b45dd48691e0fb1133863e353e35dd31092364615ef79da42c3ef6d1b38afe42

Analysis

max time kernel
85s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d2b432be01dcd995802d854308d48a80.exe
Size

387KB
MD5

d2b432be01dcd995802d854308d48a80
SHA1

c42aabd492a4049402e908d4750d9a7983df9ee8
SHA256

b45dd48691e0fb1133863e353e35dd31092364615ef79da42c3ef6d1b38afe42
SHA512

b2fa1b18c6942e19187a0aca8352d96e818d175780e2070b36654e9d7d13e25ce0fff03e2e2d4375d0d650ab3b20e6fdcaa82ca10681cbd0e4ea913582c54d21
SSDEEP

6144:CM0rxzJOEgHixuqjwszeXmpzKPJG9EeIMT:qxYHiPjoPJG9EeIW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.d2b432be01dcd995802d854308d48a80.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.d2b432be01dcd995802d854308d48a80.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe

Executes dropped EXE 24 IoCs

pid	Process
212	Ambgef32.exe
4604	Agglboim.exe
4672	Amddjegd.exe
4636	Agjhgngj.exe
3476	Aeniabfd.exe
4040	Aadifclh.exe
2736	Bnhjohkb.exe
1564	Bebblb32.exe
5100	Bffkij32.exe
3044	Bmpcfdmg.exe
1372	Bclhhnca.exe
464	Bmemac32.exe
3940	Cabfga32.exe
4488	Caebma32.exe
1064	Cjmgfgdf.exe
2208	Chagok32.exe
5044	Ceehho32.exe
4892	Danecp32.exe
2212	Dfknkg32.exe
3932	Ddonekbl.exe
3212	Dodbbdbb.exe
4912	Ddakjkqi.exe
2016	Dogogcpo.exe
3064	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	NEAS.d2b432be01dcd995802d854308d48a80.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	NEAS.d2b432be01dcd995802d854308d48a80.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	NEAS.d2b432be01dcd995802d854308d48a80.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Agjhgngj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	3064	WerFault.exe	111

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	NEAS.d2b432be01dcd995802d854308d48a80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.d2b432be01dcd995802d854308d48a80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.d2b432be01dcd995802d854308d48a80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.d2b432be01dcd995802d854308d48a80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.d2b432be01dcd995802d854308d48a80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 212	2856	NEAS.d2b432be01dcd995802d854308d48a80.exe	86
PID 2856 wrote to memory of 212	2856	NEAS.d2b432be01dcd995802d854308d48a80.exe	86
PID 2856 wrote to memory of 212	2856	NEAS.d2b432be01dcd995802d854308d48a80.exe	86
PID 212 wrote to memory of 4604	212	Ambgef32.exe	87
PID 212 wrote to memory of 4604	212	Ambgef32.exe	87
PID 212 wrote to memory of 4604	212	Ambgef32.exe	87
PID 4604 wrote to memory of 4672	4604	Agglboim.exe	88
PID 4604 wrote to memory of 4672	4604	Agglboim.exe	88
PID 4604 wrote to memory of 4672	4604	Agglboim.exe	88
PID 4672 wrote to memory of 4636	4672	Amddjegd.exe	89
PID 4672 wrote to memory of 4636	4672	Amddjegd.exe	89
PID 4672 wrote to memory of 4636	4672	Amddjegd.exe	89
PID 4636 wrote to memory of 3476	4636	Agjhgngj.exe	90
PID 4636 wrote to memory of 3476	4636	Agjhgngj.exe	90
PID 4636 wrote to memory of 3476	4636	Agjhgngj.exe	90
PID 3476 wrote to memory of 4040	3476	Aeniabfd.exe	93
PID 3476 wrote to memory of 4040	3476	Aeniabfd.exe	93
PID 3476 wrote to memory of 4040	3476	Aeniabfd.exe	93
PID 4040 wrote to memory of 2736	4040	Aadifclh.exe	92
PID 4040 wrote to memory of 2736	4040	Aadifclh.exe	92
PID 4040 wrote to memory of 2736	4040	Aadifclh.exe	92
PID 2736 wrote to memory of 1564	2736	Bnhjohkb.exe	94
PID 2736 wrote to memory of 1564	2736	Bnhjohkb.exe	94
PID 2736 wrote to memory of 1564	2736	Bnhjohkb.exe	94
PID 1564 wrote to memory of 5100	1564	Bebblb32.exe	95
PID 1564 wrote to memory of 5100	1564	Bebblb32.exe	95
PID 1564 wrote to memory of 5100	1564	Bebblb32.exe	95
PID 5100 wrote to memory of 3044	5100	Bffkij32.exe	96
PID 5100 wrote to memory of 3044	5100	Bffkij32.exe	96
PID 5100 wrote to memory of 3044	5100	Bffkij32.exe	96
PID 3044 wrote to memory of 1372	3044	Bmpcfdmg.exe	97
PID 3044 wrote to memory of 1372	3044	Bmpcfdmg.exe	97
PID 3044 wrote to memory of 1372	3044	Bmpcfdmg.exe	97
PID 1372 wrote to memory of 464	1372	Bclhhnca.exe	98
PID 1372 wrote to memory of 464	1372	Bclhhnca.exe	98
PID 1372 wrote to memory of 464	1372	Bclhhnca.exe	98
PID 464 wrote to memory of 3940	464	Bmemac32.exe	100
PID 464 wrote to memory of 3940	464	Bmemac32.exe	100
PID 464 wrote to memory of 3940	464	Bmemac32.exe	100
PID 3940 wrote to memory of 4488	3940	Cabfga32.exe	101
PID 3940 wrote to memory of 4488	3940	Cabfga32.exe	101
PID 3940 wrote to memory of 4488	3940	Cabfga32.exe	101
PID 4488 wrote to memory of 1064	4488	Caebma32.exe	102
PID 4488 wrote to memory of 1064	4488	Caebma32.exe	102
PID 4488 wrote to memory of 1064	4488	Caebma32.exe	102
PID 1064 wrote to memory of 2208	1064	Cjmgfgdf.exe	103
PID 1064 wrote to memory of 2208	1064	Cjmgfgdf.exe	103
PID 1064 wrote to memory of 2208	1064	Cjmgfgdf.exe	103
PID 2208 wrote to memory of 5044	2208	Chagok32.exe	104
PID 2208 wrote to memory of 5044	2208	Chagok32.exe	104
PID 2208 wrote to memory of 5044	2208	Chagok32.exe	104
PID 5044 wrote to memory of 4892	5044	Ceehho32.exe	105
PID 5044 wrote to memory of 4892	5044	Ceehho32.exe	105
PID 5044 wrote to memory of 4892	5044	Ceehho32.exe	105
PID 4892 wrote to memory of 2212	4892	Danecp32.exe	106
PID 4892 wrote to memory of 2212	4892	Danecp32.exe	106
PID 4892 wrote to memory of 2212	4892	Danecp32.exe	106
PID 2212 wrote to memory of 3932	2212	Dfknkg32.exe	107
PID 2212 wrote to memory of 3932	2212	Dfknkg32.exe	107
PID 2212 wrote to memory of 3932	2212	Dfknkg32.exe	107
PID 3932 wrote to memory of 3212	3932	Ddonekbl.exe	108
PID 3932 wrote to memory of 3212	3932	Ddonekbl.exe	108
PID 3932 wrote to memory of 3212	3932	Ddonekbl.exe	108
PID 3212 wrote to memory of 4912	3212	Dodbbdbb.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.d2b432be01dcd995802d854308d48a80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d2b432be01dcd995802d854308d48a80.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Ambgef32.exe
  C:\Windows\system32\Ambgef32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\Agglboim.exe
    C:\Windows\system32\Agglboim.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\SysWOW64\Amddjegd.exe
      C:\Windows\system32\Amddjegd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040

C:\Windows\SysWOW64\Bnhjohkb.exe
C:\Windows\system32\Bnhjohkb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\Bebblb32.exe
  C:\Windows\system32\Bebblb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\Bffkij32.exe
    C:\Windows\system32\Bffkij32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SysWOW64\Bmpcfdmg.exe
      C:\Windows\system32\Bmpcfdmg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        18⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 396
        19⤵
        Program crash
        
        PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3064 -ip 3064
1⤵
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
387KB

MD5
7a325f3ce70b530cbc6e132ca118c599

SHA1
27cbdb020203b97930da0493e7502a19d0d8ccfc

SHA256
d8ad8cfc20e7485cec503537b6bee2f31de4b8fb042985dc31b53ee5f837128f

SHA512
8f5bd64f4479761e502d0a243b79d31f88d0ebf77512c2b39eeeb420ee5247cacb6ea0ff6051ac4611ad0cd822d6b2cf2e345386a4881c063fa29bf056be120e

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
387KB

MD5
7a325f3ce70b530cbc6e132ca118c599

SHA1
27cbdb020203b97930da0493e7502a19d0d8ccfc

SHA256
d8ad8cfc20e7485cec503537b6bee2f31de4b8fb042985dc31b53ee5f837128f

SHA512
8f5bd64f4479761e502d0a243b79d31f88d0ebf77512c2b39eeeb420ee5247cacb6ea0ff6051ac4611ad0cd822d6b2cf2e345386a4881c063fa29bf056be120e

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
387KB

MD5
fd7f4d9a5bdff66f161ae4bc35b00993

SHA1
7f0247685fc09a5ab268f65939c56bce8e19fc77

SHA256
c07473494e54d13713a93459f51b25e7bc3ff2eca7dfa536abd9806ab033209f

SHA512
a281217f2cdc6cd1969a5ff7ae40c3a8196a6d403300373b809b68e7636014e9b04e0d6d5b0adf5a265ce090ca136208727c307c822b8b8fa0b6557fe93cda59

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
387KB

MD5
fd7f4d9a5bdff66f161ae4bc35b00993

SHA1
7f0247685fc09a5ab268f65939c56bce8e19fc77

SHA256
c07473494e54d13713a93459f51b25e7bc3ff2eca7dfa536abd9806ab033209f

SHA512
a281217f2cdc6cd1969a5ff7ae40c3a8196a6d403300373b809b68e7636014e9b04e0d6d5b0adf5a265ce090ca136208727c307c822b8b8fa0b6557fe93cda59

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
387KB

MD5
46c992be044fd34692b8f25be1686582

SHA1
a8dc9c72043e814028fb8dcbecd5e0273197910f

SHA256
fbd436a4aeb3eebb024382d08401d0658ab6bc902a14599d086bd82a3ee252a3

SHA512
bc8672f0f3a3e95c078a776ffff0def8c53ee34c2c74dd824bc9520be7acd4aa9b090fa5da3ae12d1f95a5b0a515feba2decb67574ee5517a0735032c8422a1f

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
387KB

MD5
46c992be044fd34692b8f25be1686582

SHA1
a8dc9c72043e814028fb8dcbecd5e0273197910f

SHA256
fbd436a4aeb3eebb024382d08401d0658ab6bc902a14599d086bd82a3ee252a3

SHA512
bc8672f0f3a3e95c078a776ffff0def8c53ee34c2c74dd824bc9520be7acd4aa9b090fa5da3ae12d1f95a5b0a515feba2decb67574ee5517a0735032c8422a1f

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
387KB

MD5
4355533d6693449a4564f9028c66f39a

SHA1
3e4befeef9e511b566f32837325c42cd2af5cd57

SHA256
7857610c5898f8a075739a86aef18833e7f91674ae22955bc511a8dccac4ad9a

SHA512
4c985c8f50400475b5148ecb6e8391bc59ad4f7bc7210a343507e72d9fb486b7559489fbbd84000b8bb860864f7395a317246097fbfee5d1e000fc35c818e537

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
387KB

MD5
4355533d6693449a4564f9028c66f39a

SHA1
3e4befeef9e511b566f32837325c42cd2af5cd57

SHA256
7857610c5898f8a075739a86aef18833e7f91674ae22955bc511a8dccac4ad9a

SHA512
4c985c8f50400475b5148ecb6e8391bc59ad4f7bc7210a343507e72d9fb486b7559489fbbd84000b8bb860864f7395a317246097fbfee5d1e000fc35c818e537

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
387KB

MD5
ccab7ca4e5cbcb8e6dc3ea30661b5fdb

SHA1
71c13dcd646da378a767938fbcc18f4d308af9f2

SHA256
1c2c259312985c8d9a1dbeba8cb8e8dc8a73da57c4e4ef21149b139159eaee3e

SHA512
5deae4ab85d6bc57cff386e43a697bf1a211278273cc5dc916400d34d80e11a12afdaedcf96e32b86f5a230cf72470f8fc3d2a170e852f0b7956db102100c309

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
387KB

MD5
ccab7ca4e5cbcb8e6dc3ea30661b5fdb

SHA1
71c13dcd646da378a767938fbcc18f4d308af9f2

SHA256
1c2c259312985c8d9a1dbeba8cb8e8dc8a73da57c4e4ef21149b139159eaee3e

SHA512
5deae4ab85d6bc57cff386e43a697bf1a211278273cc5dc916400d34d80e11a12afdaedcf96e32b86f5a230cf72470f8fc3d2a170e852f0b7956db102100c309

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
387KB

MD5
ee5d4bd156c907aaecc9c3595b8baba2

SHA1
d82fb7b32e82d7ef9f2b9982ec91dd031a4ffca7

SHA256
ae449d5090ccfa8c3373c946d3e7200d3bcaca47c9e44d5085ac282e384c4abc

SHA512
3b59eb6526789f8955a56fab291bf8198af494212333e13a8773c3d6c793511a6c49b569f0be68f59d1b657c126a50cf8e14a0d4584e8d3ca18635a00a8490cf

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
387KB

MD5
ee5d4bd156c907aaecc9c3595b8baba2

SHA1
d82fb7b32e82d7ef9f2b9982ec91dd031a4ffca7

SHA256
ae449d5090ccfa8c3373c946d3e7200d3bcaca47c9e44d5085ac282e384c4abc

SHA512
3b59eb6526789f8955a56fab291bf8198af494212333e13a8773c3d6c793511a6c49b569f0be68f59d1b657c126a50cf8e14a0d4584e8d3ca18635a00a8490cf

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
387KB

MD5
11a249440da66538e306b0e9c3a5396c

SHA1
6e024d733779331f91a42dc16a721578867d0b36

SHA256
1788e827dc4c084f2ecc57e29c0a996203b2bf2644f038521809098072fa6549

SHA512
50d1bca23d44ed50bb5f03e80912fada5ba2d075f7ce3b96221677fb02360a7a3fbddc74b02a4c94afd59e712a4c60fe2e1834a135f6ff9ec0f24d6f7e7c7804

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
387KB

MD5
11a249440da66538e306b0e9c3a5396c

SHA1
6e024d733779331f91a42dc16a721578867d0b36

SHA256
1788e827dc4c084f2ecc57e29c0a996203b2bf2644f038521809098072fa6549

SHA512
50d1bca23d44ed50bb5f03e80912fada5ba2d075f7ce3b96221677fb02360a7a3fbddc74b02a4c94afd59e712a4c60fe2e1834a135f6ff9ec0f24d6f7e7c7804

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
387KB

MD5
f2e94d0854f8e61e2ee3a4bb398e24b0

SHA1
4470f316fbd6961ddf9fbeeb59ca05027b46a4e2

SHA256
448f265190a642634b5e5fc3e4b23dfd7cb87c60ae0e2427275e412f1d46af6b

SHA512
ffe9cf49403b54a050a9460cb8af2cf44b7e49b03c25f963a8bcd24ce4d4ebbe19a34ebb5c9bfc6273ae7691fe4fad1f93ece6c7fa2d76d8ee252a56968d82ec

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
387KB

MD5
f2e94d0854f8e61e2ee3a4bb398e24b0

SHA1
4470f316fbd6961ddf9fbeeb59ca05027b46a4e2

SHA256
448f265190a642634b5e5fc3e4b23dfd7cb87c60ae0e2427275e412f1d46af6b

SHA512
ffe9cf49403b54a050a9460cb8af2cf44b7e49b03c25f963a8bcd24ce4d4ebbe19a34ebb5c9bfc6273ae7691fe4fad1f93ece6c7fa2d76d8ee252a56968d82ec

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
387KB

MD5
db57bdff176e141ea8ea9c8efa63fc5c

SHA1
2956d381ef0883bd4f7efc844b10ec75b23f4a04

SHA256
c389a8f94c89d585bd896ad2cd4376b1ef79c939fdfc34fe76a3654be3aaf575

SHA512
6f34d436e276a1aafa88052c57c45e3c546c27be13a149625022c9003cc41c5e6d70c322c03df2de14fd5480398b888d9c09a63d5a3fc5bddd43ab2bb6c035c0

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
387KB

MD5
db57bdff176e141ea8ea9c8efa63fc5c

SHA1
2956d381ef0883bd4f7efc844b10ec75b23f4a04

SHA256
c389a8f94c89d585bd896ad2cd4376b1ef79c939fdfc34fe76a3654be3aaf575

SHA512
6f34d436e276a1aafa88052c57c45e3c546c27be13a149625022c9003cc41c5e6d70c322c03df2de14fd5480398b888d9c09a63d5a3fc5bddd43ab2bb6c035c0

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
387KB

MD5
0e1deb78f8ceae848319d7e90a98f70b

SHA1
f52740a548628ab7d65c85e0ed1ebef69c382ded

SHA256
8074fb1bb056f68891507b59d29fee70d4a29b9b63e58382d3a96d4fa7f38dd4

SHA512
d4d805b662791c098d95c5c0182837874429101a355990b61bfda8cff47e8d66f95e99b89b8244514a63b9d6736c3941b642618635cb0c18a6be4c9ea2f350ba

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
387KB

MD5
0e1deb78f8ceae848319d7e90a98f70b

SHA1
f52740a548628ab7d65c85e0ed1ebef69c382ded

SHA256
8074fb1bb056f68891507b59d29fee70d4a29b9b63e58382d3a96d4fa7f38dd4

SHA512
d4d805b662791c098d95c5c0182837874429101a355990b61bfda8cff47e8d66f95e99b89b8244514a63b9d6736c3941b642618635cb0c18a6be4c9ea2f350ba

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
387KB

MD5
fc68e7830bc01d3929bade43abd8d00d

SHA1
65c5691f3ab71d1660e70a9051c228e5cd8c39c2

SHA256
6b98bfdeb350cd3551863b629dada4459d756a1872ca11419d7368aae9f8ea5c

SHA512
078929f3d597d3f0d3d806c63ae62d5c6c155c8ae67215c24ce311b48e98d4de2aed5f8886b304fd4c7574c16e1a366f789853395fe6610e0cf624038aea4acd

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
387KB

MD5
fc68e7830bc01d3929bade43abd8d00d

SHA1
65c5691f3ab71d1660e70a9051c228e5cd8c39c2

SHA256
6b98bfdeb350cd3551863b629dada4459d756a1872ca11419d7368aae9f8ea5c

SHA512
078929f3d597d3f0d3d806c63ae62d5c6c155c8ae67215c24ce311b48e98d4de2aed5f8886b304fd4c7574c16e1a366f789853395fe6610e0cf624038aea4acd

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
387KB

MD5
3bea01d5a275480c85d0e5d77b6cb802

SHA1
fd3ad795428e59413f50ef27a3bbe72263f0b186

SHA256
f353c2983210d925466e250bf34e0a1279f216107ea41500af10333db9dc6a4c

SHA512
6d1beb5e438b5a5b859adff8a1e2e57264152ee9c5ececaee0d6dd4fd845220178ee516661f1e1d6d6fc4699d6da2606d63f9af485716f1e5df6d22f959c998c

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
387KB

MD5
3bea01d5a275480c85d0e5d77b6cb802

SHA1
fd3ad795428e59413f50ef27a3bbe72263f0b186

SHA256
f353c2983210d925466e250bf34e0a1279f216107ea41500af10333db9dc6a4c

SHA512
6d1beb5e438b5a5b859adff8a1e2e57264152ee9c5ececaee0d6dd4fd845220178ee516661f1e1d6d6fc4699d6da2606d63f9af485716f1e5df6d22f959c998c

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
387KB

MD5
20f7c52e0cad41247be112426e603352

SHA1
d43e5a3e4bf2d73fb5a15e42ccbea038c0b08861

SHA256
b716db5528ba25fdfe463800ea8ad561b7b95eb37916696b4c8e56e742d6bd52

SHA512
4b12c23a3946bd242ddcf3bf43981547fc77aa3d6002fce4334575b7391cb69b78e7a9a80df52d57127614d44e9e855cda15344d7340a6bd72c02d805b62d482

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
387KB

MD5
20f7c52e0cad41247be112426e603352

SHA1
d43e5a3e4bf2d73fb5a15e42ccbea038c0b08861

SHA256
b716db5528ba25fdfe463800ea8ad561b7b95eb37916696b4c8e56e742d6bd52

SHA512
4b12c23a3946bd242ddcf3bf43981547fc77aa3d6002fce4334575b7391cb69b78e7a9a80df52d57127614d44e9e855cda15344d7340a6bd72c02d805b62d482

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
387KB

MD5
c41d9266c95a04eb685dc65ca19ca126

SHA1
95ce254304fe265395eae5bda5a2041691f96545

SHA256
62d708788ab599c2eb503996fbdd03ec8bfe8695f41b6802d07e8b3de818d9a3

SHA512
4c98e1f9292b664405cf4572ea975365958c12cb4a4deb9a34dd99cd5d277376f2e25c46b719b07da76111daa5b41494cb99c0d1c56efd537212732d8b8e5d9c

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
387KB

MD5
c41d9266c95a04eb685dc65ca19ca126

SHA1
95ce254304fe265395eae5bda5a2041691f96545

SHA256
62d708788ab599c2eb503996fbdd03ec8bfe8695f41b6802d07e8b3de818d9a3

SHA512
4c98e1f9292b664405cf4572ea975365958c12cb4a4deb9a34dd99cd5d277376f2e25c46b719b07da76111daa5b41494cb99c0d1c56efd537212732d8b8e5d9c

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
387KB

MD5
9b32ee8174903cb6c340f6605f5db0f6

SHA1
986dbb6cc96555a0090bb35d81d9bacddfa8e015

SHA256
df7b77d7f14f9dc2dc9ee91d0c600ac5f898c01453dc4f2b9ec897e962777dfe

SHA512
5e3fb8bbb4e20ce9ece24802d1488d5a832603beb78c2b7301aa20d87adbb551f03afef93468635235400739e99b7de26a379d3c8b0ce6151371a8fe96432fa0

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
387KB

MD5
9b32ee8174903cb6c340f6605f5db0f6

SHA1
986dbb6cc96555a0090bb35d81d9bacddfa8e015

SHA256
df7b77d7f14f9dc2dc9ee91d0c600ac5f898c01453dc4f2b9ec897e962777dfe

SHA512
5e3fb8bbb4e20ce9ece24802d1488d5a832603beb78c2b7301aa20d87adbb551f03afef93468635235400739e99b7de26a379d3c8b0ce6151371a8fe96432fa0

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
387KB

MD5
d5c2011a4f34fce60460599fe47be7ef

SHA1
7005cc8198bb56665e56a1fa66fcd8b635ee6ad5

SHA256
de8fa6083eaf29e4215faa6ead28d0915736413f4e64601c456035b8ed360968

SHA512
8339ed089ab697eef0dd2f02539b027c3c42ce6fab1d6523207b6617a8e8f26a16cbd8b29647949258c8b88d54b0d9be51102aa0a8c6b0ccd2e7219a6658659c

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
387KB

MD5
d5c2011a4f34fce60460599fe47be7ef

SHA1
7005cc8198bb56665e56a1fa66fcd8b635ee6ad5

SHA256
de8fa6083eaf29e4215faa6ead28d0915736413f4e64601c456035b8ed360968

SHA512
8339ed089ab697eef0dd2f02539b027c3c42ce6fab1d6523207b6617a8e8f26a16cbd8b29647949258c8b88d54b0d9be51102aa0a8c6b0ccd2e7219a6658659c

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
387KB

MD5
a8b58c2a6effbdac5d00fd876c1e1387

SHA1
919bef035fd326f17006a4dd3a8604d90e0ec4d1

SHA256
4a355c69fa967f6c62e5dbd8307d0c257fc5c09a1973af3110b36a44a10ca9d8

SHA512
4acda3c3aba01003150138a9dbf17fcbfd3617b2af2f4add2f6095d2188ff4e38c3b42566a17123c80f3a528e200001210b0fff525e9085816cb6d26001892da

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
387KB

MD5
a8b58c2a6effbdac5d00fd876c1e1387

SHA1
919bef035fd326f17006a4dd3a8604d90e0ec4d1

SHA256
4a355c69fa967f6c62e5dbd8307d0c257fc5c09a1973af3110b36a44a10ca9d8

SHA512
4acda3c3aba01003150138a9dbf17fcbfd3617b2af2f4add2f6095d2188ff4e38c3b42566a17123c80f3a528e200001210b0fff525e9085816cb6d26001892da

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
387KB

MD5
16ba6615b1b241f045fe215ece694348

SHA1
94c4f53860529a8bbce4b0071a6e565ad026340b

SHA256
1fc710120e76994a563b7fc0e87ba7c98d41141a6c123084567675012fda4e46

SHA512
4690f507fc9ad62998308516eadb2ac6df7d6911d8b58dbb9e02565a7a6a6cfd88709c1ab737f60af7ebf3f21e9402b3954892b34bacefc02f100bde8a4aed44

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
387KB

MD5
16ba6615b1b241f045fe215ece694348

SHA1
94c4f53860529a8bbce4b0071a6e565ad026340b

SHA256
1fc710120e76994a563b7fc0e87ba7c98d41141a6c123084567675012fda4e46

SHA512
4690f507fc9ad62998308516eadb2ac6df7d6911d8b58dbb9e02565a7a6a6cfd88709c1ab737f60af7ebf3f21e9402b3954892b34bacefc02f100bde8a4aed44

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
387KB

MD5
397c2232e99f1c0d42ce455ea0eb548c

SHA1
2a2e9a7dd0a7f6d22a85df09e84fbfe9b9fba117

SHA256
ba0a9e5ddf9c5ce587a044c37e3177a78711ed990dfbb5b90876c27647fdc3ed

SHA512
a2f9c1e421ad30b37b7052f8b226ba75677e7fde56fe46093373181a23785faaf0ba42137916464a3678640e20900ace8f6283b20593f32b17e250e1a6e608ef

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
387KB

MD5
397c2232e99f1c0d42ce455ea0eb548c

SHA1
2a2e9a7dd0a7f6d22a85df09e84fbfe9b9fba117

SHA256
ba0a9e5ddf9c5ce587a044c37e3177a78711ed990dfbb5b90876c27647fdc3ed

SHA512
a2f9c1e421ad30b37b7052f8b226ba75677e7fde56fe46093373181a23785faaf0ba42137916464a3678640e20900ace8f6283b20593f32b17e250e1a6e608ef

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
387KB

MD5
c6b4104ea74a174fd557acff07728db8

SHA1
40b49af47dce9fc61e6a4681b661fbbd56662e7f

SHA256
1403a52fc8efd3f7bc2069893435e73ab113b8015fa7f9388f58fb853b755659

SHA512
fda4395cae9f16d8fb63a1b9c0cd3f92eeb6316af832638687b4c4234ea884c06c600d92043620ef3b25cc7036965d06eeecb96d0afd8ef9bec524a1f65129ff

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
387KB

MD5
c6b4104ea74a174fd557acff07728db8

SHA1
40b49af47dce9fc61e6a4681b661fbbd56662e7f

SHA256
1403a52fc8efd3f7bc2069893435e73ab113b8015fa7f9388f58fb853b755659

SHA512
fda4395cae9f16d8fb63a1b9c0cd3f92eeb6316af832638687b4c4234ea884c06c600d92043620ef3b25cc7036965d06eeecb96d0afd8ef9bec524a1f65129ff

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
387KB

MD5
63906568593df995e4df061a1436d2fc

SHA1
45d9c60dda74d4521305e68493d06c11e67ab01f

SHA256
429cd14a0309a3aba0e6c53579d2e22d3a4d5f033c83f8106acd97a32172f1be

SHA512
d7272df631c62eacfc549902d23d26466a0a358eeb9cc4237ab825fd41dabca49bd2aed7c31df623c7ceb0e26aacd919ab1150fcd15da7e7863eca0ef3c92215

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
387KB

MD5
63906568593df995e4df061a1436d2fc

SHA1
45d9c60dda74d4521305e68493d06c11e67ab01f

SHA256
429cd14a0309a3aba0e6c53579d2e22d3a4d5f033c83f8106acd97a32172f1be

SHA512
d7272df631c62eacfc549902d23d26466a0a358eeb9cc4237ab825fd41dabca49bd2aed7c31df623c7ceb0e26aacd919ab1150fcd15da7e7863eca0ef3c92215

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
387KB

MD5
f5a879cb428571560e9f277873768329

SHA1
c474b3352ec62b88bbcf392095a8da73cfb7a215

SHA256
a39fc79edfe750e95d3fc6882ea3336fb488370e85733cf9b14bc05750a149a3

SHA512
1e30eef63ca904abcc954f3c3cc18f325cddbd4462127ce99037d38c3baef85b7ae4454aefd90c21b53a926e8071dd1af0bf9e0728cfd1b7593e4c6b98594e40

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
387KB

MD5
f5a879cb428571560e9f277873768329

SHA1
c474b3352ec62b88bbcf392095a8da73cfb7a215

SHA256
a39fc79edfe750e95d3fc6882ea3336fb488370e85733cf9b14bc05750a149a3

SHA512
1e30eef63ca904abcc954f3c3cc18f325cddbd4462127ce99037d38c3baef85b7ae4454aefd90c21b53a926e8071dd1af0bf9e0728cfd1b7593e4c6b98594e40

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
387KB

MD5
59af83834507ce706e15ec72e6df64f0

SHA1
dda36d9fca286adf6670874cbf98f5c2feb98fb4

SHA256
e55c4c1fb994de1e6e25d3f0489ae7956e0965074e8dba1a4b785e02ed07b8ac

SHA512
dfbd2722c721f03be6c13f59252ff80b97751204d72e0520cb9a7a05f6534d3e487b3cd687d0cfe814e7d3b82e419374e6965e1e30808ea1a148bf6a67e9fa8c

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
387KB

MD5
59af83834507ce706e15ec72e6df64f0

SHA1
dda36d9fca286adf6670874cbf98f5c2feb98fb4

SHA256
e55c4c1fb994de1e6e25d3f0489ae7956e0965074e8dba1a4b785e02ed07b8ac

SHA512
dfbd2722c721f03be6c13f59252ff80b97751204d72e0520cb9a7a05f6534d3e487b3cd687d0cfe814e7d3b82e419374e6965e1e30808ea1a148bf6a67e9fa8c

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
387KB

MD5
c534bc880054a3dec5b2da73de286ecc

SHA1
d0e7da21b4a676f452b491b28f6743c27fa00c57

SHA256
a569b1afde192619608f854ea1ec20cae1ea24658b31ab6774adb77417432afc

SHA512
aae9744a660d3a87020e1d117af4d3e6050f71ea7957d057f5e4f943549986ee9d9952ca0248a85de6733c7a9a14f13cb2052ee7700440939806d76ca13e8f18

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
387KB

MD5
c534bc880054a3dec5b2da73de286ecc

SHA1
d0e7da21b4a676f452b491b28f6743c27fa00c57

SHA256
a569b1afde192619608f854ea1ec20cae1ea24658b31ab6774adb77417432afc

SHA512
aae9744a660d3a87020e1d117af4d3e6050f71ea7957d057f5e4f943549986ee9d9952ca0248a85de6733c7a9a14f13cb2052ee7700440939806d76ca13e8f18

Download Submit
memory/212-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/212-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads