b5ada2f1ed

SHA1
ba005d7ac0a0bb0aba24b1fd771b8aa88aa89ef7

SHA256
0352fd651368a94f9f82d24930769cb2f8b8a81f96b3ecad0f9b29d484c3f090

SHA512
f7addaff4eaffd39e4a9e44e40c5100928740f13c31c260723f65f989aa02113db162f80ec10100a236c5d085f3f249e413547be8aa61a0a0c535e46079148c3

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
45KB

MD5
9bfd85a96db10e4cd04d77b5ada2f1ed

SHA1
ba005d7ac0a0bb0aba24b1fd771b8aa88aa89ef7

SHA256
0352fd651368a94f9f82d24930769cb2f8b8a81f96b3ecad0f9b29d484c3f090

SHA512
f7addaff4eaffd39e4a9e44e40c5100928740f13c31c260723f65f989aa02113db162f80ec10100a236c5d085f3f249e413547be8aa61a0a0c535e46079148c3

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
45KB

MD5
6c563484a9c2f7d23bd568c73e527652

SHA1
4e16126c6ca6c2638cd86518482657c2945d0122

SHA256
0193a4447b8ca724b205ae17ae5ec98d1bbe8a566b26ab40b3c3f0bce4d5c8da

SHA512
880f6380743ece2e4bf2272a2bb6578553f6f821d5082e695b427e86c8611e6183eb6f0074f1138a536ad0f38cdb48805fa19b71b0d77288cfa4e60b65fd3ab5

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
45KB

MD5
6c563484a9c2f7d23bd568c73e527652

SHA1
4e16126c6ca6c2638cd86518482657c2945d0122

SHA256
0193a4447b8ca724b205ae17ae5ec98d1bbe8a566b26ab40b3c3f0bce4d5c8da

SHA512
880f6380743ece2e4bf2272a2bb6578553f6f821d5082e695b427e86c8611e6183eb6f0074f1138a536ad0f38cdb48805fa19b71b0d77288cfa4e60b65fd3ab5

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
45KB

MD5
6c563484a9c2f7d23bd568c73e527652

SHA1
4e16126c6ca6c2638cd86518482657c2945d0122

SHA256
0193a4447b8ca724b205ae17ae5ec98d1bbe8a566b26ab40b3c3f0bce4d5c8da

SHA512
880f6380743ece2e4bf2272a2bb6578553f6f821d5082e695b427e86c8611e6183eb6f0074f1138a536ad0f38cdb48805fa19b71b0d77288cfa4e60b65fd3ab5

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
45KB

MD5
5c20b1ba9739ae0690d3c15acc5275b0

SHA1
eeaa20e06da1ece0bc8658c2babad70ab2baba97

SHA256
d66c6d695dbec161002beba9e92c9319ff52ea83fe7fd9ef089a656d3cd61d7f

SHA512
b93537459e86ddf7a13512c95d616f7f4d2f7a78eb89cb5b3b97278363b2c96110cd6d6d14ef23bb40cfa40e517bac1904b5d9e478a0ee2dd268d525d37dea47

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
45KB

MD5
5c20b1ba9739ae0690d3c15acc5275b0

SHA1
eeaa20e06da1ece0bc8658c2babad70ab2baba97

SHA256
d66c6d695dbec161002beba9e92c9319ff52ea83fe7fd9ef089a656d3cd61d7f

SHA512
b93537459e86ddf7a13512c95d616f7f4d2f7a78eb89cb5b3b97278363b2c96110cd6d6d14ef23bb40cfa40e517bac1904b5d9e478a0ee2dd268d525d37dea47

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
45KB

MD5
8cc121435a99ba9f4b714e277f88d63d

SHA1
4561d8ee6d12ada4450fc13cb1b471c2176d5bf9

SHA256
8cb9877530894bc2850a8106440ba94d08c58f7cb642d4accb0f2832d7338d88

SHA512
45f2aa39c7647273774f2780f0f7b4c70885f7a6a98d802a0a397c0be10f341879b89f3815a5b74f813dfeb97426be78bb32301f63689f93efc6256e44cf765a

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
45KB

MD5
8cc121435a99ba9f4b714e277f88d63d

SHA1
4561d8ee6d12ada4450fc13cb1b471c2176d5bf9

SHA256
8cb9877530894bc2850a8106440ba94d08c58f7cb642d4accb0f2832d7338d88

SHA512
45f2aa39c7647273774f2780f0f7b4c70885f7a6a98d802a0a397c0be10f341879b89f3815a5b74f813dfeb97426be78bb32301f63689f93efc6256e44cf765a

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
45KB

MD5
53960aa545b82216ef18c180765f2361

SHA1
d9e14d12876bbf734c72b3f7be3a9fdfe4e6867e

SHA256
11144e257f8e187db5588a758eabd38bf3813027ecc8690a29734ba5e36c0d49

SHA512
2e9c66d311958c6f9cc275df6088d5e2ca0b061add6cbb7d56f97c4e1238350fe4f5bb79bb6c3a376b01180113cc9eed40f17715e1cd98828debc14eece1099a

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
45KB

MD5
53960aa545b82216ef18c180765f2361

SHA1
d9e14d12876bbf734c72b3f7be3a9fdfe4e6867e

SHA256
11144e257f8e187db5588a758eabd38bf3813027ecc8690a29734ba5e36c0d49

SHA512
2e9c66d311958c6f9cc275df6088d5e2ca0b061add6cbb7d56f97c4e1238350fe4f5bb79bb6c3a376b01180113cc9eed40f17715e1cd98828debc14eece1099a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
45KB

MD5
92eb65139803877c2f53cabbb48744dc

SHA1
6d95e0462b45ae4627ef698c0120c6dc41b4d64b

SHA256
a682323ff8d40a05e1e2a7d70a224491518a9fe3feef5db659a49228d7768195

SHA512
45ee218e491d29da2ea362882abce088cf3164314dabeb5bc17bb3623b2881b60e9a6b10cdeff85d1770b8290dba5b954c40ddbd608a0b48fa4bcc5e6085b77f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
45KB

MD5
92eb65139803877c2f53cabbb48744dc

SHA1
6d95e0462b45ae4627ef698c0120c6dc41b4d64b

SHA256
a682323ff8d40a05e1e2a7d70a224491518a9fe3feef5db659a49228d7768195

SHA512
45ee218e491d29da2ea362882abce088cf3164314dabeb5bc17bb3623b2881b60e9a6b10cdeff85d1770b8290dba5b954c40ddbd608a0b48fa4bcc5e6085b77f

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
45KB

MD5
a97545dfd2dafcc4ebc94d38b39881d8

SHA1
1d6b9cf3269a3b9d71a3fe2020214caf0bf0a31c

SHA256
2e2fcc62fbf357dd4f777503b21363fc41df97ffd2e324277410a9a742098377

SHA512
044346b28f0d2e6a76eae987e8a1832e336f7f98b041dd27e0201299ea83e6aafd2bea54ef0d00018d8dc0853daf4c205ff6ee3719500189049881919b70dec1

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
45KB

MD5
a97545dfd2dafcc4ebc94d38b39881d8

SHA1
1d6b9cf3269a3b9d71a3fe2020214caf0bf0a31c

SHA256
2e2fcc62fbf357dd4f777503b21363fc41df97ffd2e324277410a9a742098377

SHA512
044346b28f0d2e6a76eae987e8a1832e336f7f98b041dd27e0201299ea83e6aafd2bea54ef0d00018d8dc0853daf4c205ff6ee3719500189049881919b70dec1

Download Submit
memory/368-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/368-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/916-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/916-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/980-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/980-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-209-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads