ce557c0687348879e092a6d1c34426a428869a19e6d7bb3bb1b32300a2e578ef

Analysis

max time kernel
129s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
Size

56KB
MD5

9d56b92ff2e6c8ace61243d47286d570
SHA1

194255fea85defc2d101d3db7b5dee898c76f386
SHA256

ce557c0687348879e092a6d1c34426a428869a19e6d7bb3bb1b32300a2e578ef
SHA512

f43fb3c4fdd5c13e4c5fce55ea0586efe0f5ea62e98bbddb7c1bed5a89875de281d87649bef4c660faba9e644b933a31606c4f054e91783a746a6c0de9b0681c
SSDEEP

768:8+Yixu352Zu6GY4VRHhdWOwUbmm9iHnJpNAGDjEf3zJqNip32p/1H5m9fXdnhb:j2UGzXOnJqqNE2Lch

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjdfgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gccmaack.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mffjnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkgaglpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcihjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cigcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcpojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adbkmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjdfgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdodbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhcbidcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pddokabk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cejjdlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cejjdlap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gccmaack.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdodbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigcjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oinbgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcihjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjamhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpghfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oinbgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmbgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjamhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpghfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhcbidcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pddokabk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adbkmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmbgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcpojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mffjnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkgaglpp.exe

Executes dropped EXE 17 IoCs

pid	Process
4732	Gccmaack.exe
4584	Jcihjl32.exe
3416	Jcpojk32.exe
3068	Kjamhd32.exe
3804	Lpghfi32.exe
4320	Mffjnc32.exe
3412	Mdodbf32.exe
4892	Nhcbidcd.exe
512	Oinbgk32.exe
4384	Pkgaglpp.exe
4060	Pddokabk.exe
4364	Adbkmo32.exe
2432	Bbmbgb32.exe
3972	Cjdfgc32.exe
3204	Cejjdlap.exe
3888	Cigcjj32.exe
336	Eldlhckj.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nbddah32.dll	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
File created	C:\Windows\SysWOW64\Egmjnelk.dll	Mdodbf32.exe
File created	C:\Windows\SysWOW64\Cejjdlap.exe	Cjdfgc32.exe
File created	C:\Windows\SysWOW64\Eldlhckj.exe	Cigcjj32.exe
File created	C:\Windows\SysWOW64\Apleaenp.dll	Cigcjj32.exe
File created	C:\Windows\SysWOW64\Adbkmo32.exe	Pddokabk.exe
File created	C:\Windows\SysWOW64\Jcpojk32.exe	Jcihjl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdodbf32.exe	Mffjnc32.exe
File created	C:\Windows\SysWOW64\Loifpp32.dll	Nhcbidcd.exe
File opened for modification	C:\Windows\SysWOW64\Pddokabk.exe	Pkgaglpp.exe
File created	C:\Windows\SysWOW64\Lelncp32.dll	Pkgaglpp.exe
File opened for modification	C:\Windows\SysWOW64\Oinbgk32.exe	Nhcbidcd.exe
File created	C:\Windows\SysWOW64\Cigcjj32.exe	Cejjdlap.exe
File created	C:\Windows\SysWOW64\Lpghfi32.exe	Kjamhd32.exe
File created	C:\Windows\SysWOW64\Cbpppcid.dll	Kjamhd32.exe
File created	C:\Windows\SysWOW64\Mffjnc32.exe	Lpghfi32.exe
File opened for modification	C:\Windows\SysWOW64\Cjdfgc32.exe	Bbmbgb32.exe
File created	C:\Windows\SysWOW64\Milgmknm.dll	Gccmaack.exe
File created	C:\Windows\SysWOW64\Oinbgk32.exe	Nhcbidcd.exe
File created	C:\Windows\SysWOW64\Lokceimi.dll	Adbkmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kjamhd32.exe	Jcpojk32.exe
File created	C:\Windows\SysWOW64\Aljldk32.dll	Oinbgk32.exe
File created	C:\Windows\SysWOW64\Phbcfe32.dll	Bbmbgb32.exe
File created	C:\Windows\SysWOW64\Jcihjl32.exe	Gccmaack.exe
File opened for modification	C:\Windows\SysWOW64\Bbmbgb32.exe	Adbkmo32.exe
File created	C:\Windows\SysWOW64\Fpkpgaob.dll	Jcihjl32.exe
File opened for modification	C:\Windows\SysWOW64\Eldlhckj.exe	Cigcjj32.exe
File created	C:\Windows\SysWOW64\Modkhnci.dll	Mffjnc32.exe
File created	C:\Windows\SysWOW64\Pddokabk.exe	Pkgaglpp.exe
File created	C:\Windows\SysWOW64\Gccmaack.exe	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
File created	C:\Windows\SysWOW64\Nhcbidcd.exe	Mdodbf32.exe
File opened for modification	C:\Windows\SysWOW64\Pkgaglpp.exe	Oinbgk32.exe
File created	C:\Windows\SysWOW64\Pobbadje.dll	Pddokabk.exe
File opened for modification	C:\Windows\SysWOW64\Cejjdlap.exe	Cjdfgc32.exe
File created	C:\Windows\SysWOW64\Kjamhd32.exe	Jcpojk32.exe
File created	C:\Windows\SysWOW64\Mcpooenf.dll	Jcpojk32.exe
File opened for modification	C:\Windows\SysWOW64\Lpghfi32.exe	Kjamhd32.exe
File opened for modification	C:\Windows\SysWOW64\Mffjnc32.exe	Lpghfi32.exe
File created	C:\Windows\SysWOW64\Lkcancmc.dll	Cjdfgc32.exe
File created	C:\Windows\SysWOW64\Mdodbf32.exe	Mffjnc32.exe
File opened for modification	C:\Windows\SysWOW64\Cigcjj32.exe	Cejjdlap.exe
File opened for modification	C:\Windows\SysWOW64\Gccmaack.exe	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
File opened for modification	C:\Windows\SysWOW64\Jcihjl32.exe	Gccmaack.exe
File created	C:\Windows\SysWOW64\Fcpnhp32.dll	Lpghfi32.exe
File opened for modification	C:\Windows\SysWOW64\Nhcbidcd.exe	Mdodbf32.exe
File opened for modification	C:\Windows\SysWOW64\Adbkmo32.exe	Pddokabk.exe
File created	C:\Windows\SysWOW64\Bbmbgb32.exe	Adbkmo32.exe
File opened for modification	C:\Windows\SysWOW64\Jcpojk32.exe	Jcihjl32.exe
File created	C:\Windows\SysWOW64\Pkgaglpp.exe	Oinbgk32.exe
File created	C:\Windows\SysWOW64\Ljiochji.dll	Cejjdlap.exe
File created	C:\Windows\SysWOW64\Cjdfgc32.exe	Bbmbgb32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3948	336	WerFault.exe	109
2548	336	WerFault.exe	109

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpghfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdodbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhcbidcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pddokabk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cigcjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mffjnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oinbgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjamhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oinbgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkgaglpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcihjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modkhnci.dll"	Mffjnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lokceimi.dll"	Adbkmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcpojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjamhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpghfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pddokabk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adbkmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmbgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobbadje.dll"	Pddokabk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbcfe32.dll"	Bbmbgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cejjdlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljiochji.dll"	Cejjdlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcpooenf.dll"	Jcpojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpnhp32.dll"	Lpghfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cejjdlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apleaenp.dll"	Cigcjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mffjnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdodbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhcbidcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkgaglpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adbkmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelncp32.dll"	Pkgaglpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbddah32.dll"	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgmknm.dll"	Gccmaack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcpojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loifpp32.dll"	Nhcbidcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkpgaob.dll"	Jcihjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpppcid.dll"	Kjamhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljldk32.dll"	Oinbgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmbgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcancmc.dll"	Cjdfgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjdfgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gccmaack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmjnelk.dll"	Mdodbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjdfgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gccmaack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcihjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cigcjj32.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4732	3140	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe	91
PID 3140 wrote to memory of 4732	3140	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe	91
PID 3140 wrote to memory of 4732	3140	NEAS.9d56b92ff2e6c8ace61243d47286d570.exe	91
PID 4732 wrote to memory of 4584	4732	Gccmaack.exe	92
PID 4732 wrote to memory of 4584	4732	Gccmaack.exe	92
PID 4732 wrote to memory of 4584	4732	Gccmaack.exe	92
PID 4584 wrote to memory of 3416	4584	Jcihjl32.exe	93
PID 4584 wrote to memory of 3416	4584	Jcihjl32.exe	93
PID 4584 wrote to memory of 3416	4584	Jcihjl32.exe	93
PID 3416 wrote to memory of 3068	3416	Jcpojk32.exe	94
PID 3416 wrote to memory of 3068	3416	Jcpojk32.exe	94
PID 3416 wrote to memory of 3068	3416	Jcpojk32.exe	94
PID 3068 wrote to memory of 3804	3068	Kjamhd32.exe	95
PID 3068 wrote to memory of 3804	3068	Kjamhd32.exe	95
PID 3068 wrote to memory of 3804	3068	Kjamhd32.exe	95
PID 3804 wrote to memory of 4320	3804	Lpghfi32.exe	96
PID 3804 wrote to memory of 4320	3804	Lpghfi32.exe	96
PID 3804 wrote to memory of 4320	3804	Lpghfi32.exe	96
PID 4320 wrote to memory of 3412	4320	Mffjnc32.exe	97
PID 4320 wrote to memory of 3412	4320	Mffjnc32.exe	97
PID 4320 wrote to memory of 3412	4320	Mffjnc32.exe	97
PID 3412 wrote to memory of 4892	3412	Mdodbf32.exe	98
PID 3412 wrote to memory of 4892	3412	Mdodbf32.exe	98
PID 3412 wrote to memory of 4892	3412	Mdodbf32.exe	98
PID 4892 wrote to memory of 512	4892	Nhcbidcd.exe	99
PID 4892 wrote to memory of 512	4892	Nhcbidcd.exe	99
PID 4892 wrote to memory of 512	4892	Nhcbidcd.exe	99
PID 512 wrote to memory of 4384	512	Oinbgk32.exe	100
PID 512 wrote to memory of 4384	512	Oinbgk32.exe	100
PID 512 wrote to memory of 4384	512	Oinbgk32.exe	100
PID 4384 wrote to memory of 4060	4384	Pkgaglpp.exe	101
PID 4384 wrote to memory of 4060	4384	Pkgaglpp.exe	101
PID 4384 wrote to memory of 4060	4384	Pkgaglpp.exe	101
PID 4060 wrote to memory of 4364	4060	Pddokabk.exe	102
PID 4060 wrote to memory of 4364	4060	Pddokabk.exe	102
PID 4060 wrote to memory of 4364	4060	Pddokabk.exe	102
PID 4364 wrote to memory of 2432	4364	Adbkmo32.exe	103
PID 4364 wrote to memory of 2432	4364	Adbkmo32.exe	103
PID 4364 wrote to memory of 2432	4364	Adbkmo32.exe	103
PID 2432 wrote to memory of 3972	2432	Bbmbgb32.exe	104
PID 2432 wrote to memory of 3972	2432	Bbmbgb32.exe	104
PID 2432 wrote to memory of 3972	2432	Bbmbgb32.exe	104
PID 3972 wrote to memory of 3204	3972	Cjdfgc32.exe	105
PID 3972 wrote to memory of 3204	3972	Cjdfgc32.exe	105
PID 3972 wrote to memory of 3204	3972	Cjdfgc32.exe	105
PID 3204 wrote to memory of 3888	3204	Cejjdlap.exe	107
PID 3204 wrote to memory of 3888	3204	Cejjdlap.exe	107
PID 3204 wrote to memory of 3888	3204	Cejjdlap.exe	107
PID 3888 wrote to memory of 336	3888	Cigcjj32.exe	109
PID 3888 wrote to memory of 336	3888	Cigcjj32.exe	109
PID 3888 wrote to memory of 336	3888	Cigcjj32.exe	109
PID 336 wrote to memory of 3948	336	Eldlhckj.exe	111
PID 336 wrote to memory of 3948	336	Eldlhckj.exe	111
PID 336 wrote to memory of 3948	336	Eldlhckj.exe	111

C:\Users\Admin\AppData\Local\Temp\NEAS.9d56b92ff2e6c8ace61243d47286d570.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9d56b92ff2e6c8ace61243d47286d570.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\SysWOW64\Gccmaack.exe
  C:\Windows\system32\Gccmaack.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\Jcihjl32.exe
    C:\Windows\system32\Jcihjl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\Jcpojk32.exe
      C:\Windows\system32\Jcpojk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Windows\SysWOW64\Kjamhd32.exe
        
        C:\Windows\system32\Kjamhd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\Lpghfi32.exe
        
        C:\Windows\system32\Lpghfi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Mffjnc32.exe
        
        C:\Windows\system32\Mffjnc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Mdodbf32.exe
        
        C:\Windows\system32\Mdodbf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Nhcbidcd.exe
        
        C:\Windows\system32\Nhcbidcd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Oinbgk32.exe
        
        C:\Windows\system32\Oinbgk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Pkgaglpp.exe
        
        C:\Windows\system32\Pkgaglpp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Pddokabk.exe
        
        C:\Windows\system32\Pddokabk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Adbkmo32.exe
        
        C:\Windows\system32\Adbkmo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Bbmbgb32.exe
        
        C:\Windows\system32\Bbmbgb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Cjdfgc32.exe
        
        C:\Windows\system32\Cjdfgc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Cejjdlap.exe
        
        C:\Windows\system32\Cejjdlap.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Cigcjj32.exe
        
        C:\Windows\system32\Cigcjj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 400
        19⤵
        Program crash
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 400
        19⤵
        Program crash
        
        PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 336 -ip 336
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adbkmo32.exe

Filesize
56KB

MD5
00cb6ae650219003adfd35ddb9e73bd4

SHA1
f7330e319ff61f929d5e11d8957726134770df75

SHA256
ee2a86a9601950a57a2585a4b3f925a6a569068d6575d1f7b09bdcec1a9e73b0

SHA512
f445d722bf4d4e0536aefc760d7828b96a752c1e386441f642f6c9395ce34c0064662cb686941ac451348aec042f7dbe1af75e6df9bef4c057c33f6035f4a748

Download Submit
C:\Windows\SysWOW64\Adbkmo32.exe

Filesize
56KB

MD5
00cb6ae650219003adfd35ddb9e73bd4

SHA1
f7330e319ff61f929d5e11d8957726134770df75

SHA256
ee2a86a9601950a57a2585a4b3f925a6a569068d6575d1f7b09bdcec1a9e73b0

SHA512
f445d722bf4d4e0536aefc760d7828b96a752c1e386441f642f6c9395ce34c0064662cb686941ac451348aec042f7dbe1af75e6df9bef4c057c33f6035f4a748

Download Submit
C:\Windows\SysWOW64\Bbmbgb32.exe

Filesize
56KB

MD5
f3a84c84805aa93a4ff185db96ebb9d3

SHA1
54f968f488fc9edced0aec58599380a1f86535d5

SHA256
65c5386666a42fd4559a712b0363adaf846057326e442452f6c123375710a64e

SHA512
b84f6d6bdd7f5f2b06ddac1b5ff1e44b55277a4bff827dee477181232caebb341853146f09ca96e3178098169bc1ea872d7d821b66d4166fcad844f95b2e9994

Download Submit
C:\Windows\SysWOW64\Bbmbgb32.exe

Filesize
56KB

MD5
f3a84c84805aa93a4ff185db96ebb9d3

SHA1
54f968f488fc9edced0aec58599380a1f86535d5

SHA256
65c5386666a42fd4559a712b0363adaf846057326e442452f6c123375710a64e

SHA512
b84f6d6bdd7f5f2b06ddac1b5ff1e44b55277a4bff827dee477181232caebb341853146f09ca96e3178098169bc1ea872d7d821b66d4166fcad844f95b2e9994

Download Submit
C:\Windows\SysWOW64\Cejjdlap.exe

Filesize
56KB

MD5
59b1584a6ae388fd2e6fc25f9954332c

SHA1
871b8c7415aa6ee183949962309a636315b63d3a

SHA256
638dabac31ede9a6641ea177e187e524fa795a8765759c85401f81fadc5d29e1

SHA512
a141d8a5851f53e55be62717d828b1c10a1d8011d4aee3823fced24315ddff1e7dc4c17c186f727b26c78838286340376856ad6110d73eaafea2d7e8926dd35d

Download Submit
C:\Windows\SysWOW64\Cejjdlap.exe

Filesize
56KB

MD5
59b1584a6ae388fd2e6fc25f9954332c

SHA1
871b8c7415aa6ee183949962309a636315b63d3a

SHA256
638dabac31ede9a6641ea177e187e524fa795a8765759c85401f81fadc5d29e1

SHA512
a141d8a5851f53e55be62717d828b1c10a1d8011d4aee3823fced24315ddff1e7dc4c17c186f727b26c78838286340376856ad6110d73eaafea2d7e8926dd35d

Download Submit
C:\Windows\SysWOW64\Cigcjj32.exe

Filesize
56KB

MD5
b48b83854a834beb2f9390ee31489efb

SHA1
f8ae5e99d194ccb51f79c78dbe645874c9036ba4

SHA256
82900e82e3dfc27c0f67ab1393d501541fea67dcc4ac3af56ea9c15372d69644

SHA512
f9dd0bbfcdfa692433d693306b6b1e9f578ac7c8f045756c537f430132082f9a4d556c74de00251da09b51f1ca2aade25548c08e7a31ee0341683124be8d0b23

Download Submit
C:\Windows\SysWOW64\Cigcjj32.exe

Filesize
56KB

MD5
b48b83854a834beb2f9390ee31489efb

SHA1
f8ae5e99d194ccb51f79c78dbe645874c9036ba4

SHA256
82900e82e3dfc27c0f67ab1393d501541fea67dcc4ac3af56ea9c15372d69644

SHA512
f9dd0bbfcdfa692433d693306b6b1e9f578ac7c8f045756c537f430132082f9a4d556c74de00251da09b51f1ca2aade25548c08e7a31ee0341683124be8d0b23

Download Submit
C:\Windows\SysWOW64\Cjdfgc32.exe

Filesize
56KB

MD5
515c44e351e4ad24b2e44d0b1e34f77d

SHA1
49649133d7e18b94472efccb5188ebdb7a7e7525

SHA256
4b403c8e1db5222d10cf41337691433cfe58aae31915aa74c1f60b1376fb6e2b

SHA512
0dd0fbe163931c7475cbcc4ba795edb595e8fc8826160b234fdf31428d1b09c551f30c5f4dd5ac85fe60a26e761283435667475d5015a8e591e8b4e68258d3f8

Download Submit
C:\Windows\SysWOW64\Cjdfgc32.exe

Filesize
56KB

MD5
515c44e351e4ad24b2e44d0b1e34f77d

SHA1
49649133d7e18b94472efccb5188ebdb7a7e7525

SHA256
4b403c8e1db5222d10cf41337691433cfe58aae31915aa74c1f60b1376fb6e2b

SHA512
0dd0fbe163931c7475cbcc4ba795edb595e8fc8826160b234fdf31428d1b09c551f30c5f4dd5ac85fe60a26e761283435667475d5015a8e591e8b4e68258d3f8

Download Submit
C:\Windows\SysWOW64\Eldlhckj.exe

Filesize
56KB

MD5
b48b83854a834beb2f9390ee31489efb

SHA1
f8ae5e99d194ccb51f79c78dbe645874c9036ba4

SHA256
82900e82e3dfc27c0f67ab1393d501541fea67dcc4ac3af56ea9c15372d69644

SHA512
f9dd0bbfcdfa692433d693306b6b1e9f578ac7c8f045756c537f430132082f9a4d556c74de00251da09b51f1ca2aade25548c08e7a31ee0341683124be8d0b23

Download Submit
C:\Windows\SysWOW64\Eldlhckj.exe

Filesize
56KB

MD5
26d42ca3e1caf5ac4ed24857e3e299b4

SHA1
24885ee37a0fd30569f3a41fddee15fdc9dd1d4f

SHA256
9d10e2e51cd8a8b0ef907505dd89c7458e4cac3de7dd896b278ff678c8415144

SHA512
a7627c839d4bda83f737ca0c4215a45a624ce07c1453f6ce304b961a2d43f4f5b7988ec19c2fa1009a0c7d416d72eeea867418cef4fc66e540105a2dfcac5dff

Download Submit
C:\Windows\SysWOW64\Eldlhckj.exe

Filesize
56KB

MD5
26d42ca3e1caf5ac4ed24857e3e299b4

SHA1
24885ee37a0fd30569f3a41fddee15fdc9dd1d4f

SHA256
9d10e2e51cd8a8b0ef907505dd89c7458e4cac3de7dd896b278ff678c8415144

SHA512
a7627c839d4bda83f737ca0c4215a45a624ce07c1453f6ce304b961a2d43f4f5b7988ec19c2fa1009a0c7d416d72eeea867418cef4fc66e540105a2dfcac5dff

Download Submit
C:\Windows\SysWOW64\Gccmaack.exe

Filesize
56KB

MD5
37e35da1073afbf3de525ac836c4dc0d

SHA1
a2071971191f63eb665be3a706973a6c513cc15c

SHA256
645942a5226788276c8d3b785221c23b8ef07d19f13747a0f93930b97ae45323

SHA512
f05747db39c58cac620fa7e6dc218b5b9c8d95547e5bd497165853a3b8f36c38f1589479032f39c38489f987b7f1b877416141d0ec8a53b087ddcd88fb8e4909

Download Submit
C:\Windows\SysWOW64\Gccmaack.exe

Filesize
56KB

MD5
37e35da1073afbf3de525ac836c4dc0d

SHA1
a2071971191f63eb665be3a706973a6c513cc15c

SHA256
645942a5226788276c8d3b785221c23b8ef07d19f13747a0f93930b97ae45323

SHA512
f05747db39c58cac620fa7e6dc218b5b9c8d95547e5bd497165853a3b8f36c38f1589479032f39c38489f987b7f1b877416141d0ec8a53b087ddcd88fb8e4909

Download Submit
C:\Windows\SysWOW64\Jcihjl32.exe

Filesize
56KB

MD5
2357d2e54f8ac80e25fe4e2372500857

SHA1
b07b7262f21e7eac07f52934c228a9ee64b4f894

SHA256
a669e506eaf0c6ec3f93bdb1e5d4504e94431a9c9b6a0e3dac84926a057a64fa

SHA512
ae3890ac843324fe86806cba4a1f483966122595bc382b1890325b0a879b5810315ad0d14c5376a9e78af0990573f3a13f1a186f5d9bca6cd4c6cdacd9c66582

Download Submit
C:\Windows\SysWOW64\Jcihjl32.exe

Filesize
56KB

MD5
2357d2e54f8ac80e25fe4e2372500857

SHA1
b07b7262f21e7eac07f52934c228a9ee64b4f894

SHA256
a669e506eaf0c6ec3f93bdb1e5d4504e94431a9c9b6a0e3dac84926a057a64fa

SHA512
ae3890ac843324fe86806cba4a1f483966122595bc382b1890325b0a879b5810315ad0d14c5376a9e78af0990573f3a13f1a186f5d9bca6cd4c6cdacd9c66582

Download Submit
C:\Windows\SysWOW64\Jcpojk32.exe

Filesize
56KB

MD5
9b64a7f518f8554b752dca556f1c3967

SHA1
f51f809a48da917efbdb3fa6abff49845625b169

SHA256
0648288c063c0654e8ac520464268c3820e226838f1eea9af5809945c63ab70b

SHA512
fd2ab593d5343d904f4cb931e7c5670110098d8ff8ffe4036fbc98f0931d5e728ad2b35ad84fcb891b860dc86824fcc556541c6cbe19c04e78f2820eb3b22752

Download Submit
C:\Windows\SysWOW64\Jcpojk32.exe

Filesize
56KB

MD5
9b64a7f518f8554b752dca556f1c3967

SHA1
f51f809a48da917efbdb3fa6abff49845625b169

SHA256
0648288c063c0654e8ac520464268c3820e226838f1eea9af5809945c63ab70b

SHA512
fd2ab593d5343d904f4cb931e7c5670110098d8ff8ffe4036fbc98f0931d5e728ad2b35ad84fcb891b860dc86824fcc556541c6cbe19c04e78f2820eb3b22752

Download Submit
C:\Windows\SysWOW64\Kjamhd32.exe

Filesize
56KB

MD5
c7690179c86d83fb0476e09770162531

SHA1
58c94f91af360b3b89a653ace1a5d9505aa6d58b

SHA256
cd32cea3e21f43d0766ddc8ebd8803f8512d1c46f21ec36d0371d6444028dcdf

SHA512
c007531df70afbe8fa1e0fd52c31e8372707d72122787f86ff2725227b74f3dfb58897eb9e3b23a8189fb274e25a517007b244757fd03ed93193662f8d1579c5

Download Submit
C:\Windows\SysWOW64\Kjamhd32.exe

Filesize
56KB

MD5
c7690179c86d83fb0476e09770162531

SHA1
58c94f91af360b3b89a653ace1a5d9505aa6d58b

SHA256
cd32cea3e21f43d0766ddc8ebd8803f8512d1c46f21ec36d0371d6444028dcdf

SHA512
c007531df70afbe8fa1e0fd52c31e8372707d72122787f86ff2725227b74f3dfb58897eb9e3b23a8189fb274e25a517007b244757fd03ed93193662f8d1579c5

Download Submit
C:\Windows\SysWOW64\Lpghfi32.exe

Filesize
56KB

MD5
bc3899adfdf30f324b946a4c37e662ea

SHA1
17acf548ef7afd298fc66ab72a308386b69297ce

SHA256
13c1110fa7d0f4d0168813d7cc0dc67679b0667ff9ea1d1e5b58333e7ea91a7e

SHA512
fba8db9f089767547f63f2fc67e81ebace5898749f13f39684394a68d2804d75d62ddcefc4607bc7384cead1b5a57586f707d1a6d862bef7fbad087238ee7da9

Download Submit
C:\Windows\SysWOW64\Lpghfi32.exe

Filesize
56KB

MD5
bc3899adfdf30f324b946a4c37e662ea

SHA1
17acf548ef7afd298fc66ab72a308386b69297ce

SHA256
13c1110fa7d0f4d0168813d7cc0dc67679b0667ff9ea1d1e5b58333e7ea91a7e

SHA512
fba8db9f089767547f63f2fc67e81ebace5898749f13f39684394a68d2804d75d62ddcefc4607bc7384cead1b5a57586f707d1a6d862bef7fbad087238ee7da9

Download Submit
C:\Windows\SysWOW64\Lpghfi32.exe

Filesize
56KB

MD5
bc3899adfdf30f324b946a4c37e662ea

SHA1
17acf548ef7afd298fc66ab72a308386b69297ce

SHA256
13c1110fa7d0f4d0168813d7cc0dc67679b0667ff9ea1d1e5b58333e7ea91a7e

SHA512
fba8db9f089767547f63f2fc67e81ebace5898749f13f39684394a68d2804d75d62ddcefc4607bc7384cead1b5a57586f707d1a6d862bef7fbad087238ee7da9

Download Submit
C:\Windows\SysWOW64\Mdodbf32.exe

Filesize
56KB

MD5
a80c07b6cfb71eb39dac7d73d8a86a4b

SHA1
4a2dbe4ca6e380c8ba0634604a9b0753c5328a69

SHA256
c80aaeeb84478a787e640e744e3cf30bc195895b20e9833350814acf9e046e12

SHA512
21230619c08c5aad49de9d9df67bbb1e1879a145876b689bc16cff287bb6dae2dce320a2b14c2005dd0f8b384c6ef9c3fbfac9b94eb4bbc6e5f70b1a9198863c

Download Submit
C:\Windows\SysWOW64\Mdodbf32.exe

Filesize
56KB

MD5
a80c07b6cfb71eb39dac7d73d8a86a4b

SHA1
4a2dbe4ca6e380c8ba0634604a9b0753c5328a69

SHA256
c80aaeeb84478a787e640e744e3cf30bc195895b20e9833350814acf9e046e12

SHA512
21230619c08c5aad49de9d9df67bbb1e1879a145876b689bc16cff287bb6dae2dce320a2b14c2005dd0f8b384c6ef9c3fbfac9b94eb4bbc6e5f70b1a9198863c

Download Submit
C:\Windows\SysWOW64\Mffjnc32.exe

Filesize
56KB

MD5
bc3899adfdf30f324b946a4c37e662ea

SHA1
17acf548ef7afd298fc66ab72a308386b69297ce

SHA256
13c1110fa7d0f4d0168813d7cc0dc67679b0667ff9ea1d1e5b58333e7ea91a7e

SHA512
fba8db9f089767547f63f2fc67e81ebace5898749f13f39684394a68d2804d75d62ddcefc4607bc7384cead1b5a57586f707d1a6d862bef7fbad087238ee7da9

Download Submit
C:\Windows\SysWOW64\Mffjnc32.exe

Filesize
56KB

MD5
b19312264bef4ed3a43c49309fe1b09c

SHA1
4b28d5b377e2a8373777899be72c43d87a9fcb8b

SHA256
53635736fbf974436e367224a6651fa9d3d8a6e566c7507639aafe8014be3d4b

SHA512
43f0375b8fd06704fa822569f46d039cd30c58b6a991df3bcddd9992a7514cbfd6d27934b5616c167ef23f6c0096c07b675807f2df31d0aac53022635f98dace

Download Submit
C:\Windows\SysWOW64\Mffjnc32.exe

Filesize
56KB

MD5
b19312264bef4ed3a43c49309fe1b09c

SHA1
4b28d5b377e2a8373777899be72c43d87a9fcb8b

SHA256
53635736fbf974436e367224a6651fa9d3d8a6e566c7507639aafe8014be3d4b

SHA512
43f0375b8fd06704fa822569f46d039cd30c58b6a991df3bcddd9992a7514cbfd6d27934b5616c167ef23f6c0096c07b675807f2df31d0aac53022635f98dace

Download Submit
C:\Windows\SysWOW64\Nhcbidcd.exe

Filesize
56KB

MD5
c81e83e2e926a25a97e495412d921c16

SHA1
af0e533d9658cc5272dd17fe1857e6a68132d609

SHA256
dafec9925935da078c5f82c9306d661586a84099c51c09373143dffb264a9bd1

SHA512
ff48677fe05983620ddeaf0498ba1dc286f3b63a878d9d1074384513b055f0b66ea019020ef87055e82f27bed7e807e0d9cebea5022539dc1f6b56ac003e548c

Download Submit
C:\Windows\SysWOW64\Nhcbidcd.exe

Filesize
56KB

MD5
c81e83e2e926a25a97e495412d921c16

SHA1
af0e533d9658cc5272dd17fe1857e6a68132d609

SHA256
dafec9925935da078c5f82c9306d661586a84099c51c09373143dffb264a9bd1

SHA512
ff48677fe05983620ddeaf0498ba1dc286f3b63a878d9d1074384513b055f0b66ea019020ef87055e82f27bed7e807e0d9cebea5022539dc1f6b56ac003e548c

Download Submit
C:\Windows\SysWOW64\Oinbgk32.exe

Filesize
56KB

MD5
beb3e768fa0532634f9d77e806325473

SHA1
977d8d9d40aef701c66ba3820617e4af1ccebc56

SHA256
6ff97d3431554af5e48d01c261bb12d65c907c4ddfecc2eed0f0f0153bb25d01

SHA512
7ab1f0be9bad0008e67586a26449c8208e4f8940d0da8d5aa4827c365d4623e0db45c49bb868341168858137ac3f25698d434b482c25c9f16ac7d38623f6e6e4

Download Submit
C:\Windows\SysWOW64\Oinbgk32.exe

Filesize
56KB

MD5
beb3e768fa0532634f9d77e806325473

SHA1
977d8d9d40aef701c66ba3820617e4af1ccebc56

SHA256
6ff97d3431554af5e48d01c261bb12d65c907c4ddfecc2eed0f0f0153bb25d01

SHA512
7ab1f0be9bad0008e67586a26449c8208e4f8940d0da8d5aa4827c365d4623e0db45c49bb868341168858137ac3f25698d434b482c25c9f16ac7d38623f6e6e4

Download Submit
C:\Windows\SysWOW64\Pddokabk.exe

Filesize
56KB

MD5
132ec6a0f0bbad894a47e05a5a5add1a

SHA1
02762756c22c39b2d9965db929687d0bc353c183

SHA256
a395a01c29e34bca023a6dc393cff892f6fdfbdcc08f2cb234d2a693a443d922

SHA512
02bbc305a62ef5aaa2865a250faf387220cdee85a067ced06fea77d69d5a67724d69497431370118205254647bb6cbe20c670e3127e858fb98df0c9a7a0a1a9a

Download Submit
C:\Windows\SysWOW64\Pddokabk.exe

Filesize
56KB

MD5
132ec6a0f0bbad894a47e05a5a5add1a

SHA1
02762756c22c39b2d9965db929687d0bc353c183

SHA256
a395a01c29e34bca023a6dc393cff892f6fdfbdcc08f2cb234d2a693a443d922

SHA512
02bbc305a62ef5aaa2865a250faf387220cdee85a067ced06fea77d69d5a67724d69497431370118205254647bb6cbe20c670e3127e858fb98df0c9a7a0a1a9a

Download Submit
C:\Windows\SysWOW64\Pddokabk.exe

Filesize
56KB

MD5
132ec6a0f0bbad894a47e05a5a5add1a

SHA1
02762756c22c39b2d9965db929687d0bc353c183

SHA256
a395a01c29e34bca023a6dc393cff892f6fdfbdcc08f2cb234d2a693a443d922

SHA512
02bbc305a62ef5aaa2865a250faf387220cdee85a067ced06fea77d69d5a67724d69497431370118205254647bb6cbe20c670e3127e858fb98df0c9a7a0a1a9a

Download Submit
C:\Windows\SysWOW64\Pkgaglpp.exe

Filesize
56KB

MD5
7a5646df6ff7291a8c549f7d496d9913

SHA1
dcd225d822840aeefb815b37b78fec212959f68f

SHA256
a530e423f5751ba177825b60a726753da927d3de508f7179428e1ae84f2aa9c9

SHA512
f1da5e91eda504967a77c634fd7ec1324743cb4f625b2762c2d6c4036ebca7c054acd37a3ddf4c400dcf6cc6ba346662f3c3b5a46b27ea19d41a54eae442e62b

Download Submit
C:\Windows\SysWOW64\Pkgaglpp.exe

Filesize
56KB

MD5
7a5646df6ff7291a8c549f7d496d9913

SHA1
dcd225d822840aeefb815b37b78fec212959f68f

SHA256
a530e423f5751ba177825b60a726753da927d3de508f7179428e1ae84f2aa9c9

SHA512
f1da5e91eda504967a77c634fd7ec1324743cb4f625b2762c2d6c4036ebca7c054acd37a3ddf4c400dcf6cc6ba346662f3c3b5a46b27ea19d41a54eae442e62b

Download Submit
memory/336-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/336-155-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/512-74-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/512-147-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3068-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3068-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3204-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3204-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3412-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3412-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3416-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3416-141-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3804-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3804-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3888-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3888-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3972-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3972-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4320-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4320-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4384-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4384-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-139-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4892-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4892-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads