ef60622aac10c425250ecf7fed64241e4cfefae563d8e72f09eacb29463902bb

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe
Size

237KB
MD5

f3b8c0a2cb9f5596ea859cff00d77bc0
SHA1

f66fecd362f8ab00029e12bcc8ac22f9e984b855
SHA256

ef60622aac10c425250ecf7fed64241e4cfefae563d8e72f09eacb29463902bb
SHA512

fdf7697756cedcd607286a53d3b5b73ad00cf8f77e8fd5674956609ce33a2d08c9b0d248789f2b04dcea5f130819f39d857a1bbd754aa6f34c95fa5741b4c1c0
SSDEEP

6144:VIffNbXX+JJjxobikQ76QwlkwsDkOlti7wnN:affNbXd46QwqDtlr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phjenbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpikkge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qljjjqlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfillg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phjenbhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpikkge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbkgfej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcbfakec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppjgoaoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppjgoaoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilfennic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbkgfej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookjdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ookjdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfillg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcbfakec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qljjjqlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcebe32.exe

Executes dropped EXE 25 IoCs

pid	Process
2848	Ookjdn32.exe
3476	Ppjgoaoj.exe
1644	Pjbkgfej.exe
4704	Pfillg32.exe
208	Phjenbhp.exe
3920	Pcpikkge.exe
2816	Qcbfakec.exe
4240	Qljjjqlc.exe
5048	Mmfkhmdi.exe
424	Ppjbmc32.exe
4400	Ilfennic.exe
1160	Babcil32.exe
1580	Bmidnm32.exe
1256	Bdcmkgmm.exe
2576	Bkmeha32.exe
3800	Bagmdllg.exe
3232	Bgdemb32.exe
5060	Cajjjk32.exe
3948	Cbkfbcpb.exe
4268	Cigkdmel.exe
1112	Cmgqpkip.exe
2740	Cpfmlghd.exe
2404	Dkkaiphj.exe
1084	Ddcebe32.exe
4520	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmgqpkip.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Pjbkgfej.exe	Ppjgoaoj.exe
File created	C:\Windows\SysWOW64\Gbomgcch.dll	Pcpikkge.exe
File created	C:\Windows\SysWOW64\Bkmeha32.exe	Bdcmkgmm.exe
File opened for modification	C:\Windows\SysWOW64\Bkmeha32.exe	Bdcmkgmm.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Gfchag32.dll	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Cpfmlghd.exe	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Aammfkln.dll	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Gpccpg32.dll	Ppjgoaoj.exe
File created	C:\Windows\SysWOW64\Babcil32.exe	Ilfennic.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Ddcebe32.exe
File opened for modification	C:\Windows\SysWOW64\Ilfennic.exe	Ppjbmc32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Lljoca32.dll	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Cijnin32.dll	Ookjdn32.exe
File created	C:\Windows\SysWOW64\Mmfkhmdi.exe	Qljjjqlc.exe
File created	C:\Windows\SysWOW64\Adfdmepn.dll	Phjenbhp.exe
File opened for modification	C:\Windows\SysWOW64\Pfillg32.exe	Pjbkgfej.exe
File opened for modification	C:\Windows\SysWOW64\Phjenbhp.exe	Pfillg32.exe
File created	C:\Windows\SysWOW64\Jponoqjl.dll	Mmfkhmdi.exe
File opened for modification	C:\Windows\SysWOW64\Cajjjk32.exe	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Pknjieep.dll	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Cmgqpkip.exe	Cigkdmel.exe
File opened for modification	C:\Windows\SysWOW64\Qcbfakec.exe	Pcpikkge.exe
File created	C:\Windows\SysWOW64\Qljjjqlc.exe	Qcbfakec.exe
File opened for modification	C:\Windows\SysWOW64\Ddcebe32.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Pcpikkge.exe	Phjenbhp.exe
File created	C:\Windows\SysWOW64\Ejnnldhi.dll	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Bdcmkgmm.exe	Bmidnm32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcmkgmm.exe	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Ppjgoaoj.exe	Ookjdn32.exe
File created	C:\Windows\SysWOW64\Keoaokpd.dll	Ppjbmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ppjbmc32.exe	Mmfkhmdi.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Ppjbmc32.exe	Mmfkhmdi.exe
File opened for modification	C:\Windows\SysWOW64\Babcil32.exe	Ilfennic.exe
File created	C:\Windows\SysWOW64\Ilfennic.exe	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Bmidnm32.exe	Babcil32.exe
File created	C:\Windows\SysWOW64\Ifncdb32.dll	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Pfillg32.exe	Pjbkgfej.exe
File opened for modification	C:\Windows\SysWOW64\Mmfkhmdi.exe	Qljjjqlc.exe
File created	C:\Windows\SysWOW64\Lpphjbnh.dll	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Ddcebe32.exe
File opened for modification	C:\Windows\SysWOW64\Pjbkgfej.exe	Ppjgoaoj.exe
File created	C:\Windows\SysWOW64\Ifcmmg32.dll	Babcil32.exe
File created	C:\Windows\SysWOW64\Iicfkknk.dll	Pfillg32.exe
File created	C:\Windows\SysWOW64\Pcpikkge.exe	Phjenbhp.exe
File created	C:\Windows\SysWOW64\Mkddhfnh.dll	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmlghd.exe	Cmgqpkip.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Ookjdn32.exe	NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe
File opened for modification	C:\Windows\SysWOW64\Ookjdn32.exe	NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe
File created	C:\Windows\SysWOW64\Pbehoafp.dll	Qcbfakec.exe
File created	C:\Windows\SysWOW64\Fcanfh32.dll	Ilfennic.exe
File created	C:\Windows\SysWOW64\Bgdemb32.exe	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Cigkdmel.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Qcbfakec.exe	Pcpikkge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
216	4520	WerFault.exe	115

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpikkge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbomgcch.dll"	Pcpikkge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbehoafp.dll"	Qcbfakec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmg32.dll"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppjgoaoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfillg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qljjjqlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcanfh32.dll"	Ilfennic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iicfkknk.dll"	Pfillg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jencdebl.dll"	Qljjjqlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opakdijo.dll"	NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpccpg32.dll"	Ppjgoaoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcbfakec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ookjdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcbfakec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qljjjqlc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcpikkge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpphjbnh.dll"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifncdb32.dll"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ookjdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfillg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khokadah.dll"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoaokpd.dll"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll"	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilfennic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmlghd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 2848	3508	NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe	86
PID 3508 wrote to memory of 2848	3508	NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe	86
PID 3508 wrote to memory of 2848	3508	NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe	86
PID 2848 wrote to memory of 3476	2848	Ookjdn32.exe	87
PID 2848 wrote to memory of 3476	2848	Ookjdn32.exe	87
PID 2848 wrote to memory of 3476	2848	Ookjdn32.exe	87
PID 3476 wrote to memory of 1644	3476	Ppjgoaoj.exe	88
PID 3476 wrote to memory of 1644	3476	Ppjgoaoj.exe	88
PID 3476 wrote to memory of 1644	3476	Ppjgoaoj.exe	88
PID 1644 wrote to memory of 4704	1644	Pjbkgfej.exe	89
PID 1644 wrote to memory of 4704	1644	Pjbkgfej.exe	89
PID 1644 wrote to memory of 4704	1644	Pjbkgfej.exe	89
PID 4704 wrote to memory of 208	4704	Pfillg32.exe	90
PID 4704 wrote to memory of 208	4704	Pfillg32.exe	90
PID 4704 wrote to memory of 208	4704	Pfillg32.exe	90
PID 208 wrote to memory of 3920	208	Phjenbhp.exe	91
PID 208 wrote to memory of 3920	208	Phjenbhp.exe	91
PID 208 wrote to memory of 3920	208	Phjenbhp.exe	91
PID 3920 wrote to memory of 2816	3920	Pcpikkge.exe	92
PID 3920 wrote to memory of 2816	3920	Pcpikkge.exe	92
PID 3920 wrote to memory of 2816	3920	Pcpikkge.exe	92
PID 2816 wrote to memory of 4240	2816	Qcbfakec.exe	94
PID 2816 wrote to memory of 4240	2816	Qcbfakec.exe	94
PID 2816 wrote to memory of 4240	2816	Qcbfakec.exe	94
PID 4240 wrote to memory of 5048	4240	Qljjjqlc.exe	96
PID 4240 wrote to memory of 5048	4240	Qljjjqlc.exe	96
PID 4240 wrote to memory of 5048	4240	Qljjjqlc.exe	96
PID 5048 wrote to memory of 424	5048	Mmfkhmdi.exe	98
PID 5048 wrote to memory of 424	5048	Mmfkhmdi.exe	98
PID 5048 wrote to memory of 424	5048	Mmfkhmdi.exe	98
PID 424 wrote to memory of 4400	424	Ppjbmc32.exe	100
PID 424 wrote to memory of 4400	424	Ppjbmc32.exe	100
PID 424 wrote to memory of 4400	424	Ppjbmc32.exe	100
PID 4400 wrote to memory of 1160	4400	Ilfennic.exe	101
PID 4400 wrote to memory of 1160	4400	Ilfennic.exe	101
PID 4400 wrote to memory of 1160	4400	Ilfennic.exe	101
PID 1160 wrote to memory of 1580	1160	Babcil32.exe	102
PID 1160 wrote to memory of 1580	1160	Babcil32.exe	102
PID 1160 wrote to memory of 1580	1160	Babcil32.exe	102
PID 1580 wrote to memory of 1256	1580	Bmidnm32.exe	103
PID 1580 wrote to memory of 1256	1580	Bmidnm32.exe	103
PID 1580 wrote to memory of 1256	1580	Bmidnm32.exe	103
PID 1256 wrote to memory of 2576	1256	Bdcmkgmm.exe	104
PID 1256 wrote to memory of 2576	1256	Bdcmkgmm.exe	104
PID 1256 wrote to memory of 2576	1256	Bdcmkgmm.exe	104
PID 2576 wrote to memory of 3800	2576	Bkmeha32.exe	105
PID 2576 wrote to memory of 3800	2576	Bkmeha32.exe	105
PID 2576 wrote to memory of 3800	2576	Bkmeha32.exe	105
PID 3800 wrote to memory of 3232	3800	Bagmdllg.exe	106
PID 3800 wrote to memory of 3232	3800	Bagmdllg.exe	106
PID 3800 wrote to memory of 3232	3800	Bagmdllg.exe	106
PID 3232 wrote to memory of 5060	3232	Bgdemb32.exe	107
PID 3232 wrote to memory of 5060	3232	Bgdemb32.exe	107
PID 3232 wrote to memory of 5060	3232	Bgdemb32.exe	107
PID 5060 wrote to memory of 3948	5060	Cajjjk32.exe	108
PID 5060 wrote to memory of 3948	5060	Cajjjk32.exe	108
PID 5060 wrote to memory of 3948	5060	Cajjjk32.exe	108
PID 3948 wrote to memory of 4268	3948	Cbkfbcpb.exe	109
PID 3948 wrote to memory of 4268	3948	Cbkfbcpb.exe	109
PID 3948 wrote to memory of 4268	3948	Cbkfbcpb.exe	109
PID 4268 wrote to memory of 1112	4268	Cigkdmel.exe	110
PID 4268 wrote to memory of 1112	4268	Cigkdmel.exe	110
PID 4268 wrote to memory of 1112	4268	Cigkdmel.exe	110
PID 1112 wrote to memory of 2740	1112	Cmgqpkip.exe	111

C:\Users\Admin\AppData\Local\Temp\NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f3b8c0a2cb9f5596ea859cff00d77bc0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\Ookjdn32.exe
  C:\Windows\system32\Ookjdn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\Ppjgoaoj.exe
    C:\Windows\system32\Ppjgoaoj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\SysWOW64\Pjbkgfej.exe
      C:\Windows\system32\Pjbkgfej.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Windows\SysWOW64\Pfillg32.exe
        
        C:\Windows\system32\Pfillg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
      - C:\Windows\SysWOW64\Phjenbhp.exe
        
        C:\Windows\system32\Phjenbhp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Pcpikkge.exe
        
        C:\Windows\system32\Pcpikkge.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Qcbfakec.exe
        
        C:\Windows\system32\Qcbfakec.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Qljjjqlc.exe
        
        C:\Windows\system32\Qljjjqlc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        26⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 400
        27⤵
        Program crash
        
        PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4520 -ip 4520
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Babcil32.exe

Filesize
237KB

MD5
c9af1dc8b96ee82a664afde60e89efcf

SHA1
c817b5189c7bbcad5aff839b99b56de25752de11

SHA256
9b4055c292a8a7d63fbd2a9b711300cd4dc6403c706c9f47b94ccb38deb24a5b

SHA512
43a39ca2fddc0f53dda5d97854cb1bada1d4af8ce5162c2c8120579aeb2a6c7f0b2e04e29dd67171897dd3d8acf01308fbc9b745fbb96665eedcef0e815ee16c

Download Submit
C:\Windows\SysWOW64\Babcil32.exe

Filesize
237KB

MD5
c9af1dc8b96ee82a664afde60e89efcf

SHA1
c817b5189c7bbcad5aff839b99b56de25752de11

SHA256
9b4055c292a8a7d63fbd2a9b711300cd4dc6403c706c9f47b94ccb38deb24a5b

SHA512
43a39ca2fddc0f53dda5d97854cb1bada1d4af8ce5162c2c8120579aeb2a6c7f0b2e04e29dd67171897dd3d8acf01308fbc9b745fbb96665eedcef0e815ee16c

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
237KB

MD5
2befdfc93bbd5e7b4fe40c25b46a1e12

SHA1
38f5c2c4327c3ee52fde879157ecbacb210a4342

SHA256
ef75da9a31dfb5caede6ecbad83ede7441e90a776af45254b7507a75a2832484

SHA512
d8898df8f4c60e65e79a3eee86b9fa195a32999c3ae626fbeae0927461e3f16cc48f22796832d5aef3d9431eec8e8565dff93120ffdb83f5a0ddd8ad9a51ed6e

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
237KB

MD5
2befdfc93bbd5e7b4fe40c25b46a1e12

SHA1
38f5c2c4327c3ee52fde879157ecbacb210a4342

SHA256
ef75da9a31dfb5caede6ecbad83ede7441e90a776af45254b7507a75a2832484

SHA512
d8898df8f4c60e65e79a3eee86b9fa195a32999c3ae626fbeae0927461e3f16cc48f22796832d5aef3d9431eec8e8565dff93120ffdb83f5a0ddd8ad9a51ed6e

Download Submit
C:\Windows\SysWOW64\Bdcmkgmm.exe

Filesize
237KB

MD5
2c2377ba9fabfaf0872464450e4ec8b7

SHA1
e2fc46ac7d0ab7e42c6b873a36eb7b2968b60d38

SHA256
0f174d93674daab7f7049681089227a49b145583b2ab177c4eb6e9a5ec206750

SHA512
6c7080c7b8bf5ea14ef6ced97de5ebb65cd7ff1b83d59c89f03c03b8e0e01404de075f5b0ea1ae0244a9204ae47364bfe071a5cfa8b3c38074284044eddc4970

Download Submit
C:\Windows\SysWOW64\Bdcmkgmm.exe

Filesize
237KB

MD5
2c2377ba9fabfaf0872464450e4ec8b7

SHA1
e2fc46ac7d0ab7e42c6b873a36eb7b2968b60d38

SHA256
0f174d93674daab7f7049681089227a49b145583b2ab177c4eb6e9a5ec206750

SHA512
6c7080c7b8bf5ea14ef6ced97de5ebb65cd7ff1b83d59c89f03c03b8e0e01404de075f5b0ea1ae0244a9204ae47364bfe071a5cfa8b3c38074284044eddc4970

Download Submit
C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
237KB

MD5
8c8ee1324e7474a3bc15eea132918184

SHA1
b1c8e412c5923e7e51a5fee453b689d03e4f9af3

SHA256
8480dd2b0b38c92471313e9357d92087e4f7aadf2d94a45a16a35c203c47ffc9

SHA512
b458a3fde940ab5a3f81ec7c7e61bfdad9cd0dd96b38fe6cd1491484b4900b195e8a84bdd8bcbff27ca735fbd1d61ed74fc985ab7995859d1e6c934704030a3a

Download Submit
C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
237KB

MD5
8c8ee1324e7474a3bc15eea132918184

SHA1
b1c8e412c5923e7e51a5fee453b689d03e4f9af3

SHA256
8480dd2b0b38c92471313e9357d92087e4f7aadf2d94a45a16a35c203c47ffc9

SHA512
b458a3fde940ab5a3f81ec7c7e61bfdad9cd0dd96b38fe6cd1491484b4900b195e8a84bdd8bcbff27ca735fbd1d61ed74fc985ab7995859d1e6c934704030a3a

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
237KB

MD5
77a75dc7fde371ab957e0e1d441d37ff

SHA1
f28e651d948280d5534f925afd3f8f405d05a3e9

SHA256
1245ece80fcb3cf06701a8d00455671ee20d13b241c7ea2d3dff28feca67a7c9

SHA512
01d886467d73a478dbe8f846b4b7d6cf11406cca669f5b0e3c1975c6f391ba5de62a8817d15008cfbc692dec732f10809ca7f03e1dc6d0eaeef6ee126e58a531

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
237KB

MD5
77a75dc7fde371ab957e0e1d441d37ff

SHA1
f28e651d948280d5534f925afd3f8f405d05a3e9

SHA256
1245ece80fcb3cf06701a8d00455671ee20d13b241c7ea2d3dff28feca67a7c9

SHA512
01d886467d73a478dbe8f846b4b7d6cf11406cca669f5b0e3c1975c6f391ba5de62a8817d15008cfbc692dec732f10809ca7f03e1dc6d0eaeef6ee126e58a531

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
237KB

MD5
473e053801321f39584a293c151a6950

SHA1
81b96756063d6834c8a1c62a401bddf8d52db544

SHA256
11e5cc0a166ee45b0459c6c5d88c1e895f88057ee972088157283ded4c7d4cdb

SHA512
23fc6a487d6560e97b4594fb8359f1c57d39103706e16e0bf94f963d8d5d64dbe5b57694f9d887517aa31b791ea5a6fa0a1897b4b936128165be7eaf3bb6e3db

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
237KB

MD5
473e053801321f39584a293c151a6950

SHA1
81b96756063d6834c8a1c62a401bddf8d52db544

SHA256
11e5cc0a166ee45b0459c6c5d88c1e895f88057ee972088157283ded4c7d4cdb

SHA512
23fc6a487d6560e97b4594fb8359f1c57d39103706e16e0bf94f963d8d5d64dbe5b57694f9d887517aa31b791ea5a6fa0a1897b4b936128165be7eaf3bb6e3db

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
237KB

MD5
c68d924209f2ab0f3eb025fb64adbe24

SHA1
72acea2028c91dda85ec60966bd5d12bddb3c92d

SHA256
427fc2864375d760abadd6c24778e2880ceda726f0d4f18bda4f3780eeaaed39

SHA512
c721de797102bfffdcfd3879fa46857b76b6a9d5b449386639c2761bae382fc82795160cdafbe26a73e8d869a2c03f0cc9f8c615e57b188f5769bfe39208b0be

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
237KB

MD5
c68d924209f2ab0f3eb025fb64adbe24

SHA1
72acea2028c91dda85ec60966bd5d12bddb3c92d

SHA256
427fc2864375d760abadd6c24778e2880ceda726f0d4f18bda4f3780eeaaed39

SHA512
c721de797102bfffdcfd3879fa46857b76b6a9d5b449386639c2761bae382fc82795160cdafbe26a73e8d869a2c03f0cc9f8c615e57b188f5769bfe39208b0be

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
237KB

MD5
3553fea1836e972021a2aa954bff9ebc

SHA1
28dc98525cfa5eb5705b5f812c1ca12d26b7ccd5

SHA256
1e267c4e90471b82d75c1333c539dd25a64e3a6ba398a3694c222c41a7ccc6c0

SHA512
b2d5877abb2b03d05becb6d1610b83fa9c624aab69788feff7c6666e70f7a6c4a50ae401314fbe1b10d2ade55ec96b25e0b5b2dda3c0ac05b8e8c8f254cc0e8a

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
237KB

MD5
3553fea1836e972021a2aa954bff9ebc

SHA1
28dc98525cfa5eb5705b5f812c1ca12d26b7ccd5

SHA256
1e267c4e90471b82d75c1333c539dd25a64e3a6ba398a3694c222c41a7ccc6c0

SHA512
b2d5877abb2b03d05becb6d1610b83fa9c624aab69788feff7c6666e70f7a6c4a50ae401314fbe1b10d2ade55ec96b25e0b5b2dda3c0ac05b8e8c8f254cc0e8a

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
237KB

MD5
5b9892391c7dac89e2164740e73defe0

SHA1
31ea25fd50220bf50823e9a20a0826d0939786f5

SHA256
645b6e1392e2745b20dc042f165439f3f957106059c3fa2cfe6084eb401c3a60

SHA512
7f9eaf9c6bb27f18eb0924ea2f36c8270fc38bda8a6c7da007fc0e0f5a33deb3981e7a9a6a44208a263e65a279c2dd7b67a85dd40f8c3ddae03e6ffef040c769

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
237KB

MD5
5b9892391c7dac89e2164740e73defe0

SHA1
31ea25fd50220bf50823e9a20a0826d0939786f5

SHA256
645b6e1392e2745b20dc042f165439f3f957106059c3fa2cfe6084eb401c3a60

SHA512
7f9eaf9c6bb27f18eb0924ea2f36c8270fc38bda8a6c7da007fc0e0f5a33deb3981e7a9a6a44208a263e65a279c2dd7b67a85dd40f8c3ddae03e6ffef040c769

Download Submit
C:\Windows\SysWOW64\Cmgqpkip.exe

Filesize
237KB

MD5
b2518180559a8be9a8bbdee1a61d3df8

SHA1
1c0c41f39d0d68205ea5d7fa8cd61f9d54fb58fb

SHA256
a701da29d6d267b45a17a921bdc6bb7d2a0120b5fc2daaf565efe87646d1d27e

SHA512
61e5f25461de2cd43572395e42ce8256116db45df74166983332c0b1028df3d0aa8b56cd198da93a4517ec734a7c0acc90fd9bd46be47050735c236d73fe8b45

Download Submit
C:\Windows\SysWOW64\Cmgqpkip.exe

Filesize
237KB

MD5
b2518180559a8be9a8bbdee1a61d3df8

SHA1
1c0c41f39d0d68205ea5d7fa8cd61f9d54fb58fb

SHA256
a701da29d6d267b45a17a921bdc6bb7d2a0120b5fc2daaf565efe87646d1d27e

SHA512
61e5f25461de2cd43572395e42ce8256116db45df74166983332c0b1028df3d0aa8b56cd198da93a4517ec734a7c0acc90fd9bd46be47050735c236d73fe8b45

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
237KB

MD5
797e0e2faff059579dc9b5f609dc8aff

SHA1
52f5f22a7e4d0f621ff34d6e94eff3041be77674

SHA256
24be888717d202792b7e769a3de76737697d1df162df7708c6148040655fe796

SHA512
b2ef707fc37ddc9b23ad658b2f8f48ac926b6d1bd1cd557c0774438c202d5012eeb39016e5865d1bb66aa7e46970090ea41fba09d9e7fd34d5b051852c16f294

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
237KB

MD5
797e0e2faff059579dc9b5f609dc8aff

SHA1
52f5f22a7e4d0f621ff34d6e94eff3041be77674

SHA256
24be888717d202792b7e769a3de76737697d1df162df7708c6148040655fe796

SHA512
b2ef707fc37ddc9b23ad658b2f8f48ac926b6d1bd1cd557c0774438c202d5012eeb39016e5865d1bb66aa7e46970090ea41fba09d9e7fd34d5b051852c16f294

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
237KB

MD5
35b5dd6b52163ce9da2b40a26f61fcbf

SHA1
45e76f72d19e4158d3e4d0d80b4e5aee682ce4b3

SHA256
eb0db79a439aca05eccc46a35c6415b046631439bc794711fc1d6d23bdb4f2d9

SHA512
13e9f517d0e3ecd35fde8543e83b826805272fbdf8c032ef48368887ebe510aa185e24c3a8a8d5503146bd138b17914c0be68c8d8558cb354067d4e7f92518d6

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
237KB

MD5
35b5dd6b52163ce9da2b40a26f61fcbf

SHA1
45e76f72d19e4158d3e4d0d80b4e5aee682ce4b3

SHA256
eb0db79a439aca05eccc46a35c6415b046631439bc794711fc1d6d23bdb4f2d9

SHA512
13e9f517d0e3ecd35fde8543e83b826805272fbdf8c032ef48368887ebe510aa185e24c3a8a8d5503146bd138b17914c0be68c8d8558cb354067d4e7f92518d6

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
237KB

MD5
6ca1527190a235f77c8b80a82260085f

SHA1
54efde1b5ae3efa3e7a156e8cb95e82d63801823

SHA256
40bc658deb9112fd600ac47f77ff87fc131a201791a7c2ab866c6d70316f332e

SHA512
da4455b8298c8f2d5ad9188d372cd3d031605080df4c9824679fb0bbb27ab34297ababf356df0935d3ad822130b1ae98472837b45c559ca61a6e18c6b181910d

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
237KB

MD5
6ca1527190a235f77c8b80a82260085f

SHA1
54efde1b5ae3efa3e7a156e8cb95e82d63801823

SHA256
40bc658deb9112fd600ac47f77ff87fc131a201791a7c2ab866c6d70316f332e

SHA512
da4455b8298c8f2d5ad9188d372cd3d031605080df4c9824679fb0bbb27ab34297ababf356df0935d3ad822130b1ae98472837b45c559ca61a6e18c6b181910d

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
237KB

MD5
15cbc9506092b055cc71f202354d67c8

SHA1
e34261deaf51265bc3e79f1ab7478777d2bc56ef

SHA256
d5f18800d97ea5b7e52c206fac713ba16016cb2bf542c2a445a4537b36e05589

SHA512
46fb76655c8f454cc0675a97c478ba4da9f8740453ba77c9ad71e93cf865a51f9bf063dd4a41ad35d0094d339bd7a15f3d3fd3fb875cdc6fbee6649cd9488d91

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
237KB

MD5
15cbc9506092b055cc71f202354d67c8

SHA1
e34261deaf51265bc3e79f1ab7478777d2bc56ef

SHA256
d5f18800d97ea5b7e52c206fac713ba16016cb2bf542c2a445a4537b36e05589

SHA512
46fb76655c8f454cc0675a97c478ba4da9f8740453ba77c9ad71e93cf865a51f9bf063dd4a41ad35d0094d339bd7a15f3d3fd3fb875cdc6fbee6649cd9488d91

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
237KB

MD5
14d0a832be48277cb6fcac1a5fd3ef1a

SHA1
0c55e81567dd257fcba5f6362ceb07e74cdb1a71

SHA256
6827633a6274b1c6e42e7d3597fe5302f309f93388d4030778eac8881dee0e38

SHA512
6bba1654607a80c2c48ebf9816965818bc971b77fd06c6848606d910e2790431e8b602a323e1a2a62a53979e5306541c3f87c380a7540db1920195ba1fdbe181

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
237KB

MD5
14d0a832be48277cb6fcac1a5fd3ef1a

SHA1
0c55e81567dd257fcba5f6362ceb07e74cdb1a71

SHA256
6827633a6274b1c6e42e7d3597fe5302f309f93388d4030778eac8881dee0e38

SHA512
6bba1654607a80c2c48ebf9816965818bc971b77fd06c6848606d910e2790431e8b602a323e1a2a62a53979e5306541c3f87c380a7540db1920195ba1fdbe181

Download Submit
C:\Windows\SysWOW64\Mmfkhmdi.exe

Filesize
237KB

MD5
8a251ff220e9a100a599d63b133a6110

SHA1
4f3bb8c2139c8e19688534af3957a2d33a59db7f

SHA256
b9247297cd339bb14525a6cf6364fe6a667570ee05883ed764eda1396474dd45

SHA512
692979a8d1fb1ea43c17be52b14e9536ff6306eef3e64948d0bcfde5a30dd222551a28e94689f8fa3f8e133f8bcaf242bd03541b10e57cdb16560dc7ac63a029

Download Submit
C:\Windows\SysWOW64\Mmfkhmdi.exe

Filesize
237KB

MD5
8a251ff220e9a100a599d63b133a6110

SHA1
4f3bb8c2139c8e19688534af3957a2d33a59db7f

SHA256
b9247297cd339bb14525a6cf6364fe6a667570ee05883ed764eda1396474dd45

SHA512
692979a8d1fb1ea43c17be52b14e9536ff6306eef3e64948d0bcfde5a30dd222551a28e94689f8fa3f8e133f8bcaf242bd03541b10e57cdb16560dc7ac63a029

Download Submit
C:\Windows\SysWOW64\Ookjdn32.exe

Filesize
237KB

MD5
99a5214a9cd8533d39cb544ceca74183

SHA1
58399c0c75c5c8a9332b37198afc59a6a7299756

SHA256
fcf37c3490e373dba6da635b2377c23a2046bee2f113a15d12e9a49dc9f08f23

SHA512
d8cb14ba23e2c3c138d9817b8c7fbb5c36af56309feb6c991630d5b00870ae09c86b6b3af08ef15147bb3f96c29692b4b5d4b0e085fde0e884c4494be208e7cd

Download Submit
C:\Windows\SysWOW64\Ookjdn32.exe

Filesize
237KB

MD5
99a5214a9cd8533d39cb544ceca74183

SHA1
58399c0c75c5c8a9332b37198afc59a6a7299756

SHA256
fcf37c3490e373dba6da635b2377c23a2046bee2f113a15d12e9a49dc9f08f23

SHA512
d8cb14ba23e2c3c138d9817b8c7fbb5c36af56309feb6c991630d5b00870ae09c86b6b3af08ef15147bb3f96c29692b4b5d4b0e085fde0e884c4494be208e7cd

Download Submit
C:\Windows\SysWOW64\Pcpikkge.exe

Filesize
237KB

MD5
e867c703cd2b085f043e6507da5caf32

SHA1
9089cea0e504cfbca263842587aa1b6c5450325e

SHA256
b0a9fbba0bd3f5e82648d831cf1be81f81fa5ead5a05d64f883094c34d786646

SHA512
fb653fd7e9b101c89d4495d8fe668b1b6e10c886f21af8df9af6801003d3d02f652f64084f168a67367a6dfae573a8d40292d11aa912944a78403d9c90a1609b

Download Submit
C:\Windows\SysWOW64\Pcpikkge.exe

Filesize
237KB

MD5
e867c703cd2b085f043e6507da5caf32

SHA1
9089cea0e504cfbca263842587aa1b6c5450325e

SHA256
b0a9fbba0bd3f5e82648d831cf1be81f81fa5ead5a05d64f883094c34d786646

SHA512
fb653fd7e9b101c89d4495d8fe668b1b6e10c886f21af8df9af6801003d3d02f652f64084f168a67367a6dfae573a8d40292d11aa912944a78403d9c90a1609b

Download Submit
C:\Windows\SysWOW64\Pfillg32.exe

Filesize
237KB

MD5
50d7a102d6099f389820d98a8d96dc06

SHA1
b46364db6f96a0411fbaa954d178a8bbad3f889f

SHA256
6d354d9eb058b790e391076ddfaacb4aeff79f35bfe4333c7820690002539514

SHA512
9926e2e5c2e4039e380dbd87c05b71919c1d2f030ca7e244f922e279dcc5bac152306695e4c05bc3c49e04d80eed80b0a7210cc43685401519470436495fe228

Download Submit
C:\Windows\SysWOW64\Pfillg32.exe

Filesize
237KB

MD5
50d7a102d6099f389820d98a8d96dc06

SHA1
b46364db6f96a0411fbaa954d178a8bbad3f889f

SHA256
6d354d9eb058b790e391076ddfaacb4aeff79f35bfe4333c7820690002539514

SHA512
9926e2e5c2e4039e380dbd87c05b71919c1d2f030ca7e244f922e279dcc5bac152306695e4c05bc3c49e04d80eed80b0a7210cc43685401519470436495fe228

Download Submit
C:\Windows\SysWOW64\Phjenbhp.exe

Filesize
237KB

MD5
50d7a102d6099f389820d98a8d96dc06

SHA1
b46364db6f96a0411fbaa954d178a8bbad3f889f

SHA256
6d354d9eb058b790e391076ddfaacb4aeff79f35bfe4333c7820690002539514

SHA512
9926e2e5c2e4039e380dbd87c05b71919c1d2f030ca7e244f922e279dcc5bac152306695e4c05bc3c49e04d80eed80b0a7210cc43685401519470436495fe228

Download Submit
C:\Windows\SysWOW64\Phjenbhp.exe

Filesize
237KB

MD5
ed7ac01ad544d528151d301a3cbe9d4d

SHA1
2e36fcdef2031bce493cb0a26718ebd9dffddfd5

SHA256
c4d5d3bc001700b497f44cca9aa8453677d02515afbf41aead4a231a47c788f1

SHA512
d7f130ca0f6715695e5aa44a6d67c6a34d94e5cb06ce8a09365bd9f5f212af30fefac57bc516376e9f13db66a1a641dd22bdcdb878edd1127c3d08088425083b

Download Submit
C:\Windows\SysWOW64\Phjenbhp.exe

Filesize
237KB

MD5
ed7ac01ad544d528151d301a3cbe9d4d

SHA1
2e36fcdef2031bce493cb0a26718ebd9dffddfd5

SHA256
c4d5d3bc001700b497f44cca9aa8453677d02515afbf41aead4a231a47c788f1

SHA512
d7f130ca0f6715695e5aa44a6d67c6a34d94e5cb06ce8a09365bd9f5f212af30fefac57bc516376e9f13db66a1a641dd22bdcdb878edd1127c3d08088425083b

Download Submit
C:\Windows\SysWOW64\Pjbkgfej.exe

Filesize
237KB

MD5
42d09fba5a27397a321d8094aebc1b9b

SHA1
d165b8b3da5295288a1b6df69d354157c79885f8

SHA256
e23320b37fd4a2c6af4e5a622335466781c19d16c0e1ca2b9bcd26e8f2f4e9ac

SHA512
3a7219a4b7204a1c2503d0cafb141d71c702c0893d027896ffe443aa44cda9fbccc44ddca44ff9a03354f74ef2043bbefa6cf517ae230ea3b253220a84925dce

Download Submit
C:\Windows\SysWOW64\Pjbkgfej.exe

Filesize
237KB

MD5
42d09fba5a27397a321d8094aebc1b9b

SHA1
d165b8b3da5295288a1b6df69d354157c79885f8

SHA256
e23320b37fd4a2c6af4e5a622335466781c19d16c0e1ca2b9bcd26e8f2f4e9ac

SHA512
3a7219a4b7204a1c2503d0cafb141d71c702c0893d027896ffe443aa44cda9fbccc44ddca44ff9a03354f74ef2043bbefa6cf517ae230ea3b253220a84925dce

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
237KB

MD5
e935caa65b09e8f737812027793205fc

SHA1
105e887800b2b8c9257a4976508e414f6a372c16

SHA256
27ec59db115cc57d81fd6df07ebcc6df35abb2230ba085b0b2a729b82a9ca6da

SHA512
230bb4dbefc4e5020398399624c783b7f3386de62c66e1a701a48cd276a4b6ab2d7a7db06c3081beaeac49ba8e33ecba0d88695bd8d8098e2ec03fd16a6cac3d

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
237KB

MD5
e935caa65b09e8f737812027793205fc

SHA1
105e887800b2b8c9257a4976508e414f6a372c16

SHA256
27ec59db115cc57d81fd6df07ebcc6df35abb2230ba085b0b2a729b82a9ca6da

SHA512
230bb4dbefc4e5020398399624c783b7f3386de62c66e1a701a48cd276a4b6ab2d7a7db06c3081beaeac49ba8e33ecba0d88695bd8d8098e2ec03fd16a6cac3d

Download Submit
C:\Windows\SysWOW64\Ppjgoaoj.exe

Filesize
237KB

MD5
37d0e5c2f5318a4efe887c8a1ab416f7

SHA1
d75aa2ac4f5dcdee07367843f3c3aac683004ed8

SHA256
f44d5a9589205cbb1c325d267607954576092c3f0a67b195845fa90352148474

SHA512
f809c5b0d491226583222f436d7b53435e9bf1c268133f2d380d6f9336dda1cfcf8d8e7cbb6b1800bbe5c4ecf79c4c11cafd1bcc39439870a5afa6b879aff4a1

Download Submit
C:\Windows\SysWOW64\Ppjgoaoj.exe

Filesize
237KB

MD5
37d0e5c2f5318a4efe887c8a1ab416f7

SHA1
d75aa2ac4f5dcdee07367843f3c3aac683004ed8

SHA256
f44d5a9589205cbb1c325d267607954576092c3f0a67b195845fa90352148474

SHA512
f809c5b0d491226583222f436d7b53435e9bf1c268133f2d380d6f9336dda1cfcf8d8e7cbb6b1800bbe5c4ecf79c4c11cafd1bcc39439870a5afa6b879aff4a1

Download Submit
C:\Windows\SysWOW64\Qcbfakec.exe

Filesize
237KB

MD5
456ad36b112fbfe13cf7e9cb2b065072

SHA1
75fc937a5cb7a3fb4b45f3a6e0868b46644da1a8

SHA256
8c74c70ac84efa4f48e0cf5301f049acba6e1e8eb485573d83477a87945040b7

SHA512
75b6b9cc473c336c3967f9e81711cdb26311c170b62d27cc4712dd625566c169453d0ab4b3018286be1a6495e25268fc27b296db5c4b79d49bd18f9ca6aa69f1

Download Submit
C:\Windows\SysWOW64\Qcbfakec.exe

Filesize
237KB

MD5
456ad36b112fbfe13cf7e9cb2b065072

SHA1
75fc937a5cb7a3fb4b45f3a6e0868b46644da1a8

SHA256
8c74c70ac84efa4f48e0cf5301f049acba6e1e8eb485573d83477a87945040b7

SHA512
75b6b9cc473c336c3967f9e81711cdb26311c170b62d27cc4712dd625566c169453d0ab4b3018286be1a6495e25268fc27b296db5c4b79d49bd18f9ca6aa69f1

Download Submit
C:\Windows\SysWOW64\Qljjjqlc.exe

Filesize
237KB

MD5
d1c9bc1a347b59e9d9ab5f35524e9f8d

SHA1
563f45590d57b84467755422b325f3721323dfba

SHA256
e13a08395b6894c343d7c2c7f590fe3ee2b643058ed676d78d7e86a496ec6954

SHA512
8da2572698ac535c19c976226100099b458d514fbec9cf6a49f813b93efd53c501d05f744bc256d5a6dc39ec74b70fcf7bdcffd7495ef2f51005535ba139e081

Download Submit
C:\Windows\SysWOW64\Qljjjqlc.exe

Filesize
237KB

MD5
d1c9bc1a347b59e9d9ab5f35524e9f8d

SHA1
563f45590d57b84467755422b325f3721323dfba

SHA256
e13a08395b6894c343d7c2c7f590fe3ee2b643058ed676d78d7e86a496ec6954

SHA512
8da2572698ac535c19c976226100099b458d514fbec9cf6a49f813b93efd53c501d05f744bc256d5a6dc39ec74b70fcf7bdcffd7495ef2f51005535ba139e081

Download Submit
memory/208-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/424-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/424-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads