fde64b745fe2196cc5b43cf34b5f25570919602c71dd6b847648e42a30f1e973

Analysis

max time kernel
136s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.24af1c3363f445e2934b02fad693f010.exe
Size

304KB
MD5

24af1c3363f445e2934b02fad693f010
SHA1

672445d3ec62bfd5588cc33e2862192672dbec4d
SHA256

fde64b745fe2196cc5b43cf34b5f25570919602c71dd6b847648e42a30f1e973
SHA512

3ee09381c6b8964e58e62f1f3d7da3ac2af26841decbd646e2127df9872bae9e846dbee17cbe40246ffd6c509f3f935010859271c000ce2d461970d9a4ce64f8
SSDEEP

3072:FkjID1Yqmytjapewejz+k5rD0LZSnulc0VP7SnHjg:WYOGjwEKIrD0Lu

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhgiim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kefiopki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojemig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koonge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koonge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noblkqca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhgiim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeapcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Binhnomg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.24af1c3363f445e2934b02fad693f010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jeapcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.24af1c3363f445e2934b02fad693f010.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Binhnomg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajohfcpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccdihbgg.exe

Executes dropped EXE 18 IoCs

pid	Process
2524	Jhgiim32.exe
4560	Jeapcq32.exe
1524	Kefiopki.exe
4748	Koonge32.exe
3344	Ljpaqmgb.exe
1148	Mhjhmhhd.exe
1580	Mpeiie32.exe
3492	Noblkqca.exe
1508	Njljch32.exe
3992	Ocihgnam.exe
4912	Ojemig32.exe
3756	Pfojdh32.exe
724	Pjaleemj.exe
2564	Ajohfcpj.exe
3380	Bmbnnn32.exe
2744	Binhnomg.exe
2336	Ccdihbgg.exe
2936	Diqnjl32.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bfmpaf32.dll	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Pgdhilkd.dll	Jhgiim32.exe
File created	C:\Windows\SysWOW64\Iankhggi.dll	Ljpaqmgb.exe
File opened for modification	C:\Windows\SysWOW64\Ljpaqmgb.exe	Koonge32.exe
File created	C:\Windows\SysWOW64\Bpemfc32.dll	Koonge32.exe
File created	C:\Windows\SysWOW64\Mhjhmhhd.exe	Ljpaqmgb.exe
File opened for modification	C:\Windows\SysWOW64\Ojemig32.exe	Ocihgnam.exe
File opened for modification	C:\Windows\SysWOW64\Ccdihbgg.exe	Binhnomg.exe
File opened for modification	C:\Windows\SysWOW64\Jhgiim32.exe	NEAS.24af1c3363f445e2934b02fad693f010.exe
File created	C:\Windows\SysWOW64\Kefiopki.exe	Jeapcq32.exe
File created	C:\Windows\SysWOW64\Gpeipb32.dll	Pjaleemj.exe
File created	C:\Windows\SysWOW64\Ipecicga.dll	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Jhgiim32.exe	NEAS.24af1c3363f445e2934b02fad693f010.exe
File opened for modification	C:\Windows\SysWOW64\Njljch32.exe	Noblkqca.exe
File created	C:\Windows\SysWOW64\Binhnomg.exe	Bmbnnn32.exe
File opened for modification	C:\Windows\SysWOW64\Ocihgnam.exe	Njljch32.exe
File created	C:\Windows\SysWOW64\Bmbnnn32.exe	Ajohfcpj.exe
File created	C:\Windows\SysWOW64\Fpgkbmbm.dll	Noblkqca.exe
File created	C:\Windows\SysWOW64\Ojemig32.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Pfojdh32.exe	Ojemig32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbnnn32.exe	Ajohfcpj.exe
File opened for modification	C:\Windows\SysWOW64\Koonge32.exe	Kefiopki.exe
File opened for modification	C:\Windows\SysWOW64\Mhjhmhhd.exe	Ljpaqmgb.exe
File opened for modification	C:\Windows\SysWOW64\Binhnomg.exe	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Ejhfdb32.dll	Jeapcq32.exe
File opened for modification	C:\Windows\SysWOW64\Mpeiie32.exe	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Ljpaqmgb.exe	Koonge32.exe
File created	C:\Windows\SysWOW64\Ccdihbgg.exe	Binhnomg.exe
File created	C:\Windows\SysWOW64\Dhlbgmif.dll	Pfojdh32.exe
File created	C:\Windows\SysWOW64\Ekjali32.dll	NEAS.24af1c3363f445e2934b02fad693f010.exe
File created	C:\Windows\SysWOW64\Koonge32.exe	Kefiopki.exe
File created	C:\Windows\SysWOW64\Balgcpkn.dll	Njljch32.exe
File created	C:\Windows\SysWOW64\Jeapcq32.exe	Jhgiim32.exe
File created	C:\Windows\SysWOW64\Jfmlqhcc.dll	Kefiopki.exe
File opened for modification	C:\Windows\SysWOW64\Pjaleemj.exe	Pfojdh32.exe
File created	C:\Windows\SysWOW64\Mpeiie32.exe	Mhjhmhhd.exe
File opened for modification	C:\Windows\SysWOW64\Pfojdh32.exe	Ojemig32.exe
File created	C:\Windows\SysWOW64\Ajohfcpj.exe	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Ccdihbgg.exe
File opened for modification	C:\Windows\SysWOW64\Noblkqca.exe	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Ghnllm32.dll	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Dfbjkg32.dll	Ajohfcpj.exe
File created	C:\Windows\SysWOW64\Efoope32.dll	Binhnomg.exe
File created	C:\Windows\SysWOW64\Kjmgil32.dll	Ojemig32.exe
File opened for modification	C:\Windows\SysWOW64\Ajohfcpj.exe	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Jeapcq32.exe	Jhgiim32.exe
File created	C:\Windows\SysWOW64\Dpifjj32.dll	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Pjaleemj.exe	Pfojdh32.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Ccdihbgg.exe
File opened for modification	C:\Windows\SysWOW64\Kefiopki.exe	Jeapcq32.exe
File created	C:\Windows\SysWOW64\Noblkqca.exe	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Njljch32.exe	Noblkqca.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Njljch32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2168	2936	WerFault.exe	106
4204	2936	WerFault.exe	106

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.24af1c3363f445e2934b02fad693f010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jhgiim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Noblkqca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhfdb32.dll"	Jeapcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmlqhcc.dll"	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnllm32.dll"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balgcpkn.dll"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgkbmbm.dll"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpemfc32.dll"	Koonge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipecicga.dll"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlbgmif.dll"	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Binhnomg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Koonge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmpaf32.dll"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmgil32.dll"	Ojemig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjali32.dll"	NEAS.24af1c3363f445e2934b02fad693f010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Koonge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifjj32.dll"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jeapcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.24af1c3363f445e2934b02fad693f010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankhggi.dll"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.24af1c3363f445e2934b02fad693f010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.24af1c3363f445e2934b02fad693f010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.24af1c3363f445e2934b02fad693f010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdhilkd.dll"	Jhgiim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhgiim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpeipb32.dll"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbjkg32.dll"	Ajohfcpj.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 2524	3356	NEAS.24af1c3363f445e2934b02fad693f010.exe	89
PID 3356 wrote to memory of 2524	3356	NEAS.24af1c3363f445e2934b02fad693f010.exe	89
PID 3356 wrote to memory of 2524	3356	NEAS.24af1c3363f445e2934b02fad693f010.exe	89
PID 2524 wrote to memory of 4560	2524	Jhgiim32.exe	90
PID 2524 wrote to memory of 4560	2524	Jhgiim32.exe	90
PID 2524 wrote to memory of 4560	2524	Jhgiim32.exe	90
PID 4560 wrote to memory of 1524	4560	Jeapcq32.exe	91
PID 4560 wrote to memory of 1524	4560	Jeapcq32.exe	91
PID 4560 wrote to memory of 1524	4560	Jeapcq32.exe	91
PID 1524 wrote to memory of 4748	1524	Kefiopki.exe	92
PID 1524 wrote to memory of 4748	1524	Kefiopki.exe	92
PID 1524 wrote to memory of 4748	1524	Kefiopki.exe	92
PID 4748 wrote to memory of 3344	4748	Koonge32.exe	93
PID 4748 wrote to memory of 3344	4748	Koonge32.exe	93
PID 4748 wrote to memory of 3344	4748	Koonge32.exe	93
PID 3344 wrote to memory of 1148	3344	Ljpaqmgb.exe	94
PID 3344 wrote to memory of 1148	3344	Ljpaqmgb.exe	94
PID 3344 wrote to memory of 1148	3344	Ljpaqmgb.exe	94
PID 1148 wrote to memory of 1580	1148	Mhjhmhhd.exe	95
PID 1148 wrote to memory of 1580	1148	Mhjhmhhd.exe	95
PID 1148 wrote to memory of 1580	1148	Mhjhmhhd.exe	95
PID 1580 wrote to memory of 3492	1580	Mpeiie32.exe	96
PID 1580 wrote to memory of 3492	1580	Mpeiie32.exe	96
PID 1580 wrote to memory of 3492	1580	Mpeiie32.exe	96
PID 3492 wrote to memory of 1508	3492	Noblkqca.exe	97
PID 3492 wrote to memory of 1508	3492	Noblkqca.exe	97
PID 3492 wrote to memory of 1508	3492	Noblkqca.exe	97
PID 1508 wrote to memory of 3992	1508	Njljch32.exe	98
PID 1508 wrote to memory of 3992	1508	Njljch32.exe	98
PID 1508 wrote to memory of 3992	1508	Njljch32.exe	98
PID 3992 wrote to memory of 4912	3992	Ocihgnam.exe	99
PID 3992 wrote to memory of 4912	3992	Ocihgnam.exe	99
PID 3992 wrote to memory of 4912	3992	Ocihgnam.exe	99
PID 4912 wrote to memory of 3756	4912	Ojemig32.exe	100
PID 4912 wrote to memory of 3756	4912	Ojemig32.exe	100
PID 4912 wrote to memory of 3756	4912	Ojemig32.exe	100
PID 3756 wrote to memory of 724	3756	Pfojdh32.exe	101
PID 3756 wrote to memory of 724	3756	Pfojdh32.exe	101
PID 3756 wrote to memory of 724	3756	Pfojdh32.exe	101
PID 724 wrote to memory of 2564	724	Pjaleemj.exe	102
PID 724 wrote to memory of 2564	724	Pjaleemj.exe	102
PID 724 wrote to memory of 2564	724	Pjaleemj.exe	102
PID 2564 wrote to memory of 3380	2564	Ajohfcpj.exe	103
PID 2564 wrote to memory of 3380	2564	Ajohfcpj.exe	103
PID 2564 wrote to memory of 3380	2564	Ajohfcpj.exe	103
PID 3380 wrote to memory of 2744	3380	Bmbnnn32.exe	104
PID 3380 wrote to memory of 2744	3380	Bmbnnn32.exe	104
PID 3380 wrote to memory of 2744	3380	Bmbnnn32.exe	104
PID 2744 wrote to memory of 2336	2744	Binhnomg.exe	105
PID 2744 wrote to memory of 2336	2744	Binhnomg.exe	105
PID 2744 wrote to memory of 2336	2744	Binhnomg.exe	105
PID 2336 wrote to memory of 2936	2336	Ccdihbgg.exe	106
PID 2336 wrote to memory of 2936	2336	Ccdihbgg.exe	106
PID 2336 wrote to memory of 2936	2336	Ccdihbgg.exe	106
PID 2936 wrote to memory of 2168	2936	Diqnjl32.exe	110
PID 2936 wrote to memory of 2168	2936	Diqnjl32.exe	110
PID 2936 wrote to memory of 2168	2936	Diqnjl32.exe	110

C:\Users\Admin\AppData\Local\Temp\NEAS.24af1c3363f445e2934b02fad693f010.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.24af1c3363f445e2934b02fad693f010.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\SysWOW64\Jhgiim32.exe
  C:\Windows\system32\Jhgiim32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\Jeapcq32.exe
    C:\Windows\system32\Jeapcq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\Kefiopki.exe
      C:\Windows\system32\Kefiopki.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
      - C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 412
        20⤵
        Program crash
        
        PID:2168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 412
        20⤵
        Program crash
        
        PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2936 -ip 2936
1⤵
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajohfcpj.exe

Filesize
304KB

MD5
7a30f42161669e93c3cac925a04edbbc

SHA1
08035e971960a6e70d6ae5270c4dc580678cc860

SHA256
f6fa35f2a014f6e39b4571bc3112eb87925ff88e8d653959d288cd7958d516b0

SHA512
1a5d0673147ceed7bab4f5fa426db0f1309b8f4b004f1ebbbd4f4384a5fbcb452ea163208e12798cd59c4c6ec41ebd1cbbb9ea368be57cf80b92ed63f9bf57f9

Download Submit
C:\Windows\SysWOW64\Ajohfcpj.exe

Filesize
304KB

MD5
7a30f42161669e93c3cac925a04edbbc

SHA1
08035e971960a6e70d6ae5270c4dc580678cc860

SHA256
f6fa35f2a014f6e39b4571bc3112eb87925ff88e8d653959d288cd7958d516b0

SHA512
1a5d0673147ceed7bab4f5fa426db0f1309b8f4b004f1ebbbd4f4384a5fbcb452ea163208e12798cd59c4c6ec41ebd1cbbb9ea368be57cf80b92ed63f9bf57f9

Download Submit
C:\Windows\SysWOW64\Binhnomg.exe

Filesize
304KB

MD5
3b5978ea2fa9409b5950f51f8373211d

SHA1
3beaf520816073f5007afe8c1c35d1905a0e2bbd

SHA256
b4db7d4f9df25816970add87cfaf8cf2d5f4beebbc4ff0aeb3c2153783097b54

SHA512
ea6f5afeeec61d6affd73d710b5e8acb21abb2ec69f6e394edff545248d1298154eb8d667d3838ae997416f0d7eca3b50e95016d4e67b6d831f7e0757575b522

Download Submit
C:\Windows\SysWOW64\Binhnomg.exe

Filesize
304KB

MD5
3b5978ea2fa9409b5950f51f8373211d

SHA1
3beaf520816073f5007afe8c1c35d1905a0e2bbd

SHA256
b4db7d4f9df25816970add87cfaf8cf2d5f4beebbc4ff0aeb3c2153783097b54

SHA512
ea6f5afeeec61d6affd73d710b5e8acb21abb2ec69f6e394edff545248d1298154eb8d667d3838ae997416f0d7eca3b50e95016d4e67b6d831f7e0757575b522

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
304KB

MD5
7a30f42161669e93c3cac925a04edbbc

SHA1
08035e971960a6e70d6ae5270c4dc580678cc860

SHA256
f6fa35f2a014f6e39b4571bc3112eb87925ff88e8d653959d288cd7958d516b0

SHA512
1a5d0673147ceed7bab4f5fa426db0f1309b8f4b004f1ebbbd4f4384a5fbcb452ea163208e12798cd59c4c6ec41ebd1cbbb9ea368be57cf80b92ed63f9bf57f9

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
304KB

MD5
61b99f43c799c36f67793c66892cacc3

SHA1
a229892ae506c085a6649d116e7a1d839f1a33a2

SHA256
4eb3275e2d89339a1033a4edf8b6f2260d6666206c83c36b8d43d413fe42546a

SHA512
ec304d55d489d1a8a567b733f096f728fa9e461c3b0bdb7b73dd83425a988371bbaeea53903d9e8725b7fbe48579825709ffd3b178d710700c7d8564e4196421

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
304KB

MD5
61b99f43c799c36f67793c66892cacc3

SHA1
a229892ae506c085a6649d116e7a1d839f1a33a2

SHA256
4eb3275e2d89339a1033a4edf8b6f2260d6666206c83c36b8d43d413fe42546a

SHA512
ec304d55d489d1a8a567b733f096f728fa9e461c3b0bdb7b73dd83425a988371bbaeea53903d9e8725b7fbe48579825709ffd3b178d710700c7d8564e4196421

Download Submit
C:\Windows\SysWOW64\Bpemfc32.dll

Filesize
7KB

MD5
b3bf72243bb179faa414b5766873d847

SHA1
19a4b2fdd3fc6543c8d3c9672aaa0014697bd64e

SHA256
41ae188e250215040136e45941c1f77e687d8bba2265377447fc058590281eaf

SHA512
f8ec3118599287957bc476769aad15dc9f4c9ac6f019b9f6aca7dc4ce8c1d160b2b4f5e08e14a2546aa4cb9f37f867299a991346ba336e5f394587fd2425e396

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
304KB

MD5
3b5978ea2fa9409b5950f51f8373211d

SHA1
3beaf520816073f5007afe8c1c35d1905a0e2bbd

SHA256
b4db7d4f9df25816970add87cfaf8cf2d5f4beebbc4ff0aeb3c2153783097b54

SHA512
ea6f5afeeec61d6affd73d710b5e8acb21abb2ec69f6e394edff545248d1298154eb8d667d3838ae997416f0d7eca3b50e95016d4e67b6d831f7e0757575b522

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
304KB

MD5
ba2862f9f7f9872bdf3b0b1a8632965e

SHA1
376f55829c5c9c89221a5057fd00ff1ee2a31c21

SHA256
22ab7471818faced700639f23632499fd24a5e24f6b657c54afbbd2f7cc0774a

SHA512
edb2cffc47ae289f9154ac550cac24d249018a7e0ecbc95fc9621dc91cc4954d9e0eace455ede04c98ce205804c02a9166d4b7d53e0e5af7fb8eaefe0ae2d722

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
304KB

MD5
ba2862f9f7f9872bdf3b0b1a8632965e

SHA1
376f55829c5c9c89221a5057fd00ff1ee2a31c21

SHA256
22ab7471818faced700639f23632499fd24a5e24f6b657c54afbbd2f7cc0774a

SHA512
edb2cffc47ae289f9154ac550cac24d249018a7e0ecbc95fc9621dc91cc4954d9e0eace455ede04c98ce205804c02a9166d4b7d53e0e5af7fb8eaefe0ae2d722

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
304KB

MD5
d03b8b508efa4d94fd02f81189252eea

SHA1
1b95cfa77c0bb94afa997a143c97fee01ba084da

SHA256
dbbf7ed03746c53bcc5f582eb980ee568abbec4c7b4d0c9083cfc13264508410

SHA512
32c3330912c20bccdaf55f4b6e9d843229692a16d3ef3f7379f645657734977b22320dfcaff51d33f542a29a2cc1961c51998397e257d0d81bf395abf711e07d

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
304KB

MD5
d03b8b508efa4d94fd02f81189252eea

SHA1
1b95cfa77c0bb94afa997a143c97fee01ba084da

SHA256
dbbf7ed03746c53bcc5f582eb980ee568abbec4c7b4d0c9083cfc13264508410

SHA512
32c3330912c20bccdaf55f4b6e9d843229692a16d3ef3f7379f645657734977b22320dfcaff51d33f542a29a2cc1961c51998397e257d0d81bf395abf711e07d

Download Submit
C:\Windows\SysWOW64\Jeapcq32.exe

Filesize
304KB

MD5
b4681057885870c8092762d6fa90947a

SHA1
0c1560f14b4c1016a485ef0d8dc33dce095f002f

SHA256
9980c90f4c0cf7fbc71f725f2095dffab7fe036c6c0c2a4cc6bb1f53aec8a2f0

SHA512
3b0e52d939dbebf340a312c45649a7328b6a83e1d2a20d7428390350d1b3999bcb69d602ad6dc9e51b8c005c52c0f9e79c9d16c180528d153b0aceefb0842739

Download Submit
C:\Windows\SysWOW64\Jeapcq32.exe

Filesize
304KB

MD5
b4681057885870c8092762d6fa90947a

SHA1
0c1560f14b4c1016a485ef0d8dc33dce095f002f

SHA256
9980c90f4c0cf7fbc71f725f2095dffab7fe036c6c0c2a4cc6bb1f53aec8a2f0

SHA512
3b0e52d939dbebf340a312c45649a7328b6a83e1d2a20d7428390350d1b3999bcb69d602ad6dc9e51b8c005c52c0f9e79c9d16c180528d153b0aceefb0842739

Download Submit
C:\Windows\SysWOW64\Jhgiim32.exe

Filesize
304KB

MD5
31e8bc4774668b0c0111966e2dd78e30

SHA1
244d168e8225759fcb62b9a6d435a8b80e5ef604

SHA256
2154732121f992c3f61e8f475c56b5cd9fca70a491bb0df62b72082720e50d5e

SHA512
aa9ec4ee5ca0458dd619c37b96b92b4d3900e8f05c8675225305237ac02f808b9ed2d7fec68b7c7a2c494f09c1e966e6f1d8d17a8f0919d5ea60d4576b76c71b

Download Submit
C:\Windows\SysWOW64\Jhgiim32.exe

Filesize
304KB

MD5
31e8bc4774668b0c0111966e2dd78e30

SHA1
244d168e8225759fcb62b9a6d435a8b80e5ef604

SHA256
2154732121f992c3f61e8f475c56b5cd9fca70a491bb0df62b72082720e50d5e

SHA512
aa9ec4ee5ca0458dd619c37b96b92b4d3900e8f05c8675225305237ac02f808b9ed2d7fec68b7c7a2c494f09c1e966e6f1d8d17a8f0919d5ea60d4576b76c71b

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
304KB

MD5
ce291eb231a5775c8de5c68167527111

SHA1
ac36def287bbfd139eaff7d6c2a4abf76987a8a0

SHA256
f4fa85b07c395fd8319433adbddef8d40e5b85bf4d58c308cebfcf28de000061

SHA512
cea7252d393de1d46e9f6b6fd5540f9122b65468e086b785b43301382f139382740a60408e5cda02fff1c25752404e215b3fd91bbe2731ee42fb2532126c87e0

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
304KB

MD5
ce291eb231a5775c8de5c68167527111

SHA1
ac36def287bbfd139eaff7d6c2a4abf76987a8a0

SHA256
f4fa85b07c395fd8319433adbddef8d40e5b85bf4d58c308cebfcf28de000061

SHA512
cea7252d393de1d46e9f6b6fd5540f9122b65468e086b785b43301382f139382740a60408e5cda02fff1c25752404e215b3fd91bbe2731ee42fb2532126c87e0

Download Submit
C:\Windows\SysWOW64\Koonge32.exe

Filesize
304KB

MD5
ce291eb231a5775c8de5c68167527111

SHA1
ac36def287bbfd139eaff7d6c2a4abf76987a8a0

SHA256
f4fa85b07c395fd8319433adbddef8d40e5b85bf4d58c308cebfcf28de000061

SHA512
cea7252d393de1d46e9f6b6fd5540f9122b65468e086b785b43301382f139382740a60408e5cda02fff1c25752404e215b3fd91bbe2731ee42fb2532126c87e0

Download Submit
C:\Windows\SysWOW64\Koonge32.exe

Filesize
304KB

MD5
e9eacc4d3686b7ad78b97013cbafe141

SHA1
3218a97866341b4e3a4187f2b3b861ca570fa63b

SHA256
8e18e085ebe15bc0860c0aadc9b65496be0fc65676d53203681f4f6cf1287f62

SHA512
6fbbcee9af5772db61ed3526d8be7b937ebc8185bc1a6bda8eb758e4806c26cc6bafb803def7412bca4251e838c71417dc7f4413961fe96375dba9bf7670fc93

Download Submit
C:\Windows\SysWOW64\Koonge32.exe

Filesize
304KB

MD5
e9eacc4d3686b7ad78b97013cbafe141

SHA1
3218a97866341b4e3a4187f2b3b861ca570fa63b

SHA256
8e18e085ebe15bc0860c0aadc9b65496be0fc65676d53203681f4f6cf1287f62

SHA512
6fbbcee9af5772db61ed3526d8be7b937ebc8185bc1a6bda8eb758e4806c26cc6bafb803def7412bca4251e838c71417dc7f4413961fe96375dba9bf7670fc93

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
304KB

MD5
6593afcb5462de97d8f3b81717cfd203

SHA1
9a1d9e550c64a23d2d0354cf801bb87dfbe48534

SHA256
7fc30ae1ca6b62f4855fcff06dfea80ae1f24ed71f348fdb643ea888e2ee6e6b

SHA512
b59f08649c1145e50b9e4406f35f3d0954e096f1352380360e02687a053e556929b85ccc0f238d090149973d938cb7cbb67df77692fe2b1f29629618676f8979

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
304KB

MD5
6593afcb5462de97d8f3b81717cfd203

SHA1
9a1d9e550c64a23d2d0354cf801bb87dfbe48534

SHA256
7fc30ae1ca6b62f4855fcff06dfea80ae1f24ed71f348fdb643ea888e2ee6e6b

SHA512
b59f08649c1145e50b9e4406f35f3d0954e096f1352380360e02687a053e556929b85ccc0f238d090149973d938cb7cbb67df77692fe2b1f29629618676f8979

Download Submit
C:\Windows\SysWOW64\Mhjhmhhd.exe

Filesize
304KB

MD5
41ba9393b072a53665e508499aeae59f

SHA1
ca57ca473007ea3b25fc19df0f9097a8e2f7872b

SHA256
166ba099db02b6df3f24c19c7312804636196e24092003722fa2783202b6cbe1

SHA512
e6e35963299ac255df27b60647a8a8826895a0482652d572c0e6426766666a6543630e076d24f56cfa8b65437bcdd898a80b13f47738e1e045598260798d7a7b

Download Submit
C:\Windows\SysWOW64\Mhjhmhhd.exe

Filesize
304KB

MD5
41ba9393b072a53665e508499aeae59f

SHA1
ca57ca473007ea3b25fc19df0f9097a8e2f7872b

SHA256
166ba099db02b6df3f24c19c7312804636196e24092003722fa2783202b6cbe1

SHA512
e6e35963299ac255df27b60647a8a8826895a0482652d572c0e6426766666a6543630e076d24f56cfa8b65437bcdd898a80b13f47738e1e045598260798d7a7b

Download Submit
C:\Windows\SysWOW64\Mpeiie32.exe

Filesize
304KB

MD5
ea4cbf5030a40ad198ddc2807bf7003f

SHA1
3d0bb169d278b44af4cd814ee379c77442f9f243

SHA256
89c6bef18c1da9385717693b04e2a09086127bd77fd3cb6d5e59c52baf525d38

SHA512
6d6ba638a5874b6f72d9491d83e5e27831ba0fe474dbb060cc1ed186675828e49b17c9ce45e8dc16a98eb73024d6030d0fd439348853d3b66ab032bb27b444b0

Download Submit
C:\Windows\SysWOW64\Mpeiie32.exe

Filesize
304KB

MD5
ea4cbf5030a40ad198ddc2807bf7003f

SHA1
3d0bb169d278b44af4cd814ee379c77442f9f243

SHA256
89c6bef18c1da9385717693b04e2a09086127bd77fd3cb6d5e59c52baf525d38

SHA512
6d6ba638a5874b6f72d9491d83e5e27831ba0fe474dbb060cc1ed186675828e49b17c9ce45e8dc16a98eb73024d6030d0fd439348853d3b66ab032bb27b444b0

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
304KB

MD5
5da97c4134d3967fb65d38d79648d1d0

SHA1
2bd73d9dcc64d06a8815f65fb931e161a9f3e7a7

SHA256
ae7e3846ebd76296b9ea22885d01d965413d9166068c62e1dab5f34a6dabaad0

SHA512
ea30adb2b71af7f73390aeaad60150102894086476c27b82ceff892d88393d9fca0a92e3063c0126b6742760ed919ce1d4890e7aa0f76df0f86ed2c9738692ea

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
304KB

MD5
80a82dfaa4eed94919b209548d7c9181

SHA1
b912414f55881d6250b158c2cb69ef2b1ce6f696

SHA256
c54a7c04e2e4326b9473b678274a75468066c28a5c09cd2d2958a94d470a6f97

SHA512
6493923ae89d40b3c85064ee615659a128dc3fcf60a5759b810852f5cb33e8f5efcc35023677d8412c041fba94bccd0882dd81002923eaa093e59303c56e8a9a

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
304KB

MD5
80a82dfaa4eed94919b209548d7c9181

SHA1
b912414f55881d6250b158c2cb69ef2b1ce6f696

SHA256
c54a7c04e2e4326b9473b678274a75468066c28a5c09cd2d2958a94d470a6f97

SHA512
6493923ae89d40b3c85064ee615659a128dc3fcf60a5759b810852f5cb33e8f5efcc35023677d8412c041fba94bccd0882dd81002923eaa093e59303c56e8a9a

Download Submit
C:\Windows\SysWOW64\Noblkqca.exe

Filesize
304KB

MD5
dc39ea23660e201ce1b1ba6352729b0a

SHA1
cb969777afc8b17545ee9a597e342e1bb983e0fd

SHA256
7b0e8acf289f95d3b820e3146c6eb48c26c0b5d219f57e0915f19be947a7903a

SHA512
1d94fac44380d073a3a83093e72e20afebb206d7f0ef338fa9ea3114edd300ddfa9f2cf3f82b543a00cae4dcdc8b4a2da2621e688ec1cdfbccb06e2798432fe3

Download Submit
C:\Windows\SysWOW64\Noblkqca.exe

Filesize
304KB

MD5
dc39ea23660e201ce1b1ba6352729b0a

SHA1
cb969777afc8b17545ee9a597e342e1bb983e0fd

SHA256
7b0e8acf289f95d3b820e3146c6eb48c26c0b5d219f57e0915f19be947a7903a

SHA512
1d94fac44380d073a3a83093e72e20afebb206d7f0ef338fa9ea3114edd300ddfa9f2cf3f82b543a00cae4dcdc8b4a2da2621e688ec1cdfbccb06e2798432fe3

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
304KB

MD5
cdec9ae4a6d3bc460d34dd791abe63a5

SHA1
a0d5c8304e2e77cff91b203658d2a4f6729305c6

SHA256
273834320987e274479a803121a57406fb7d771593514ffeab6ec3c160b049bd

SHA512
ec05339a1746e5d86f5dcbc7b2aac70e4e07251b45b337a0bd9a66b4edb4d701c2126ee4e3b6fa491281c59443911491a80c833aba7deb81c7e56c552550c48c

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
304KB

MD5
cdec9ae4a6d3bc460d34dd791abe63a5

SHA1
a0d5c8304e2e77cff91b203658d2a4f6729305c6

SHA256
273834320987e274479a803121a57406fb7d771593514ffeab6ec3c160b049bd

SHA512
ec05339a1746e5d86f5dcbc7b2aac70e4e07251b45b337a0bd9a66b4edb4d701c2126ee4e3b6fa491281c59443911491a80c833aba7deb81c7e56c552550c48c

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
304KB

MD5
a398d696fb7c601f8648057b5920badc

SHA1
538592a00a524b88bcbc7b7330d8a89e01cbf4bc

SHA256
c30b8c742af58cdbfa6f5d3ae35e4aa638c4c2752c488c4901f7a3392e811e95

SHA512
da037f8762d144191d5f5ff85c8cc35fead70c35919c6cd60f8683afcaf8a69744b43378c7c0425719eb019eefb40ae7cbf472a6a7de7e79bb66d196384d39fe

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
304KB

MD5
a398d696fb7c601f8648057b5920badc

SHA1
538592a00a524b88bcbc7b7330d8a89e01cbf4bc

SHA256
c30b8c742af58cdbfa6f5d3ae35e4aa638c4c2752c488c4901f7a3392e811e95

SHA512
da037f8762d144191d5f5ff85c8cc35fead70c35919c6cd60f8683afcaf8a69744b43378c7c0425719eb019eefb40ae7cbf472a6a7de7e79bb66d196384d39fe

Download Submit
C:\Windows\SysWOW64\Pfojdh32.exe

Filesize
304KB

MD5
f0f24a1c6ec978916be7abf6d6a90276

SHA1
1d9599d4b6405f901b8a3856e221577d46fc06eb

SHA256
e73c7f30fe112c5c33ee96d6659bac3f1f02739efdf87a0f29d24da32164dac6

SHA512
b262779133fb380b0a022e2eb8d9d8f9de2a65f960f69c4b35fc429ec877083194372d6b2419119dbef37afdeb39ea5271843c3126b6e53a3ddd96536c8eee14

Download Submit
C:\Windows\SysWOW64\Pfojdh32.exe

Filesize
304KB

MD5
f0f24a1c6ec978916be7abf6d6a90276

SHA1
1d9599d4b6405f901b8a3856e221577d46fc06eb

SHA256
e73c7f30fe112c5c33ee96d6659bac3f1f02739efdf87a0f29d24da32164dac6

SHA512
b262779133fb380b0a022e2eb8d9d8f9de2a65f960f69c4b35fc429ec877083194372d6b2419119dbef37afdeb39ea5271843c3126b6e53a3ddd96536c8eee14

Download Submit
C:\Windows\SysWOW64\Pjaleemj.exe

Filesize
304KB

MD5
9a591c93f39addb499f83d06b7d9c708

SHA1
b495e9db7ae3cb045faa5937d5afaf247ace730b

SHA256
db77c4f26f667819c6affd27d95ec84739762d11c15a648e5f1eccc8e0374090

SHA512
c963ac12b12c722407c1cb12fa7f876af245f16ec57761cc83f3fa9bdd41ca978f0f904d5b87a386ad681513197b778f3649a5477c17e01d84122b212234d007

Download Submit
C:\Windows\SysWOW64\Pjaleemj.exe

Filesize
304KB

MD5
9a591c93f39addb499f83d06b7d9c708

SHA1
b495e9db7ae3cb045faa5937d5afaf247ace730b

SHA256
db77c4f26f667819c6affd27d95ec84739762d11c15a648e5f1eccc8e0374090

SHA512
c963ac12b12c722407c1cb12fa7f876af245f16ec57761cc83f3fa9bdd41ca978f0f904d5b87a386ad681513197b778f3649a5477c17e01d84122b212234d007

Download Submit
memory/724-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads