40cca6e3e9b17772f1c5877e4d65baa1517d0b6b3ade2772a640447b4b476737

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 20:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe
Size

98KB
MD5

f714dcf9b4d47533a0d3b06a425178e0
SHA1

edd785863244e5173620f8f4dd6443e69bb11ed1
SHA256

40cca6e3e9b17772f1c5877e4d65baa1517d0b6b3ade2772a640447b4b476737
SHA512

cd22d8ad50ce29009427b51bc4ec399adf1b4beb4cd75a368a861d88ef4214f02f09a4ba475c7bd4538c777f4179d40231b3bbdfb06b5a95480ab9d62958f086
SSDEEP

3072:0iEE2nyElhK8sM50ocEhueFKPD375lHzpa1P:06GV/v95bcEAeYr75lHzpaF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe

Executes dropped EXE 27 IoCs

pid	Process
1928	Qmmnjfnl.exe
2260	Qffbbldm.exe
4544	Acjclpcf.exe
3044	Ajckij32.exe
4856	Agglboim.exe
4360	Aqppkd32.exe
3924	Afmhck32.exe
4912	Aglemn32.exe
632	Anfmjhmd.exe
3076	Bnhjohkb.exe
2348	Bcebhoii.exe
1456	Bnkgeg32.exe
3984	Bnmcjg32.exe
4084	Bfhhoi32.exe
2888	Bfkedibe.exe
4220	Bcoenmao.exe
2704	Cmgjgcgo.exe
1104	Cjkjpgfi.exe
4188	Cnicfe32.exe
3452	Ceckcp32.exe
4376	Cfdhkhjj.exe
2156	Cnnlaehj.exe
4476	Cegdnopg.exe
4212	Dejacond.exe
4272	Daqbip32.exe
228	Ddakjkqi.exe
1468	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1548	1468	WerFault.exe	115

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 1928	4980	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe	87
PID 4980 wrote to memory of 1928	4980	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe	87
PID 4980 wrote to memory of 1928	4980	NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe	87
PID 1928 wrote to memory of 2260	1928	Qmmnjfnl.exe	88
PID 1928 wrote to memory of 2260	1928	Qmmnjfnl.exe	88
PID 1928 wrote to memory of 2260	1928	Qmmnjfnl.exe	88
PID 2260 wrote to memory of 4544	2260	Qffbbldm.exe	90
PID 2260 wrote to memory of 4544	2260	Qffbbldm.exe	90
PID 2260 wrote to memory of 4544	2260	Qffbbldm.exe	90
PID 4544 wrote to memory of 3044	4544	Acjclpcf.exe	91
PID 4544 wrote to memory of 3044	4544	Acjclpcf.exe	91
PID 4544 wrote to memory of 3044	4544	Acjclpcf.exe	91
PID 3044 wrote to memory of 4856	3044	Ajckij32.exe	92
PID 3044 wrote to memory of 4856	3044	Ajckij32.exe	92
PID 3044 wrote to memory of 4856	3044	Ajckij32.exe	92
PID 4856 wrote to memory of 4360	4856	Agglboim.exe	93
PID 4856 wrote to memory of 4360	4856	Agglboim.exe	93
PID 4856 wrote to memory of 4360	4856	Agglboim.exe	93
PID 4360 wrote to memory of 3924	4360	Aqppkd32.exe	94
PID 4360 wrote to memory of 3924	4360	Aqppkd32.exe	94
PID 4360 wrote to memory of 3924	4360	Aqppkd32.exe	94
PID 3924 wrote to memory of 4912	3924	Afmhck32.exe	95
PID 3924 wrote to memory of 4912	3924	Afmhck32.exe	95
PID 3924 wrote to memory of 4912	3924	Afmhck32.exe	95
PID 4912 wrote to memory of 632	4912	Aglemn32.exe	96
PID 4912 wrote to memory of 632	4912	Aglemn32.exe	96
PID 4912 wrote to memory of 632	4912	Aglemn32.exe	96
PID 632 wrote to memory of 3076	632	Anfmjhmd.exe	97
PID 632 wrote to memory of 3076	632	Anfmjhmd.exe	97
PID 632 wrote to memory of 3076	632	Anfmjhmd.exe	97
PID 3076 wrote to memory of 2348	3076	Bnhjohkb.exe	98
PID 3076 wrote to memory of 2348	3076	Bnhjohkb.exe	98
PID 3076 wrote to memory of 2348	3076	Bnhjohkb.exe	98
PID 2348 wrote to memory of 1456	2348	Bcebhoii.exe	99
PID 2348 wrote to memory of 1456	2348	Bcebhoii.exe	99
PID 2348 wrote to memory of 1456	2348	Bcebhoii.exe	99
PID 1456 wrote to memory of 3984	1456	Bnkgeg32.exe	100
PID 1456 wrote to memory of 3984	1456	Bnkgeg32.exe	100
PID 1456 wrote to memory of 3984	1456	Bnkgeg32.exe	100
PID 3984 wrote to memory of 4084	3984	Bnmcjg32.exe	101
PID 3984 wrote to memory of 4084	3984	Bnmcjg32.exe	101
PID 3984 wrote to memory of 4084	3984	Bnmcjg32.exe	101
PID 4084 wrote to memory of 2888	4084	Bfhhoi32.exe	102
PID 4084 wrote to memory of 2888	4084	Bfhhoi32.exe	102
PID 4084 wrote to memory of 2888	4084	Bfhhoi32.exe	102
PID 2888 wrote to memory of 4220	2888	Bfkedibe.exe	103
PID 2888 wrote to memory of 4220	2888	Bfkedibe.exe	103
PID 2888 wrote to memory of 4220	2888	Bfkedibe.exe	103
PID 4220 wrote to memory of 2704	4220	Bcoenmao.exe	104
PID 4220 wrote to memory of 2704	4220	Bcoenmao.exe	104
PID 4220 wrote to memory of 2704	4220	Bcoenmao.exe	104
PID 2704 wrote to memory of 1104	2704	Cmgjgcgo.exe	105
PID 2704 wrote to memory of 1104	2704	Cmgjgcgo.exe	105
PID 2704 wrote to memory of 1104	2704	Cmgjgcgo.exe	105
PID 1104 wrote to memory of 4188	1104	Cjkjpgfi.exe	106
PID 1104 wrote to memory of 4188	1104	Cjkjpgfi.exe	106
PID 1104 wrote to memory of 4188	1104	Cjkjpgfi.exe	106
PID 4188 wrote to memory of 3452	4188	Cnicfe32.exe	108
PID 4188 wrote to memory of 3452	4188	Cnicfe32.exe	108
PID 4188 wrote to memory of 3452	4188	Cnicfe32.exe	108
PID 3452 wrote to memory of 4376	3452	Ceckcp32.exe	109
PID 3452 wrote to memory of 4376	3452	Ceckcp32.exe	109
PID 3452 wrote to memory of 4376	3452	Ceckcp32.exe	109
PID 4376 wrote to memory of 2156	4376	Cfdhkhjj.exe	110

C:\Users\Admin\AppData\Local\Temp\NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f714dcf9b4d47533a0d3b06a425178e0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\SysWOW64\Qmmnjfnl.exe
  C:\Windows\system32\Qmmnjfnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\Qffbbldm.exe
    C:\Windows\system32\Qffbbldm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\SysWOW64\Acjclpcf.exe
      C:\Windows\system32\Acjclpcf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        28⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 408
        29⤵
        Program crash
        
        PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1468 -ip 1468
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
98KB

MD5
9391e931c694271e588d1be81f8a3b28

SHA1
7087cb960c70792c98c8226758ba6f072d556dc8

SHA256
1bf136c101a58c301a70c761f8ccf476365ad42edf50afa2500db61e74c3a53b

SHA512
c72520177d06bcfeec185268a5a78822ccf0dd414d6187b293d23680131822a66bcf944ef2d0fcfa85d02570161f8193f510cfd05b050c3640c5b390acf27f39

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
98KB

MD5
9391e931c694271e588d1be81f8a3b28

SHA1
7087cb960c70792c98c8226758ba6f072d556dc8

SHA256
1bf136c101a58c301a70c761f8ccf476365ad42edf50afa2500db61e74c3a53b

SHA512
c72520177d06bcfeec185268a5a78822ccf0dd414d6187b293d23680131822a66bcf944ef2d0fcfa85d02570161f8193f510cfd05b050c3640c5b390acf27f39

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
98KB

MD5
f93e65cc44ee8e2c58d64f77b09a1d0b

SHA1
510dff034ed2ed613dd8ea135967f0ca8c371e4a

SHA256
1cf0284d09df11bd3ed397881dbbff7fd1d405807040d21e7849c60c4df8cdb8

SHA512
0877248543f2fe4a448911ba971fe78497bf14d9c00d0d60d125e438f42a53eb3bcfa908355fb2accf239cd84468121a45d836f8a7d8df0a42883ec520f54c73

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
98KB

MD5
f93e65cc44ee8e2c58d64f77b09a1d0b

SHA1
510dff034ed2ed613dd8ea135967f0ca8c371e4a

SHA256
1cf0284d09df11bd3ed397881dbbff7fd1d405807040d21e7849c60c4df8cdb8

SHA512
0877248543f2fe4a448911ba971fe78497bf14d9c00d0d60d125e438f42a53eb3bcfa908355fb2accf239cd84468121a45d836f8a7d8df0a42883ec520f54c73

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
98KB

MD5
9f3ef5cd1dd957542f06ada4310f9ed1

SHA1
50db2499edcd0eff3a3c97328b0a563ced0cc38f

SHA256
fcae9b881596734e91e883e84b3da8f3d37adf5d20bcc5ed409f7091e0367db8

SHA512
72e9ddb0e8e0d4984354362e145f0aab4594a149cad045d4b3467a9c7ae6cab68cd9208074be998905838bb9356e57cb8fa4efd703248a7adbaa75349868fb68

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
98KB

MD5
9f3ef5cd1dd957542f06ada4310f9ed1

SHA1
50db2499edcd0eff3a3c97328b0a563ced0cc38f

SHA256
fcae9b881596734e91e883e84b3da8f3d37adf5d20bcc5ed409f7091e0367db8

SHA512
72e9ddb0e8e0d4984354362e145f0aab4594a149cad045d4b3467a9c7ae6cab68cd9208074be998905838bb9356e57cb8fa4efd703248a7adbaa75349868fb68

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
98KB

MD5
f3d69696f206b9b7262699ad4fdc5a8e

SHA1
cca2068d77a2ca1eb4e35f1f8a30e6ca0ca5e39c

SHA256
bd87697f1a750e1f9c1ab615bed58b0440cab41efc468f6b6b020705db167694

SHA512
8ae5c5c8ce00842fd2fe454d94389786f8bd3fb16788ab06ef206cdf021253780b37a05c3a8a36cd533e0d12845ee82e73c825b21f9951f9761028f8d73e32b6

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
98KB

MD5
f3d69696f206b9b7262699ad4fdc5a8e

SHA1
cca2068d77a2ca1eb4e35f1f8a30e6ca0ca5e39c

SHA256
bd87697f1a750e1f9c1ab615bed58b0440cab41efc468f6b6b020705db167694

SHA512
8ae5c5c8ce00842fd2fe454d94389786f8bd3fb16788ab06ef206cdf021253780b37a05c3a8a36cd533e0d12845ee82e73c825b21f9951f9761028f8d73e32b6

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
98KB

MD5
25addbaeefefceebc1d1cd8b09a8ae5c

SHA1
ab2d44db7aadc32f4567bbd6c801d49c4ddf3924

SHA256
a09345ada4dfae907a1dba79fcab7d0e53a95abd508a9848c1792bb18c4aa4b5

SHA512
4459c5e13700918ed099b88b4d3e076bdd0fa51f737bb75c83c523b16e34d46b58e1442be47c974942b4ea5bfb8e35983791f560d41c5fd1a845683dede5db6d

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
98KB

MD5
25addbaeefefceebc1d1cd8b09a8ae5c

SHA1
ab2d44db7aadc32f4567bbd6c801d49c4ddf3924

SHA256
a09345ada4dfae907a1dba79fcab7d0e53a95abd508a9848c1792bb18c4aa4b5

SHA512
4459c5e13700918ed099b88b4d3e076bdd0fa51f737bb75c83c523b16e34d46b58e1442be47c974942b4ea5bfb8e35983791f560d41c5fd1a845683dede5db6d

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
98KB

MD5
487795f0f3569b4aaa6f1573cb5a103d

SHA1
5bf1dcc1a25a6abbd3c7e5a62ce0134dd7df040e

SHA256
5429067cfab120c4fa51d895b34e4901ccfe2c67d65fd6faae7be0fddc1ee9aa

SHA512
8d3ae5918f1f0a531948f85b8d4ba45b7bf125c0ae0bac3e64c48ede2d7dd76fa8937ceacb36cc7c4e0949f579a858ef030b1fa68787f21ba6107002e5299c5c

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
98KB

MD5
487795f0f3569b4aaa6f1573cb5a103d

SHA1
5bf1dcc1a25a6abbd3c7e5a62ce0134dd7df040e

SHA256
5429067cfab120c4fa51d895b34e4901ccfe2c67d65fd6faae7be0fddc1ee9aa

SHA512
8d3ae5918f1f0a531948f85b8d4ba45b7bf125c0ae0bac3e64c48ede2d7dd76fa8937ceacb36cc7c4e0949f579a858ef030b1fa68787f21ba6107002e5299c5c

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
98KB

MD5
cbaff7346bb0608f866407957b18ba50

SHA1
83978bbeab722c652f31a636f5574fa71b5360e1

SHA256
9cac852852e8b691de917b8c997a9675b40a0cc7d162f8824a05906db5ec4993

SHA512
6f329e28236e30e03e3edf561101e34636420711c509a44a359e7e3a0d6b2a3f9f538ed34627345baf9919ab20ed2fbcb858f8a7ce255818925adef8bab90cba

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
98KB

MD5
cbaff7346bb0608f866407957b18ba50

SHA1
83978bbeab722c652f31a636f5574fa71b5360e1

SHA256
9cac852852e8b691de917b8c997a9675b40a0cc7d162f8824a05906db5ec4993

SHA512
6f329e28236e30e03e3edf561101e34636420711c509a44a359e7e3a0d6b2a3f9f538ed34627345baf9919ab20ed2fbcb858f8a7ce255818925adef8bab90cba

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
98KB

MD5
03260457195ebe06f5e0bf4e3da05aa1

SHA1
6705eb9240e6f0c5143b00cac596ec12167fd5c5

SHA256
bb02bed624317039dfd1174260ab243a9d7a9ee7321c3c35d9dc2e3cbe21a120

SHA512
f0acd2b219fc4df1b87efb6779bbfedc6cc60c6b0546809829dab0378ff0cb65fe8eba37531ca277c7f15094a2dc4e6fa6bc0050f6481356d8aa0824380e3e7b

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
98KB

MD5
03260457195ebe06f5e0bf4e3da05aa1

SHA1
6705eb9240e6f0c5143b00cac596ec12167fd5c5

SHA256
bb02bed624317039dfd1174260ab243a9d7a9ee7321c3c35d9dc2e3cbe21a120

SHA512
f0acd2b219fc4df1b87efb6779bbfedc6cc60c6b0546809829dab0378ff0cb65fe8eba37531ca277c7f15094a2dc4e6fa6bc0050f6481356d8aa0824380e3e7b

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
98KB

MD5
03852966c9b6fc9a9399ae9019be24c7

SHA1
64afe727147fad5793a0ae4cdda2466fe89fa799

SHA256
8de06438e853de2ea2863e60d8fe5d83819271a645fe183d8b6184e49e928c80

SHA512
92c63d584bed3bddcc8b0df9def5348da843936fb0492d4f9c7b8cd06240174f372d4806a65a872ac76bb5ed3e11d2e436411d29e1796c974a91f0508a8cd8c3

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
98KB

MD5
e5e12e32a43bd9721ce271899a57287f

SHA1
ddf66ab4b91592c53e4f5cc38e3b5e509d8c939a

SHA256
784860929a7f5ca0dc00453a31e67774f3ef34ea086b3fabf1c303a92ea9ecb4

SHA512
e7f16ff857baef1f45f890f365d623c72f0519cd24d5ef076e39393ed1e5e092effeb01ce77aed5725d25930e8fb09db33a9d380dae62a07dc3ea2c6b21e67a4

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
98KB

MD5
e5e12e32a43bd9721ce271899a57287f

SHA1
ddf66ab4b91592c53e4f5cc38e3b5e509d8c939a

SHA256
784860929a7f5ca0dc00453a31e67774f3ef34ea086b3fabf1c303a92ea9ecb4

SHA512
e7f16ff857baef1f45f890f365d623c72f0519cd24d5ef076e39393ed1e5e092effeb01ce77aed5725d25930e8fb09db33a9d380dae62a07dc3ea2c6b21e67a4

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
98KB

MD5
ace3cb8e9ab87eae8f5023aa3a621ea3

SHA1
f70b7a82e8bdb0c6b83232bb01f77d76f84c1b4c

SHA256
9a3b49e9925561b04a36eeedf08b97650fec5c4226dccd41bd34ba5c1571ec95

SHA512
33ff50049ed92abad10ed7179920f5a017ecce97cac3caa6e25ff8f69bd77a035eb75fda6a74f87cf11f4a5fe179e240fa38bc8229bb44ce891e5dcab415f4fd

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
98KB

MD5
ace3cb8e9ab87eae8f5023aa3a621ea3

SHA1
f70b7a82e8bdb0c6b83232bb01f77d76f84c1b4c

SHA256
9a3b49e9925561b04a36eeedf08b97650fec5c4226dccd41bd34ba5c1571ec95

SHA512
33ff50049ed92abad10ed7179920f5a017ecce97cac3caa6e25ff8f69bd77a035eb75fda6a74f87cf11f4a5fe179e240fa38bc8229bb44ce891e5dcab415f4fd

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
98KB

MD5
d423a75b6d91b286420e3787d01ff30b

SHA1
cc4001e3175c5dd4cae3ca8333facd5d429d4ccf

SHA256
fe825c6f8f1395569a7369dedda7671447dfdbe585507f6afec3849b8c9a66c2

SHA512
083db94f37df388047c952a7ce4ce4c14b3fbcacd2be959ecf0d8ce1120dfbcb1daf9e111a97973578b14a78e71b0edf83d4c6b575c1d97e7e112e0289d3d7fc

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
98KB

MD5
d423a75b6d91b286420e3787d01ff30b

SHA1
cc4001e3175c5dd4cae3ca8333facd5d429d4ccf

SHA256
fe825c6f8f1395569a7369dedda7671447dfdbe585507f6afec3849b8c9a66c2

SHA512
083db94f37df388047c952a7ce4ce4c14b3fbcacd2be959ecf0d8ce1120dfbcb1daf9e111a97973578b14a78e71b0edf83d4c6b575c1d97e7e112e0289d3d7fc

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
98KB

MD5
f1fe37d47d893bba45d9d1894bd5f8e7

SHA1
71e5dd5b998759be4f1942f877ab13f986cfd4c8

SHA256
88ad175f049afb8b5e29989efc53e5f0ee06b12f5da2b048741605fa4c6139cf

SHA512
849f24c5b1b0901f97fb2ff3b181bfe65c86784753596430a0b7b8db47c775f86e356c07762c4f068fb3e896ce20e99ca99512e15f6ca0742cb6c6eec80654f9

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
98KB

MD5
f1fe37d47d893bba45d9d1894bd5f8e7

SHA1
71e5dd5b998759be4f1942f877ab13f986cfd4c8

SHA256
88ad175f049afb8b5e29989efc53e5f0ee06b12f5da2b048741605fa4c6139cf

SHA512
849f24c5b1b0901f97fb2ff3b181bfe65c86784753596430a0b7b8db47c775f86e356c07762c4f068fb3e896ce20e99ca99512e15f6ca0742cb6c6eec80654f9

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
98KB

MD5
93ef6f6c61b394b0e2cc2c42ee64e0ee

SHA1
a852d874e5195216e82ae4bee8ef373f2da67c37

SHA256
1ed6c33472a854521071a52c0e17e5b08d2c0bf8e1cab1c8bb04b9d820fe546b

SHA512
5a534c32aa6dfd53a593fbabf191ca09a84c985602fb403a678d36da15a3fd05ae7c8e379efd145c7c800c3a64cd62b453325e6be4bb1f83f32eb60908b66b3e

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
98KB

MD5
93ef6f6c61b394b0e2cc2c42ee64e0ee

SHA1
a852d874e5195216e82ae4bee8ef373f2da67c37

SHA256
1ed6c33472a854521071a52c0e17e5b08d2c0bf8e1cab1c8bb04b9d820fe546b

SHA512
5a534c32aa6dfd53a593fbabf191ca09a84c985602fb403a678d36da15a3fd05ae7c8e379efd145c7c800c3a64cd62b453325e6be4bb1f83f32eb60908b66b3e

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
98KB

MD5
93ef6f6c61b394b0e2cc2c42ee64e0ee

SHA1
a852d874e5195216e82ae4bee8ef373f2da67c37

SHA256
1ed6c33472a854521071a52c0e17e5b08d2c0bf8e1cab1c8bb04b9d820fe546b

SHA512
5a534c32aa6dfd53a593fbabf191ca09a84c985602fb403a678d36da15a3fd05ae7c8e379efd145c7c800c3a64cd62b453325e6be4bb1f83f32eb60908b66b3e

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
98KB

MD5
8ec628b8eb191751e39c9c6bd14bb9bc

SHA1
1536b611609784838876d1108c8ddc062cec858f

SHA256
9805b338039cc072d743aea688bcd9022e17f1bae45be84f2f071d7eca720b45

SHA512
96af0dcabb342f21f8408b5d07dbe5d55b24a06779eb96baf312b89efc8114011cd72156bd6469396c4b98a0bb562d2aa12be6bca39d98bea6876861eb3675fa

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
98KB

MD5
8ec628b8eb191751e39c9c6bd14bb9bc

SHA1
1536b611609784838876d1108c8ddc062cec858f

SHA256
9805b338039cc072d743aea688bcd9022e17f1bae45be84f2f071d7eca720b45

SHA512
96af0dcabb342f21f8408b5d07dbe5d55b24a06779eb96baf312b89efc8114011cd72156bd6469396c4b98a0bb562d2aa12be6bca39d98bea6876861eb3675fa

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
98KB

MD5
055fbdcccd87b686d8b90344106ac466

SHA1
0ede172f882d365648fd4349262d0e9fe719e359

SHA256
082e3cf89f87475982cdfb5addd26aa6649412e2163d9ad3569a9893a91902bc

SHA512
8e97d0d17709dda9f22538dc969d0b4214d9d8dcb30b06d1745e584f659112d0cf02c0fde9dfa4ced90965059b80a263fb9f45a40db0630d4a1ceac6c818f51e

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
98KB

MD5
055fbdcccd87b686d8b90344106ac466

SHA1
0ede172f882d365648fd4349262d0e9fe719e359

SHA256
082e3cf89f87475982cdfb5addd26aa6649412e2163d9ad3569a9893a91902bc

SHA512
8e97d0d17709dda9f22538dc969d0b4214d9d8dcb30b06d1745e584f659112d0cf02c0fde9dfa4ced90965059b80a263fb9f45a40db0630d4a1ceac6c818f51e

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
98KB

MD5
fba23dc9e7fc8a09b39e38279a619a6c

SHA1
198e10c3d39640b681dfa473099d08e468ffc4c4

SHA256
ff1037d6124164b2656230e57ff9d5f2fc404079b21c6747b4826a5a6e30a919

SHA512
4fbbe4cee3541122645249d07c95bec3ffb62bbf57ac1757b25b59b6e5163e448c076ffe04ba20a249755156e5de8ef18229f7fda9899328c09ca187284509d9

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
98KB

MD5
fba23dc9e7fc8a09b39e38279a619a6c

SHA1
198e10c3d39640b681dfa473099d08e468ffc4c4

SHA256
ff1037d6124164b2656230e57ff9d5f2fc404079b21c6747b4826a5a6e30a919

SHA512
4fbbe4cee3541122645249d07c95bec3ffb62bbf57ac1757b25b59b6e5163e448c076ffe04ba20a249755156e5de8ef18229f7fda9899328c09ca187284509d9

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
98KB

MD5
593d3b46959c65d776086755e52053fa

SHA1
383d19a32bd9ac7717af6f69bf178d5d38920171

SHA256
68e2d8833d9d3ee3a33c40b7a9c588e3f338769f7fb0f9855c333d4e8679323b

SHA512
44dfa695f2e7019cf4ccb8a9964eb87d112befa9580a0355131fac882e90751e50327bc59b3e5dd43552bac46a5405b3d1a0d6ee7a588861d72570d88cf88bcb

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
98KB

MD5
593d3b46959c65d776086755e52053fa

SHA1
383d19a32bd9ac7717af6f69bf178d5d38920171

SHA256
68e2d8833d9d3ee3a33c40b7a9c588e3f338769f7fb0f9855c333d4e8679323b

SHA512
44dfa695f2e7019cf4ccb8a9964eb87d112befa9580a0355131fac882e90751e50327bc59b3e5dd43552bac46a5405b3d1a0d6ee7a588861d72570d88cf88bcb

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
98KB

MD5
e02b2e3b5c144e797e9d4fec9112df7d

SHA1
2bf004fb1f2c5314ab49f3749e4b5a107925ceee

SHA256
690e08033d14336e8fee6a3d5614b9f2e598da82fcf93d98e5fd755cb73dd5d9

SHA512
11bb29c8f8f8a6eeea7cac33ea738d71996751e0a454be55251a49e51f180248ed4b3fb2c98cf1da633b6e96f2630e3c2cfe03f228753ed5951e881f50a7fe2f

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
98KB

MD5
e02b2e3b5c144e797e9d4fec9112df7d

SHA1
2bf004fb1f2c5314ab49f3749e4b5a107925ceee

SHA256
690e08033d14336e8fee6a3d5614b9f2e598da82fcf93d98e5fd755cb73dd5d9

SHA512
11bb29c8f8f8a6eeea7cac33ea738d71996751e0a454be55251a49e51f180248ed4b3fb2c98cf1da633b6e96f2630e3c2cfe03f228753ed5951e881f50a7fe2f

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
98KB

MD5
1ef8c06061a62af878b36575e67eae30

SHA1
fc2e3316088b610a8a232e21d6c8a944b157b59f

SHA256
11f04fc0cb49c6728ea96d70d4093cd9f4a2e552523871ebc0dbd13ac5685b84

SHA512
8a0b59ab65fd11d679337137b9817e1af45109c7d6b59672371deae51057d24d36676e1e09730f3e1f55d7de4c452dfa2349274709ec1f8373b5803bb0935244

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
98KB

MD5
1ef8c06061a62af878b36575e67eae30

SHA1
fc2e3316088b610a8a232e21d6c8a944b157b59f

SHA256
11f04fc0cb49c6728ea96d70d4093cd9f4a2e552523871ebc0dbd13ac5685b84

SHA512
8a0b59ab65fd11d679337137b9817e1af45109c7d6b59672371deae51057d24d36676e1e09730f3e1f55d7de4c452dfa2349274709ec1f8373b5803bb0935244

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
98KB

MD5
6153756ef86ca3a1fd037b99adf88d1b

SHA1
5f15fa623e05fe002bbcd0a3fc9af963a30fb8eb

SHA256
7936038dfabe8921128b452a0ebef2d65eb19b420661bcb6ecf04c7dfd23d2b8

SHA512
1b7b387c4f2c69e831b6de89f4ab68beb24dbfacefaa74a8d20d78fd56af4b1198d0b0f7e0157636a9cbb634edc147b05c9a01accca1153fc1919428ea032716

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
98KB

MD5
6153756ef86ca3a1fd037b99adf88d1b

SHA1
5f15fa623e05fe002bbcd0a3fc9af963a30fb8eb

SHA256
7936038dfabe8921128b452a0ebef2d65eb19b420661bcb6ecf04c7dfd23d2b8

SHA512
1b7b387c4f2c69e831b6de89f4ab68beb24dbfacefaa74a8d20d78fd56af4b1198d0b0f7e0157636a9cbb634edc147b05c9a01accca1153fc1919428ea032716

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
98KB

MD5
def1a9025f72105f34da2ef56a239a72

SHA1
03847d49d060d82a72cbd74950cb162267eebabd

SHA256
b9e428e63251a75ab352fe9cd0af98d1a173a66df16b9fdffa5cfdd55d26e176

SHA512
1cce24d713a18d627639bddfa1da8629d780ebacdc1c1aa14e67cb1c20e45ff9a80e162372762f266aa507842324905333269ba376bf6654dcddffe7e79264f8

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
98KB

MD5
def1a9025f72105f34da2ef56a239a72

SHA1
03847d49d060d82a72cbd74950cb162267eebabd

SHA256
b9e428e63251a75ab352fe9cd0af98d1a173a66df16b9fdffa5cfdd55d26e176

SHA512
1cce24d713a18d627639bddfa1da8629d780ebacdc1c1aa14e67cb1c20e45ff9a80e162372762f266aa507842324905333269ba376bf6654dcddffe7e79264f8

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
98KB

MD5
def1a9025f72105f34da2ef56a239a72

SHA1
03847d49d060d82a72cbd74950cb162267eebabd

SHA256
b9e428e63251a75ab352fe9cd0af98d1a173a66df16b9fdffa5cfdd55d26e176

SHA512
1cce24d713a18d627639bddfa1da8629d780ebacdc1c1aa14e67cb1c20e45ff9a80e162372762f266aa507842324905333269ba376bf6654dcddffe7e79264f8

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
98KB

MD5
2492e6ee97a5664ba3614c8299add8dd

SHA1
0ef07d300384a93bb17c7f51843c352998db9989

SHA256
23028a582271b7ffbaab27f113dac6437a1c1a4ca18e8465561beca06354e2c5

SHA512
c2249200f7626a2e0c8f26aad6b64bb4efbdda62a10eb90e2dc497b5f320ac0d474568289680b9b1285a17153485c75e11c7ff38b13ee4385cd68ec9fc0152e9

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
98KB

MD5
2492e6ee97a5664ba3614c8299add8dd

SHA1
0ef07d300384a93bb17c7f51843c352998db9989

SHA256
23028a582271b7ffbaab27f113dac6437a1c1a4ca18e8465561beca06354e2c5

SHA512
c2249200f7626a2e0c8f26aad6b64bb4efbdda62a10eb90e2dc497b5f320ac0d474568289680b9b1285a17153485c75e11c7ff38b13ee4385cd68ec9fc0152e9

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
98KB

MD5
26ad1b0ca892994c73851e30ccd79759

SHA1
027a1d2d3cf8284cb199b264043a7ae2925582bc

SHA256
59871aecbce49ae9a61374ee8e2456cc452d085c283b9de78971fdb2a21acd97

SHA512
8f05ab06755655046478eba095b3e22ceb276b50c5f73c7ad7252b5377f980df1059a57ff6a342839729adc1feb2501afd8672a28adb87dbf48d9c0d48c25d9d

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
98KB

MD5
26ad1b0ca892994c73851e30ccd79759

SHA1
027a1d2d3cf8284cb199b264043a7ae2925582bc

SHA256
59871aecbce49ae9a61374ee8e2456cc452d085c283b9de78971fdb2a21acd97

SHA512
8f05ab06755655046478eba095b3e22ceb276b50c5f73c7ad7252b5377f980df1059a57ff6a342839729adc1feb2501afd8672a28adb87dbf48d9c0d48c25d9d

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
98KB

MD5
fba23dc9e7fc8a09b39e38279a619a6c

SHA1
198e10c3d39640b681dfa473099d08e468ffc4c4

SHA256
ff1037d6124164b2656230e57ff9d5f2fc404079b21c6747b4826a5a6e30a919

SHA512
4fbbe4cee3541122645249d07c95bec3ffb62bbf57ac1757b25b59b6e5163e448c076ffe04ba20a249755156e5de8ef18229f7fda9899328c09ca187284509d9

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
98KB

MD5
63d40fa456a6de4b2b3bab3fe277ab3a

SHA1
a5886f3d1b44268fcfeac78f589615799271f37a

SHA256
9cb0862a1a02239102a280527979ce9a6cfd7448c9fd143fb62b961b8d7507e3

SHA512
63dde88a81d8f95815b3d202052cf9eb913c683199038631e65ded12493db4a93a401a6e564e25e91b5a0ebb6703f08946e7facda48f0a67da6e6625740c523e

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
98KB

MD5
63d40fa456a6de4b2b3bab3fe277ab3a

SHA1
a5886f3d1b44268fcfeac78f589615799271f37a

SHA256
9cb0862a1a02239102a280527979ce9a6cfd7448c9fd143fb62b961b8d7507e3

SHA512
63dde88a81d8f95815b3d202052cf9eb913c683199038631e65ded12493db4a93a401a6e564e25e91b5a0ebb6703f08946e7facda48f0a67da6e6625740c523e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
98KB

MD5
b33ee81622ffd42946f5084098c02a2c

SHA1
20afed374675a802e61373a4919430caef30d9cb

SHA256
7a51ac6e504112cd28eb09aa857f11a9a188d44dab6233fdaf96ada27bcd2e0f

SHA512
78278c938aa6ba9a8e5bf78b316bb993c973d3d167f97e3fcd2e90eea8e775c08a821158b6f36aca7becd507126aec8d39fec6fdef7eb0cb97fcfb31ff8c0cfc

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
98KB

MD5
b33ee81622ffd42946f5084098c02a2c

SHA1
20afed374675a802e61373a4919430caef30d9cb

SHA256
7a51ac6e504112cd28eb09aa857f11a9a188d44dab6233fdaf96ada27bcd2e0f

SHA512
78278c938aa6ba9a8e5bf78b316bb993c973d3d167f97e3fcd2e90eea8e775c08a821158b6f36aca7becd507126aec8d39fec6fdef7eb0cb97fcfb31ff8c0cfc

Download Submit
C:\Windows\SysWOW64\Dpmdoo32.dll

Filesize
7KB

MD5
6ee12e4ca2b9e896b7fd8fcd0924830c

SHA1
d303b7c8dbf66c311d56df1b4b9be10fe4110669

SHA256
f7ae7855a9adc48790db416faff88eb427370e17aaacbf6143f89dcfb906b55c

SHA512
b47cd6189c2d754d804f561e394b5aec7e3058d6b3fe64e3c1817cef5e62aa08e12c112e09d2e685d98f85cd0fe264ce578c8be2d06b30abf17bdca30d8ff76d

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
98KB

MD5
8802ab1a739603329c9e872532b7d470

SHA1
ab5f831cdfe3df506a6f91efeb56e35a6f090814

SHA256
8249eb3911696c9f51f7723492f702d48a9fec44427aaa7233fc6de458e2a5dd

SHA512
63202389fd91c3a0f0af18586d645ab9220684102cd6e70217467bd0665a552701ff90b105e5c5bcae2cb3f379a26ea2493ec6cdc589b481171d7479f6ebf5f4

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
98KB

MD5
8802ab1a739603329c9e872532b7d470

SHA1
ab5f831cdfe3df506a6f91efeb56e35a6f090814

SHA256
8249eb3911696c9f51f7723492f702d48a9fec44427aaa7233fc6de458e2a5dd

SHA512
63202389fd91c3a0f0af18586d645ab9220684102cd6e70217467bd0665a552701ff90b105e5c5bcae2cb3f379a26ea2493ec6cdc589b481171d7479f6ebf5f4

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
98KB

MD5
af1e6227fd5ce37554df064de2487432

SHA1
0eee3103a57352dbd85492d4b1d0735cad72081a

SHA256
70e74343697d6c19a40acc78b23b3371bfe4ebd12e5c571fc8e9720e8b41e4e8

SHA512
6262ce42dbdfeb381b319718e14fca90aaed1cf4783b4b316ea75754b2f4a88c779c881776ec7c63b78d950e7af5eb661500e8484ce28d94561190f1711c8983

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
98KB

MD5
af1e6227fd5ce37554df064de2487432

SHA1
0eee3103a57352dbd85492d4b1d0735cad72081a

SHA256
70e74343697d6c19a40acc78b23b3371bfe4ebd12e5c571fc8e9720e8b41e4e8

SHA512
6262ce42dbdfeb381b319718e14fca90aaed1cf4783b4b316ea75754b2f4a88c779c881776ec7c63b78d950e7af5eb661500e8484ce28d94561190f1711c8983

Download Submit
memory/228-218-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/228-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/632-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/632-235-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1104-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1104-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1456-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1456-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1928-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1928-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2156-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2156-222-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2704-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2704-227-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3044-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3044-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3452-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3452-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3984-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3984-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4084-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4084-230-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4212-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4212-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4220-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4220-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4272-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4272-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4360-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4360-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads