81a38637f2949fbcf49331b60ccee9ab1923f3b9453e2e18e4d60872c2323ec8

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe
Size

128KB
MD5

ac984490a1b2814af2ad2abf6bb4e9c0
SHA1

7dfa6b968e72603b81a38c28f438e4ca1e4367f5
SHA256

81a38637f2949fbcf49331b60ccee9ab1923f3b9453e2e18e4d60872c2323ec8
SHA512

1f782427e1f585a41bc7baa03b67bc811289136f6938bfb4689ab190ea3e2074cfa74685d940f18af28a793e1a24b9fc86351b3cb194ad6260188645468dce96
SSDEEP

3072:zoRM3sb1jnmUE+RwmiJ9IDlRxyhTbhgu+tAcrbFAJc+i:zVOfisDshsrtMk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledepn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gndbie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biiobo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hchqbkkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilmedf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gndbie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keceoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojemig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajohfcpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hchqbkkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgihop32.exe

Executes dropped EXE 27 IoCs

pid	Process
3520	Kbhmbdle.exe
3872	Ledepn32.exe
3176	Mjggal32.exe
4484	Mjpjgj32.exe
3116	Nhhdnf32.exe
1268	Njljch32.exe
3712	Ojemig32.exe
3644	Ojhiogdd.exe
3384	Qpbnhl32.exe
3124	Ajohfcpj.exe
4900	Biiobo32.exe
1588	Bbfmgd32.exe
3264	Cmgqpkip.exe
2700	Dgihop32.exe
5096	Ecbeip32.exe
3188	Fgiaemic.exe
4560	Fgnjqm32.exe
4832	Gcghkm32.exe
5048	Gndbie32.exe
1600	Hchqbkkm.exe
436	Ilfodgeg.exe
2748	Igmoih32.exe
3548	Ilmedf32.exe
4908	Jeolckne.exe
1616	Keceoj32.exe
4884	Klpjad32.exe
2448	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ajohfcpj.exe	Qpbnhl32.exe
File opened for modification	C:\Windows\SysWOW64\Bbfmgd32.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Cmgqpkip.exe	Bbfmgd32.exe
File created	C:\Windows\SysWOW64\Dndhqgbm.dll	NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe
File created	C:\Windows\SysWOW64\Bfmpaf32.dll	Njljch32.exe
File created	C:\Windows\SysWOW64\Eknphfld.dll	Ajohfcpj.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Gccebdmn.dll	Hchqbkkm.exe
File opened for modification	C:\Windows\SysWOW64\Igmoih32.exe	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Fcndmiqg.dll	Ledepn32.exe
File created	C:\Windows\SysWOW64\Klpjad32.exe	Keceoj32.exe
File created	C:\Windows\SysWOW64\Kbhmbdle.exe	NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe
File created	C:\Windows\SysWOW64\Cnaqob32.dll	Mjpjgj32.exe
File opened for modification	C:\Windows\SysWOW64\Qpbnhl32.exe	Ojhiogdd.exe
File opened for modification	C:\Windows\SysWOW64\Ajohfcpj.exe	Qpbnhl32.exe
File created	C:\Windows\SysWOW64\Biiobo32.exe	Ajohfcpj.exe
File opened for modification	C:\Windows\SysWOW64\Ecbeip32.exe	Dgihop32.exe
File created	C:\Windows\SysWOW64\Hchqbkkm.exe	Gndbie32.exe
File opened for modification	C:\Windows\SysWOW64\Mjpjgj32.exe	Mjggal32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Ojemig32.exe
File created	C:\Windows\SysWOW64\Afjpan32.dll	Biiobo32.exe
File created	C:\Windows\SysWOW64\Ifncdb32.dll	Bbfmgd32.exe
File opened for modification	C:\Windows\SysWOW64\Ilfodgeg.exe	Hchqbkkm.exe
File created	C:\Windows\SysWOW64\Jeolckne.exe	Jdmcdhhe.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Lfqedp32.dll	Kbhmbdle.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Ecbeip32.exe
File opened for modification	C:\Windows\SysWOW64\Jeolckne.exe	Jdmcdhhe.exe
File created	C:\Windows\SysWOW64\Mjggal32.exe	Ledepn32.exe
File created	C:\Windows\SysWOW64\Cmgilf32.dll	Mjggal32.exe
File opened for modification	C:\Windows\SysWOW64\Dgihop32.exe	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Pqgpcnpb.dll	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Ledepn32.exe	Kbhmbdle.exe
File opened for modification	C:\Windows\SysWOW64\Mjggal32.exe	Ledepn32.exe
File created	C:\Windows\SysWOW64\Pjhfcm32.dll	Ojhiogdd.exe
File opened for modification	C:\Windows\SysWOW64\Biiobo32.exe	Ajohfcpj.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Igmoih32.exe	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Lajbnn32.dll	Keceoj32.exe
File opened for modification	C:\Windows\SysWOW64\Ledepn32.exe	Kbhmbdle.exe
File created	C:\Windows\SysWOW64\Camgolnm.dll	Dgihop32.exe
File opened for modification	C:\Windows\SysWOW64\Keceoj32.exe	Jeolckne.exe
File opened for modification	C:\Windows\SysWOW64\Njljch32.exe	Nhhdnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojemig32.exe	Njljch32.exe
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Ojemig32.exe
File created	C:\Windows\SysWOW64\Dgihop32.exe	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Jjnmkgom.dll	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Dadeofnh.dll	Gndbie32.exe
File created	C:\Windows\SysWOW64\Ilmedf32.exe	Igmoih32.exe
File created	C:\Windows\SysWOW64\Gndbie32.exe	Gcghkm32.exe
File opened for modification	C:\Windows\SysWOW64\Gndbie32.exe	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Epaaihpg.dll	Igmoih32.exe
File created	C:\Windows\SysWOW64\Dodipp32.dll	Jdmcdhhe.exe
File created	C:\Windows\SysWOW64\Keceoj32.exe	Jeolckne.exe
File created	C:\Windows\SysWOW64\Ghikqj32.dll	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Nhhdnf32.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Bbfmgd32.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Ecbeip32.exe	Dgihop32.exe
File created	C:\Windows\SysWOW64\Fgiaemic.exe	Ecbeip32.exe
File opened for modification	C:\Windows\SysWOW64\Gcghkm32.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Gfdcpb32.dll	Gcghkm32.exe
File opened for modification	C:\Windows\SysWOW64\Hchqbkkm.exe	Gndbie32.exe
File created	C:\Windows\SysWOW64\Hbhgkfkg.dll	Jeolckne.exe
File created	C:\Windows\SysWOW64\Mjpjgj32.exe	Mjggal32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2892	2448	WerFault.exe	118
4056	2448	WerFault.exe	118

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aannbg32.dll"	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqedp32.dll"	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjpan32.dll"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgihop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdcpb32.dll"	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndhqgbm.dll"	NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Ojemig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccebdmn.dll"	Hchqbkkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hchqbkkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaqob32.dll"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnmkgom.dll"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hchqbkkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghikqj32.dll"	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojemig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgihop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gndbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodipp32.dll"	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpeipb32.dll"	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajohfcpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gihfoi32.dll"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjhfcm32.dll"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknphfld.dll"	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifncdb32.dll"	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbhgkfkg.dll"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camgolnm.dll"	Dgihop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igmoih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgpcnpb.dll"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadeofnh.dll"	Gndbie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledepn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 3520	4092	NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe	91
PID 4092 wrote to memory of 3520	4092	NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe	91
PID 4092 wrote to memory of 3520	4092	NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe	91
PID 3520 wrote to memory of 3872	3520	Kbhmbdle.exe	92
PID 3520 wrote to memory of 3872	3520	Kbhmbdle.exe	92
PID 3520 wrote to memory of 3872	3520	Kbhmbdle.exe	92
PID 3872 wrote to memory of 3176	3872	Ledepn32.exe	93
PID 3872 wrote to memory of 3176	3872	Ledepn32.exe	93
PID 3872 wrote to memory of 3176	3872	Ledepn32.exe	93
PID 3176 wrote to memory of 4484	3176	Mjggal32.exe	94
PID 3176 wrote to memory of 4484	3176	Mjggal32.exe	94
PID 3176 wrote to memory of 4484	3176	Mjggal32.exe	94
PID 4484 wrote to memory of 3116	4484	Mjpjgj32.exe	95
PID 4484 wrote to memory of 3116	4484	Mjpjgj32.exe	95
PID 4484 wrote to memory of 3116	4484	Mjpjgj32.exe	95
PID 3116 wrote to memory of 1268	3116	Nhhdnf32.exe	96
PID 3116 wrote to memory of 1268	3116	Nhhdnf32.exe	96
PID 3116 wrote to memory of 1268	3116	Nhhdnf32.exe	96
PID 1268 wrote to memory of 3712	1268	Njljch32.exe	97
PID 1268 wrote to memory of 3712	1268	Njljch32.exe	97
PID 1268 wrote to memory of 3712	1268	Njljch32.exe	97
PID 3712 wrote to memory of 3644	3712	Ojemig32.exe	98
PID 3712 wrote to memory of 3644	3712	Ojemig32.exe	98
PID 3712 wrote to memory of 3644	3712	Ojemig32.exe	98
PID 3644 wrote to memory of 3384	3644	Ojhiogdd.exe	99
PID 3644 wrote to memory of 3384	3644	Ojhiogdd.exe	99
PID 3644 wrote to memory of 3384	3644	Ojhiogdd.exe	99
PID 3384 wrote to memory of 3124	3384	Qpbnhl32.exe	100
PID 3384 wrote to memory of 3124	3384	Qpbnhl32.exe	100
PID 3384 wrote to memory of 3124	3384	Qpbnhl32.exe	100
PID 3124 wrote to memory of 4900	3124	Ajohfcpj.exe	101
PID 3124 wrote to memory of 4900	3124	Ajohfcpj.exe	101
PID 3124 wrote to memory of 4900	3124	Ajohfcpj.exe	101
PID 4900 wrote to memory of 1588	4900	Biiobo32.exe	102
PID 4900 wrote to memory of 1588	4900	Biiobo32.exe	102
PID 4900 wrote to memory of 1588	4900	Biiobo32.exe	102
PID 1588 wrote to memory of 3264	1588	Bbfmgd32.exe	103
PID 1588 wrote to memory of 3264	1588	Bbfmgd32.exe	103
PID 1588 wrote to memory of 3264	1588	Bbfmgd32.exe	103
PID 3264 wrote to memory of 2700	3264	Cmgqpkip.exe	104
PID 3264 wrote to memory of 2700	3264	Cmgqpkip.exe	104
PID 3264 wrote to memory of 2700	3264	Cmgqpkip.exe	104
PID 2700 wrote to memory of 5096	2700	Dgihop32.exe	105
PID 2700 wrote to memory of 5096	2700	Dgihop32.exe	105
PID 2700 wrote to memory of 5096	2700	Dgihop32.exe	105
PID 5096 wrote to memory of 3188	5096	Ecbeip32.exe	106
PID 5096 wrote to memory of 3188	5096	Ecbeip32.exe	106
PID 5096 wrote to memory of 3188	5096	Ecbeip32.exe	106
PID 3188 wrote to memory of 4560	3188	Fgiaemic.exe	107
PID 3188 wrote to memory of 4560	3188	Fgiaemic.exe	107
PID 3188 wrote to memory of 4560	3188	Fgiaemic.exe	107
PID 4560 wrote to memory of 4832	4560	Fgnjqm32.exe	108
PID 4560 wrote to memory of 4832	4560	Fgnjqm32.exe	108
PID 4560 wrote to memory of 4832	4560	Fgnjqm32.exe	108
PID 4832 wrote to memory of 5048	4832	Gcghkm32.exe	109
PID 4832 wrote to memory of 5048	4832	Gcghkm32.exe	109
PID 4832 wrote to memory of 5048	4832	Gcghkm32.exe	109
PID 5048 wrote to memory of 1600	5048	Gndbie32.exe	110
PID 5048 wrote to memory of 1600	5048	Gndbie32.exe	110
PID 5048 wrote to memory of 1600	5048	Gndbie32.exe	110
PID 1600 wrote to memory of 436	1600	Hchqbkkm.exe	111
PID 1600 wrote to memory of 436	1600	Hchqbkkm.exe	111
PID 1600 wrote to memory of 436	1600	Hchqbkkm.exe	111
PID 436 wrote to memory of 2748	436	Ilfodgeg.exe	112

C:\Users\Admin\AppData\Local\Temp\NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ac984490a1b2814af2ad2abf6bb4e9c0_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\SysWOW64\Kbhmbdle.exe
  C:\Windows\system32\Kbhmbdle.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\Ledepn32.exe
    C:\Windows\system32\Ledepn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\SysWOW64\Mjggal32.exe
      C:\Windows\system32\Mjggal32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3176
    - - C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
      - C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        29⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 400
        30⤵
        Program crash
        
        PID:2892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 400
        30⤵
        Program crash
        
        PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2448 -ip 2448
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajohfcpj.exe

Filesize
128KB

MD5
f8de1a63f745d5ea207d48c1835b37fe

SHA1
29990fb43501ead48925cb54a2f1f74873c2c45a

SHA256
185cca1784822287c1f84c634d19cb89d5b73ed8ae7c08fb227697ef5e69074a

SHA512
397096e76cbe8039747d79f2bf12b6467008a7a6c45b1894296fb650b69740aac066002269a989f51eaf9a66c606bf31250ad6f2dae19201d5734269b6323f85

Download Submit
C:\Windows\SysWOW64\Ajohfcpj.exe

Filesize
128KB

MD5
f8de1a63f745d5ea207d48c1835b37fe

SHA1
29990fb43501ead48925cb54a2f1f74873c2c45a

SHA256
185cca1784822287c1f84c634d19cb89d5b73ed8ae7c08fb227697ef5e69074a

SHA512
397096e76cbe8039747d79f2bf12b6467008a7a6c45b1894296fb650b69740aac066002269a989f51eaf9a66c606bf31250ad6f2dae19201d5734269b6323f85

Download Submit
C:\Windows\SysWOW64\Bbfmgd32.exe

Filesize
128KB

MD5
729ffd60ae3b73cbf033d97a54daceda

SHA1
4225eef285c85937df978c68b40bf8626808fcec

SHA256
81cedc6e16a0c750a8c8f0005e9e02970c3c7cb7555c5664564e1f14d84a7628

SHA512
2a0f0997eb2ce2b09cf5ad01341478897a299ca6a42ee3c2f0b24183b9e83df89d10d2ed0509a8232b7946d47d73da774016a67f9bceddf850464a868e315ed5

Download Submit
C:\Windows\SysWOW64\Bbfmgd32.exe

Filesize
128KB

MD5
729ffd60ae3b73cbf033d97a54daceda

SHA1
4225eef285c85937df978c68b40bf8626808fcec

SHA256
81cedc6e16a0c750a8c8f0005e9e02970c3c7cb7555c5664564e1f14d84a7628

SHA512
2a0f0997eb2ce2b09cf5ad01341478897a299ca6a42ee3c2f0b24183b9e83df89d10d2ed0509a8232b7946d47d73da774016a67f9bceddf850464a868e315ed5

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
128KB

MD5
c6fbf108f8b530376f894b444926abfe

SHA1
2748eca23cdd2cbe19d0380bbc445050c32602b7

SHA256
f91dabbfc4e5735ffed6246613066e4a9fa6ebe32dc58fbaa2d0f0a96be04ff4

SHA512
e0aea5dde2ae213e601c0970d1f01a932a18de686c9c93d622dbf48fb79546f1124af571d55eef7f383df0ed894ea1f6a53f23a101741d02c9f4fda98020fff5

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
128KB

MD5
c6fbf108f8b530376f894b444926abfe

SHA1
2748eca23cdd2cbe19d0380bbc445050c32602b7

SHA256
f91dabbfc4e5735ffed6246613066e4a9fa6ebe32dc58fbaa2d0f0a96be04ff4

SHA512
e0aea5dde2ae213e601c0970d1f01a932a18de686c9c93d622dbf48fb79546f1124af571d55eef7f383df0ed894ea1f6a53f23a101741d02c9f4fda98020fff5

Download Submit
C:\Windows\SysWOW64\Cmgqpkip.exe

Filesize
128KB

MD5
7b259868236c13bc10a88606ada9fcbb

SHA1
29821edc59be8ee9ed623c7319d6d20ea4403495

SHA256
09cc051b81c844f2229ba3fb54673b124a942e989523126d13bb0a00587da0b5

SHA512
ab11dd13927b30dd4dc8f6f8f9058957a965bbfa660639ba059383529b4a81ec02f9e91e9d210718fc26c3f941b4816e13716dbd46003926940d8594576af604

Download Submit
C:\Windows\SysWOW64\Cmgqpkip.exe

Filesize
128KB

MD5
7b259868236c13bc10a88606ada9fcbb

SHA1
29821edc59be8ee9ed623c7319d6d20ea4403495

SHA256
09cc051b81c844f2229ba3fb54673b124a942e989523126d13bb0a00587da0b5

SHA512
ab11dd13927b30dd4dc8f6f8f9058957a965bbfa660639ba059383529b4a81ec02f9e91e9d210718fc26c3f941b4816e13716dbd46003926940d8594576af604

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
128KB

MD5
2d1c3e4fbbc8ecd14d85f57a4d33e909

SHA1
425cd0286dbe25ef52669f76222b3163ddfc7bb2

SHA256
f96cc7931de32a40c0f2abda80f98086daac5b63a6129115bb199b687042dad9

SHA512
29b20d998249d0624ca480cd4c8cba5ad01aab2d8ef0de809fabaa878c6b397a2aed31ab0e44d7eeb6999b93db9a0f4ffa487deadd06d4c56c1a68a7ed3183a0

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
128KB

MD5
2d1c3e4fbbc8ecd14d85f57a4d33e909

SHA1
425cd0286dbe25ef52669f76222b3163ddfc7bb2

SHA256
f96cc7931de32a40c0f2abda80f98086daac5b63a6129115bb199b687042dad9

SHA512
29b20d998249d0624ca480cd4c8cba5ad01aab2d8ef0de809fabaa878c6b397a2aed31ab0e44d7eeb6999b93db9a0f4ffa487deadd06d4c56c1a68a7ed3183a0

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
128KB

MD5
2d1c3e4fbbc8ecd14d85f57a4d33e909

SHA1
425cd0286dbe25ef52669f76222b3163ddfc7bb2

SHA256
f96cc7931de32a40c0f2abda80f98086daac5b63a6129115bb199b687042dad9

SHA512
29b20d998249d0624ca480cd4c8cba5ad01aab2d8ef0de809fabaa878c6b397a2aed31ab0e44d7eeb6999b93db9a0f4ffa487deadd06d4c56c1a68a7ed3183a0

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
128KB

MD5
7c75bb8beb499a80581aa3f22e56a1fe

SHA1
02904e220930380ab3dc69cdf16aae3021085705

SHA256
b0e22d8d715873bc1bf01d5eb30809865d46133f5ecb6aa11af220d7afbb0c55

SHA512
eb57ec4ae9f1d7e0be9033bb2e0cd9ce78ddc04cbf9cc7fa215000bc10803b088d15445222e56347040152a6156fbca20f7c044c8123cc70f41aa6b5cc56f28b

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
128KB

MD5
7c75bb8beb499a80581aa3f22e56a1fe

SHA1
02904e220930380ab3dc69cdf16aae3021085705

SHA256
b0e22d8d715873bc1bf01d5eb30809865d46133f5ecb6aa11af220d7afbb0c55

SHA512
eb57ec4ae9f1d7e0be9033bb2e0cd9ce78ddc04cbf9cc7fa215000bc10803b088d15445222e56347040152a6156fbca20f7c044c8123cc70f41aa6b5cc56f28b

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
128KB

MD5
bff5a8a6a4f9a6566b14fd3b468b5ae9

SHA1
f7d543e22e95506e784390a70607da0a9332f3d3

SHA256
21e6b56b994b37618ab51a8201984483b41cfb49f899b457a6863205134af907

SHA512
6bd8da94c77dda1c31327d404dae5b8dd2abc6b613851432a7504d444dd03d2e5caae51157ce1a19d31c9f50254ec49606bc4fec0e1003f763c6b01b6e0bd4d1

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
128KB

MD5
bff5a8a6a4f9a6566b14fd3b468b5ae9

SHA1
f7d543e22e95506e784390a70607da0a9332f3d3

SHA256
21e6b56b994b37618ab51a8201984483b41cfb49f899b457a6863205134af907

SHA512
6bd8da94c77dda1c31327d404dae5b8dd2abc6b613851432a7504d444dd03d2e5caae51157ce1a19d31c9f50254ec49606bc4fec0e1003f763c6b01b6e0bd4d1

Download Submit
C:\Windows\SysWOW64\Fgnjqm32.exe

Filesize
128KB

MD5
484321d21aa89df7167c3d0629ab65e7

SHA1
ad05777dba7cbf71d4c29eb50faf8bc24852d53f

SHA256
930e2681a95634436d3aa5200fea4d69e92c5534d32e5fc3cfdc4b98d05c1b66

SHA512
5cdcd76b119d8bdce85448dd6f1a5c37da86a40903bac5bdeed1795d9994134361b9b72150a5c79bc357c564a19ddbe0612d0c914b138a261ebec49dd4a6b9d1

Download Submit
C:\Windows\SysWOW64\Fgnjqm32.exe

Filesize
128KB

MD5
484321d21aa89df7167c3d0629ab65e7

SHA1
ad05777dba7cbf71d4c29eb50faf8bc24852d53f

SHA256
930e2681a95634436d3aa5200fea4d69e92c5534d32e5fc3cfdc4b98d05c1b66

SHA512
5cdcd76b119d8bdce85448dd6f1a5c37da86a40903bac5bdeed1795d9994134361b9b72150a5c79bc357c564a19ddbe0612d0c914b138a261ebec49dd4a6b9d1

Download Submit
C:\Windows\SysWOW64\Gcghkm32.exe

Filesize
128KB

MD5
abe277f790fff606e7e023d91cbcc648

SHA1
ffdb181b764faa87196232f45345e2fe0d9fe6a1

SHA256
641c9471a24696f1c213d9075bb2dd5fdf996aa7091cedde99061159be550e49

SHA512
fe6b1bcd28435c39ebc191dac70487f16df40799fbb80df38ba297ed628b4d6973276f254b9e6909423ceef69abcaa3334f9a736b974b1e325106b8260a051a7

Download Submit
C:\Windows\SysWOW64\Gcghkm32.exe

Filesize
128KB

MD5
abe277f790fff606e7e023d91cbcc648

SHA1
ffdb181b764faa87196232f45345e2fe0d9fe6a1

SHA256
641c9471a24696f1c213d9075bb2dd5fdf996aa7091cedde99061159be550e49

SHA512
fe6b1bcd28435c39ebc191dac70487f16df40799fbb80df38ba297ed628b4d6973276f254b9e6909423ceef69abcaa3334f9a736b974b1e325106b8260a051a7

Download Submit
C:\Windows\SysWOW64\Gndbie32.exe

Filesize
128KB

MD5
d011cd0410b907b7105dda2ffcfd1f81

SHA1
1f287ac4c61049849276f8050bfa5f12ca03b2f9

SHA256
e8a4629205e7d27715247820bd01652493a4298cd6666cf8669681460db07272

SHA512
73f533bc6f81a065f8e1ed17b9737396a1811b5955224eb178b536180bdf4e118671893e2b9f857ab185c6ce7d0b6fe2eb8a9e66e0a82a4a923e43e06356f2c7

Download Submit
C:\Windows\SysWOW64\Gndbie32.exe

Filesize
128KB

MD5
d011cd0410b907b7105dda2ffcfd1f81

SHA1
1f287ac4c61049849276f8050bfa5f12ca03b2f9

SHA256
e8a4629205e7d27715247820bd01652493a4298cd6666cf8669681460db07272

SHA512
73f533bc6f81a065f8e1ed17b9737396a1811b5955224eb178b536180bdf4e118671893e2b9f857ab185c6ce7d0b6fe2eb8a9e66e0a82a4a923e43e06356f2c7

Download Submit
C:\Windows\SysWOW64\Gndbie32.exe

Filesize
128KB

MD5
d011cd0410b907b7105dda2ffcfd1f81

SHA1
1f287ac4c61049849276f8050bfa5f12ca03b2f9

SHA256
e8a4629205e7d27715247820bd01652493a4298cd6666cf8669681460db07272

SHA512
73f533bc6f81a065f8e1ed17b9737396a1811b5955224eb178b536180bdf4e118671893e2b9f857ab185c6ce7d0b6fe2eb8a9e66e0a82a4a923e43e06356f2c7

Download Submit
C:\Windows\SysWOW64\Hchqbkkm.exe

Filesize
128KB

MD5
763bec5bd2ea4fe2e14610b341c67c16

SHA1
e54346ea95ecf1d2da8b6ac55642ccd5f990f2a0

SHA256
8a28e762712009c3f9ade3e3139d6720fc6732b461b618947dfbe836a800d9a0

SHA512
5d00884fa7f7174b13b738acbbedf4f35e5aa48a02461e15606748d0604dd83de82849e31186ad2ed8df41f35bb29ea6825d2adaeffa1bd29e93a066373c687e

Download Submit
C:\Windows\SysWOW64\Hchqbkkm.exe

Filesize
128KB

MD5
763bec5bd2ea4fe2e14610b341c67c16

SHA1
e54346ea95ecf1d2da8b6ac55642ccd5f990f2a0

SHA256
8a28e762712009c3f9ade3e3139d6720fc6732b461b618947dfbe836a800d9a0

SHA512
5d00884fa7f7174b13b738acbbedf4f35e5aa48a02461e15606748d0604dd83de82849e31186ad2ed8df41f35bb29ea6825d2adaeffa1bd29e93a066373c687e

Download Submit
C:\Windows\SysWOW64\Igmoih32.exe

Filesize
128KB

MD5
f20edb36ec6120951287d27afc6430d2

SHA1
3a3301813ff9ba17e10a486a68674e870f53db10

SHA256
0930a3db0663cd32c606ddc687c9678c27c7f7c6942a5b90a12178993ad98d56

SHA512
33245d7255397e872390a8c8f5d6fcd22bfcda25061c6e180d8962f9d131ba65ae5ef53413d0a6105775c1f90087b37145e7fe99ba9082b18c2e08e40fd3da8d

Download Submit
C:\Windows\SysWOW64\Igmoih32.exe

Filesize
128KB

MD5
f20edb36ec6120951287d27afc6430d2

SHA1
3a3301813ff9ba17e10a486a68674e870f53db10

SHA256
0930a3db0663cd32c606ddc687c9678c27c7f7c6942a5b90a12178993ad98d56

SHA512
33245d7255397e872390a8c8f5d6fcd22bfcda25061c6e180d8962f9d131ba65ae5ef53413d0a6105775c1f90087b37145e7fe99ba9082b18c2e08e40fd3da8d

Download Submit
C:\Windows\SysWOW64\Ilfodgeg.exe

Filesize
128KB

MD5
fd5cd0f655c24ef20c5dcc6c58e5faf3

SHA1
429c1d41e7337da91ca08a859a9bd1825456d535

SHA256
ad49ede8ff58066a01f1226fa04a4c87af622332965dba448b3798200800526e

SHA512
65bc0f7424f48150121f527118375142a0f43e7083d106d1cd9fa6eda62d9e88ad9915c97d03d3495dfdf95a36d8ee6359db56accb04442dceba4a20451acd57

Download Submit
C:\Windows\SysWOW64\Ilfodgeg.exe

Filesize
128KB

MD5
fd5cd0f655c24ef20c5dcc6c58e5faf3

SHA1
429c1d41e7337da91ca08a859a9bd1825456d535

SHA256
ad49ede8ff58066a01f1226fa04a4c87af622332965dba448b3798200800526e

SHA512
65bc0f7424f48150121f527118375142a0f43e7083d106d1cd9fa6eda62d9e88ad9915c97d03d3495dfdf95a36d8ee6359db56accb04442dceba4a20451acd57

Download Submit
C:\Windows\SysWOW64\Ilmedf32.exe

Filesize
128KB

MD5
0ac5c363e04daf1992c2327694ed8df8

SHA1
cf1dae4d489e154d13cd54c6a07e0c43c5464a49

SHA256
ff6866999e89f53d9f7d4a2b67f89fa2269bf5efd9e0c346a7d6c2cdd0d2dc42

SHA512
3852fd351030f139da731ac147ce508cd79e1c07dc71d8f23b4379d513e328f0d6d40726badcac11a74635f4bd938d1df80a56b711de0287b41d3b07eb8759e4

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
128KB

MD5
a66fff4b035866e9856d7099b20736a4

SHA1
ac518097d66f57fdfba2a12e66d6a3c129663a9d

SHA256
8a414597a63cc3fb9de70fe1f2110bd80ec149acaf52b8f841ec3072bd35ca78

SHA512
17199cd3ad266fb544fdb977a642836530e68a8ba30b3c3d19b8e4a063574ab9b64a07e105dacdf9301d66b40bf1c16f2bebe29280974ac80e323f0680515cc3

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
128KB

MD5
a66fff4b035866e9856d7099b20736a4

SHA1
ac518097d66f57fdfba2a12e66d6a3c129663a9d

SHA256
8a414597a63cc3fb9de70fe1f2110bd80ec149acaf52b8f841ec3072bd35ca78

SHA512
17199cd3ad266fb544fdb977a642836530e68a8ba30b3c3d19b8e4a063574ab9b64a07e105dacdf9301d66b40bf1c16f2bebe29280974ac80e323f0680515cc3

Download Submit
C:\Windows\SysWOW64\Kbhmbdle.exe

Filesize
128KB

MD5
17147a47a6524f4b09bc8dbf8d0b10b1

SHA1
9ce3d0917dcdd1a7ecfe49db6fa3c325ec125b72

SHA256
58efc2efaa96ec88e6a34508f56fbeffd86693afdd6b33f909996edad0eddf16

SHA512
59da9d661595a19acca292ccb760aae398eabd70f79fb2b19068887eaa2e45c2c2b9e25df62ffb66c5b1f94db14e77c0dd105d3b818f493cd4cdacf5c9b26366

Download Submit
C:\Windows\SysWOW64\Kbhmbdle.exe

Filesize
128KB

MD5
17147a47a6524f4b09bc8dbf8d0b10b1

SHA1
9ce3d0917dcdd1a7ecfe49db6fa3c325ec125b72

SHA256
58efc2efaa96ec88e6a34508f56fbeffd86693afdd6b33f909996edad0eddf16

SHA512
59da9d661595a19acca292ccb760aae398eabd70f79fb2b19068887eaa2e45c2c2b9e25df62ffb66c5b1f94db14e77c0dd105d3b818f493cd4cdacf5c9b26366

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
128KB

MD5
bc288d0f0c6bf4e36f6a34d9f229f825

SHA1
be937a42bdc568787869c0f4dd168218184a3818

SHA256
04b51f2e75757d283dcd7f7dd6880e4defcd9b71ecd7bbcf4f55580d2d537ea0

SHA512
324a7c34c65f4991474627d8c4d1661345dbfe37f078ba46ca86b03b300c557bc383d7140bef48ba9bd5f124afcfb129562a7f30e2d5f6adf6c1fed00de61247

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
128KB

MD5
bc288d0f0c6bf4e36f6a34d9f229f825

SHA1
be937a42bdc568787869c0f4dd168218184a3818

SHA256
04b51f2e75757d283dcd7f7dd6880e4defcd9b71ecd7bbcf4f55580d2d537ea0

SHA512
324a7c34c65f4991474627d8c4d1661345dbfe37f078ba46ca86b03b300c557bc383d7140bef48ba9bd5f124afcfb129562a7f30e2d5f6adf6c1fed00de61247

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
128KB

MD5
20e1978dd1b7c34c49c00343b3cfd320

SHA1
0f2ba50c9253f105b7acfa9ac6a306a2f97dba32

SHA256
16eb3c65841307c6043652111c889cf98a5267d7b842b3825eed20f281ea8835

SHA512
7a841c22ae80ecb5092275d42609a9bc469134ed3a1182e84c62aef791eeca76d78019d32f7f2265af5669649a93be7da30670cd403ba26dfb18332d1e1fcd0b

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
128KB

MD5
20e1978dd1b7c34c49c00343b3cfd320

SHA1
0f2ba50c9253f105b7acfa9ac6a306a2f97dba32

SHA256
16eb3c65841307c6043652111c889cf98a5267d7b842b3825eed20f281ea8835

SHA512
7a841c22ae80ecb5092275d42609a9bc469134ed3a1182e84c62aef791eeca76d78019d32f7f2265af5669649a93be7da30670cd403ba26dfb18332d1e1fcd0b

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
128KB

MD5
cb57a0222c48dba5d97040610fea2f6f

SHA1
8c584a623062769b6f7d2209dbf44339852a5d0a

SHA256
fe9af2e530c0b9b81eb1390da21a415150f9d02b1d2d7a2fcf2af88bbe3735b1

SHA512
a9714a7528f00928ec3c8e214ffaf2994069c3e106d1c1ddd284d6f1892397357a13564799ff2f00eb29f9b13e135204a08f04f38b49b92c570701ae33782751

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
128KB

MD5
cb57a0222c48dba5d97040610fea2f6f

SHA1
8c584a623062769b6f7d2209dbf44339852a5d0a

SHA256
fe9af2e530c0b9b81eb1390da21a415150f9d02b1d2d7a2fcf2af88bbe3735b1

SHA512
a9714a7528f00928ec3c8e214ffaf2994069c3e106d1c1ddd284d6f1892397357a13564799ff2f00eb29f9b13e135204a08f04f38b49b92c570701ae33782751

Download Submit
C:\Windows\SysWOW64\Ledepn32.exe

Filesize
128KB

MD5
6b36665be2c9a7b24ea769dca31bb0cc

SHA1
b748d709d57114adc15642fd2dcdea6eaf8f609e

SHA256
53e5fccef6f24d349493fe7e4edbb727cdd361e5c78f9f3b927c68cdc38ba607

SHA512
5e006fdeb06ac21e34a3d473e32e2e7d298605ac5facd17417fa0c2f06aac2339998ff1946574143422dffe35131109114d5efa18c7e77d4337242d86856f1db

Download Submit
C:\Windows\SysWOW64\Ledepn32.exe

Filesize
128KB

MD5
6b36665be2c9a7b24ea769dca31bb0cc

SHA1
b748d709d57114adc15642fd2dcdea6eaf8f609e

SHA256
53e5fccef6f24d349493fe7e4edbb727cdd361e5c78f9f3b927c68cdc38ba607

SHA512
5e006fdeb06ac21e34a3d473e32e2e7d298605ac5facd17417fa0c2f06aac2339998ff1946574143422dffe35131109114d5efa18c7e77d4337242d86856f1db

Download Submit
C:\Windows\SysWOW64\Mjggal32.exe

Filesize
128KB

MD5
f83867654d7d21a3c706126f064fbddc

SHA1
3dbc10a4dfdeb353f3e8c444fe16fb79cccf8b3f

SHA256
ce710939bb36345f8031645502e6cf498cfa2d75410a195f60dd08d717dea9c5

SHA512
0ea8ed71531de28ea2337c9c0ca2d40bbe90540162a4b6157cf742dd73bb39835f33aeee64aa44db42129256c237fc56ae28f2f8ed73ed15f463bfcb70a291ac

Download Submit
C:\Windows\SysWOW64\Mjggal32.exe

Filesize
128KB

MD5
f83867654d7d21a3c706126f064fbddc

SHA1
3dbc10a4dfdeb353f3e8c444fe16fb79cccf8b3f

SHA256
ce710939bb36345f8031645502e6cf498cfa2d75410a195f60dd08d717dea9c5

SHA512
0ea8ed71531de28ea2337c9c0ca2d40bbe90540162a4b6157cf742dd73bb39835f33aeee64aa44db42129256c237fc56ae28f2f8ed73ed15f463bfcb70a291ac

Download Submit
C:\Windows\SysWOW64\Mjpjgj32.exe

Filesize
128KB

MD5
098282b9fe6b07162215e12ac538f557

SHA1
7d555051daf9917a8aff8ede7ebbecb073acce47

SHA256
8555abdbe22542a8c34b9183770caeea1eecc9663fd4479b3d2f368416dedb9d

SHA512
1e9fefbfb53f4c9117a009c8cb8b655b7d67aacb455b988d8f7ab4fe36b171142e75507653b5ee79965e1cae39da148f788d09e302427ae4137325a6d0830a90

Download Submit
C:\Windows\SysWOW64\Mjpjgj32.exe

Filesize
128KB

MD5
098282b9fe6b07162215e12ac538f557

SHA1
7d555051daf9917a8aff8ede7ebbecb073acce47

SHA256
8555abdbe22542a8c34b9183770caeea1eecc9663fd4479b3d2f368416dedb9d

SHA512
1e9fefbfb53f4c9117a009c8cb8b655b7d67aacb455b988d8f7ab4fe36b171142e75507653b5ee79965e1cae39da148f788d09e302427ae4137325a6d0830a90

Download Submit
C:\Windows\SysWOW64\Nhhdnf32.exe

Filesize
128KB

MD5
45834c425536a53b3564787dcb8f38fa

SHA1
5e1c34be51732f76683d4db46531139e335c3f77

SHA256
ffd8995f0d00c65e391c1f04c2057d89b413e71a0e6af69b720f224598a8d36f

SHA512
e5189b6f0ee32eb4838f472d73452600a3a13a591f837d45c2a9d40eb63c46ed5745e5ef2246e2e69ce4addf44e881ed9c41766c0235033b92dd4471dd3c0c22

Download Submit
C:\Windows\SysWOW64\Nhhdnf32.exe

Filesize
128KB

MD5
45834c425536a53b3564787dcb8f38fa

SHA1
5e1c34be51732f76683d4db46531139e335c3f77

SHA256
ffd8995f0d00c65e391c1f04c2057d89b413e71a0e6af69b720f224598a8d36f

SHA512
e5189b6f0ee32eb4838f472d73452600a3a13a591f837d45c2a9d40eb63c46ed5745e5ef2246e2e69ce4addf44e881ed9c41766c0235033b92dd4471dd3c0c22

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
64KB

MD5
0ecb611600e5e7169b5f2472c5a38a12

SHA1
c5c5a2f0c3655da2257340c8f0ebb30905287ee5

SHA256
15de899c9abede3d77d74d9b3964cc73b4b05645708a3c616ff962c5fc4bd4c2

SHA512
c211390bf0a5f56bdeeb2f72e494d7aeb06e0294f4e9f64f9c3680ed4f3b054d6665f771ce04018a784f50fc7f6f921d5ac37fe8f0820001e5a3ae0d8ee3ee7b

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
128KB

MD5
1e1ab4b040b4a58547efb241d0a33fdf

SHA1
14abb381b618364c7f8a11ec079b6aa0f02a7a8b

SHA256
95dfb53f322a612145d1ad22e059011902a459597027d216dbcbc4277019000a

SHA512
0218a74331175ce452b9c72a45c9999dde02dc0016e218bcde984ac74cc021f573adb3f7c6e9db9e94fa935b7ba28fd34471ad5d706e0e600c948ec7a0e8325a

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
128KB

MD5
1e1ab4b040b4a58547efb241d0a33fdf

SHA1
14abb381b618364c7f8a11ec079b6aa0f02a7a8b

SHA256
95dfb53f322a612145d1ad22e059011902a459597027d216dbcbc4277019000a

SHA512
0218a74331175ce452b9c72a45c9999dde02dc0016e218bcde984ac74cc021f573adb3f7c6e9db9e94fa935b7ba28fd34471ad5d706e0e600c948ec7a0e8325a

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
128KB

MD5
22596156b45bcfbcb54c10c31bb90c85

SHA1
dcc07febee7f65bb474279ccef1e3ddb33ad39d4

SHA256
74751405819d1c7fca0527551c4e5403246b5a847500f5366ed0648bf690eadf

SHA512
41cfb9855902b6267c00aa320e9dce3092f602a680d9e30273d40c1067f7e3867a9784b4e5e19c82308942eaacf3d835c26e9db3870482b5a34ba473a288c9e6

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
128KB

MD5
22596156b45bcfbcb54c10c31bb90c85

SHA1
dcc07febee7f65bb474279ccef1e3ddb33ad39d4

SHA256
74751405819d1c7fca0527551c4e5403246b5a847500f5366ed0648bf690eadf

SHA512
41cfb9855902b6267c00aa320e9dce3092f602a680d9e30273d40c1067f7e3867a9784b4e5e19c82308942eaacf3d835c26e9db3870482b5a34ba473a288c9e6

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
128KB

MD5
22596156b45bcfbcb54c10c31bb90c85

SHA1
dcc07febee7f65bb474279ccef1e3ddb33ad39d4

SHA256
74751405819d1c7fca0527551c4e5403246b5a847500f5366ed0648bf690eadf

SHA512
41cfb9855902b6267c00aa320e9dce3092f602a680d9e30273d40c1067f7e3867a9784b4e5e19c82308942eaacf3d835c26e9db3870482b5a34ba473a288c9e6

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
128KB

MD5
9c9a8d5f15ac69e12ed2cd8990ed8dea

SHA1
349a08f576510549de2452da14e47a7d82f8e968

SHA256
c144ae6d19538f0af674141720a17ec104225b9dbaeb5f4dbf2776bcd6b65fc6

SHA512
20e713a60c83e283e13b4aeb3f15c7ef2633da103a92deb0acc8e7918c49f70a42a291da4b552ef46459bff72f1208086a7a5b62e18b65ff18795dd5c30343a1

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
128KB

MD5
9c9a8d5f15ac69e12ed2cd8990ed8dea

SHA1
349a08f576510549de2452da14e47a7d82f8e968

SHA256
c144ae6d19538f0af674141720a17ec104225b9dbaeb5f4dbf2776bcd6b65fc6

SHA512
20e713a60c83e283e13b4aeb3f15c7ef2633da103a92deb0acc8e7918c49f70a42a291da4b552ef46459bff72f1208086a7a5b62e18b65ff18795dd5c30343a1

Download Submit
C:\Windows\SysWOW64\Qpbnhl32.exe

Filesize
128KB

MD5
597f57cc3427039978ea6d9aa08c2a62

SHA1
0f4739dd371e53f36710226599185d1c9e51685c

SHA256
32f6fdc22a7512c5c71ce5c3de0fb782781ae4988c1808c75076cbc6c6d8c8d8

SHA512
32e372ab3cd6272c39277e16a516e0c3bb9b7fa25305a39b83f43ae1875b4a860acb172993a74acf038873880df7b515f4d8b5eea6975ea564c9f28a9775de9b

Download Submit
C:\Windows\SysWOW64\Qpbnhl32.exe

Filesize
128KB

MD5
597f57cc3427039978ea6d9aa08c2a62

SHA1
0f4739dd371e53f36710226599185d1c9e51685c

SHA256
32f6fdc22a7512c5c71ce5c3de0fb782781ae4988c1808c75076cbc6c6d8c8d8

SHA512
32e372ab3cd6272c39277e16a516e0c3bb9b7fa25305a39b83f43ae1875b4a860acb172993a74acf038873880df7b515f4d8b5eea6975ea564c9f28a9775de9b

Download Submit
memory/436-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3644-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3644-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5096-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5096-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads