6b9cf055ab53634353ddf6d5852d9903b4b91d6d7def9bb2434fa30bb6383303

Analysis

max time kernel
125s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 17:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe
Size

59KB
MD5

ebb2f655ac280f5f4be303ac67b99aff
SHA1

0ab1a6818011e04676fbb8dd2cf1801d37de5443
SHA256

6b9cf055ab53634353ddf6d5852d9903b4b91d6d7def9bb2434fa30bb6383303
SHA512

6d1b7bb7ba8741256e5122a3245a3b861a6c7daca043881c73d6938c8defe588512973fca3380985b965823011a45c644f0943abd3fb7f1fbdb0f432f2da6895
SSDEEP

768:4IheiWJ221A2FAFcVtf2mhTWzqY9R2mSRl/xHo8TNwd5ZK6SZ/1H54l5nf1fZMEd:+ZJB1j/fHKzff3ilpIe6oOPNCyVso

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogmiepcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnbapjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miklkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihjjln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjinjnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djbbhafj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glinjqhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jodlof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcikfcab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgmebnpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jonlimkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miklkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkbkbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmdjha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jodlof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkflpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjcjmclj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Limpiomm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjpoio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkflpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgmebnpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnbapjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfoac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbphcpog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehklmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djbbhafj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjpoio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giddddad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iooimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iooimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajmgof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikkdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdihfq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihjjln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Limpiomm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogmiepcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbphcpog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlhlleeh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjinjnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmdjha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfoac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlhlleeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehklmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giddddad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkbkbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdihfq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glinjqhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jonlimkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnenchoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnenchoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hikkdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjcjmclj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcikfcab.exe

Executes dropped EXE 28 IoCs

pid	Process
4572	Hgmebnpd.exe
452	Jonlimkg.exe
1656	Jmdjha32.exe
3084	Kjcjmclj.exe
4056	Limpiomm.exe
4732	Miklkm32.exe
5000	Ogmiepcf.exe
3264	Pnenchoc.exe
2700	Qdihfq32.exe
1436	Adnbapjp.exe
440	Ajmgof32.exe
2732	Bnfoac32.exe
2092	Dbphcpog.exe
4336	Dlhlleeh.exe
2456	Djbbhafj.exe
3568	Ehklmd32.exe
2288	Fjpoio32.exe
1360	Glinjqhb.exe
2924	Giddddad.exe
3388	Hikkdc32.exe
4128	Iooimi32.exe
4972	Ihjjln32.exe
2176	Jbkbkbfo.exe
2252	Jodlof32.exe
3608	Kmjinjnj.exe
2656	Kcikfcab.exe
4992	Lkflpe32.exe
5092	Mbldhn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Limpiomm.exe	Kjcjmclj.exe
File opened for modification	C:\Windows\SysWOW64\Limpiomm.exe	Kjcjmclj.exe
File created	C:\Windows\SysWOW64\Dekibcga.dll	Kjcjmclj.exe
File created	C:\Windows\SysWOW64\Fpffjn32.dll	Miklkm32.exe
File created	C:\Windows\SysWOW64\Ihjjln32.exe	Iooimi32.exe
File created	C:\Windows\SysWOW64\Hholim32.dll	Jbkbkbfo.exe
File created	C:\Windows\SysWOW64\Jmdjha32.exe	Jonlimkg.exe
File created	C:\Windows\SysWOW64\Djbbhafj.exe	Dlhlleeh.exe
File created	C:\Windows\SysWOW64\Jbkbkbfo.exe	Ihjjln32.exe
File created	C:\Windows\SysWOW64\Qdihfq32.exe	Pnenchoc.exe
File created	C:\Windows\SysWOW64\Pnenchoc.exe	Ogmiepcf.exe
File created	C:\Windows\SysWOW64\Adnbapjp.exe	Qdihfq32.exe
File created	C:\Windows\SysWOW64\Glinjqhb.exe	Fjpoio32.exe
File opened for modification	C:\Windows\SysWOW64\Giddddad.exe	Glinjqhb.exe
File opened for modification	C:\Windows\SysWOW64\Lkflpe32.exe	Kcikfcab.exe
File created	C:\Windows\SysWOW64\Jdlbgl32.dll	NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe
File created	C:\Windows\SysWOW64\Dbphcpog.exe	Bnfoac32.exe
File opened for modification	C:\Windows\SysWOW64\Ehklmd32.exe	Djbbhafj.exe
File created	C:\Windows\SysWOW64\Bbappaql.dll	Djbbhafj.exe
File created	C:\Windows\SysWOW64\Iooimi32.exe	Hikkdc32.exe
File created	C:\Windows\SysWOW64\Gemabmdn.dll	Iooimi32.exe
File created	C:\Windows\SysWOW64\Kqiibcbk.dll	Ihjjln32.exe
File created	C:\Windows\SysWOW64\Blgmmd32.dll	Kcikfcab.exe
File created	C:\Windows\SysWOW64\Djdlpdhq.dll	Ajmgof32.exe
File opened for modification	C:\Windows\SysWOW64\Mbldhn32.exe	Lkflpe32.exe
File opened for modification	C:\Windows\SysWOW64\Jodlof32.exe	Jbkbkbfo.exe
File created	C:\Windows\SysWOW64\Kigmon32.dll	Lkflpe32.exe
File created	C:\Windows\SysWOW64\Polnbakm.dll	Adnbapjp.exe
File created	C:\Windows\SysWOW64\Hikkdc32.exe	Giddddad.exe
File opened for modification	C:\Windows\SysWOW64\Hikkdc32.exe	Giddddad.exe
File created	C:\Windows\SysWOW64\Miklkm32.exe	Limpiomm.exe
File created	C:\Windows\SysWOW64\Emldnf32.dll	Dbphcpog.exe
File created	C:\Windows\SysWOW64\Nopkoobi.dll	Dlhlleeh.exe
File created	C:\Windows\SysWOW64\Bhbiql32.dll	Giddddad.exe
File opened for modification	C:\Windows\SysWOW64\Jbkbkbfo.exe	Ihjjln32.exe
File created	C:\Windows\SysWOW64\Kmjinjnj.exe	Jodlof32.exe
File opened for modification	C:\Windows\SysWOW64\Miklkm32.exe	Limpiomm.exe
File created	C:\Windows\SysWOW64\Olanmmjm.dll	Limpiomm.exe
File created	C:\Windows\SysWOW64\Dafhdj32.dll	Ogmiepcf.exe
File created	C:\Windows\SysWOW64\Hgmebnpd.exe	NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe
File created	C:\Windows\SysWOW64\Ajmgof32.exe	Adnbapjp.exe
File created	C:\Windows\SysWOW64\Fjpoio32.exe	Ehklmd32.exe
File opened for modification	C:\Windows\SysWOW64\Fjpoio32.exe	Ehklmd32.exe
File created	C:\Windows\SysWOW64\Hgonpaol.dll	Hikkdc32.exe
File created	C:\Windows\SysWOW64\Lcmmho32.dll	Jodlof32.exe
File opened for modification	C:\Windows\SysWOW64\Hgmebnpd.exe	NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe
File opened for modification	C:\Windows\SysWOW64\Bnfoac32.exe	Ajmgof32.exe
File opened for modification	C:\Windows\SysWOW64\Dbphcpog.exe	Bnfoac32.exe
File created	C:\Windows\SysWOW64\Giddddad.exe	Glinjqhb.exe
File created	C:\Windows\SysWOW64\Jodlof32.exe	Jbkbkbfo.exe
File created	C:\Windows\SysWOW64\Kcikfcab.exe	Kmjinjnj.exe
File opened for modification	C:\Windows\SysWOW64\Kcikfcab.exe	Kmjinjnj.exe
File created	C:\Windows\SysWOW64\Gohokhje.dll	Hgmebnpd.exe
File opened for modification	C:\Windows\SysWOW64\Iooimi32.exe	Hikkdc32.exe
File created	C:\Windows\SysWOW64\Eqnmad32.dll	Kmjinjnj.exe
File created	C:\Windows\SysWOW64\Ocikabbg.dll	Pnenchoc.exe
File created	C:\Windows\SysWOW64\Mcckpooc.dll	Jmdjha32.exe
File opened for modification	C:\Windows\SysWOW64\Ogmiepcf.exe	Miklkm32.exe
File opened for modification	C:\Windows\SysWOW64\Pnenchoc.exe	Ogmiepcf.exe
File opened for modification	C:\Windows\SysWOW64\Qdihfq32.exe	Pnenchoc.exe
File created	C:\Windows\SysWOW64\Dlhlleeh.exe	Dbphcpog.exe
File created	C:\Windows\SysWOW64\Lmlihj32.dll	Ehklmd32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjinjnj.exe	Jodlof32.exe
File created	C:\Windows\SysWOW64\Jonlimkg.exe	Hgmebnpd.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1588	5092	WerFault.exe	120
3992	5092	WerFault.exe	120

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafhdj32.dll"	Ogmiepcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehklmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jonlimkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jodlof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkbkbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olanmmjm.dll"	Limpiomm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adnbapjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlhlleeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djbbhafj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmmho32.dll"	Jodlof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjinjnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekibcga.dll"	Kjcjmclj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Limpiomm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogmiepcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhackbjl.dll"	Glinjqhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdlbgl32.dll"	NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfoac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlhlleeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfoac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hholim32.dll"	Jbkbkbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blgmmd32.dll"	Kcikfcab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohokhje.dll"	Hgmebnpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Limpiomm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkbkbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnbapjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjpoio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbphcpog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmlihj32.dll"	Ehklmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpffjn32.dll"	Miklkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnenchoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjpoio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hikkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdihfq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abflab32.dll"	Bnfoac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopkoobi.dll"	Dlhlleeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giddddad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjinjnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigmon32.dll"	Lkflpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miklkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glinjqhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbiql32.dll"	Giddddad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polnbakm.dll"	Adnbapjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbphcpog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emldnf32.dll"	Dbphcpog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djbbhafj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hikkdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgmebnpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmdjha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miklkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jodlof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogmiepcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnenchoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glinjqhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcikfcab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcckpooc.dll"	Jmdjha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmdjha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjcjmclj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcikfcab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafnik32.dll"	Qdihfq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giddddad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4572	3484	NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe	93
PID 3484 wrote to memory of 4572	3484	NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe	93
PID 3484 wrote to memory of 4572	3484	NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe	93
PID 4572 wrote to memory of 452	4572	Hgmebnpd.exe	94
PID 4572 wrote to memory of 452	4572	Hgmebnpd.exe	94
PID 4572 wrote to memory of 452	4572	Hgmebnpd.exe	94
PID 452 wrote to memory of 1656	452	Jonlimkg.exe	95
PID 452 wrote to memory of 1656	452	Jonlimkg.exe	95
PID 452 wrote to memory of 1656	452	Jonlimkg.exe	95
PID 1656 wrote to memory of 3084	1656	Jmdjha32.exe	96
PID 1656 wrote to memory of 3084	1656	Jmdjha32.exe	96
PID 1656 wrote to memory of 3084	1656	Jmdjha32.exe	96
PID 3084 wrote to memory of 4056	3084	Kjcjmclj.exe	97
PID 3084 wrote to memory of 4056	3084	Kjcjmclj.exe	97
PID 3084 wrote to memory of 4056	3084	Kjcjmclj.exe	97
PID 4056 wrote to memory of 4732	4056	Limpiomm.exe	98
PID 4056 wrote to memory of 4732	4056	Limpiomm.exe	98
PID 4056 wrote to memory of 4732	4056	Limpiomm.exe	98
PID 4732 wrote to memory of 5000	4732	Miklkm32.exe	99
PID 4732 wrote to memory of 5000	4732	Miklkm32.exe	99
PID 4732 wrote to memory of 5000	4732	Miklkm32.exe	99
PID 5000 wrote to memory of 3264	5000	Ogmiepcf.exe	100
PID 5000 wrote to memory of 3264	5000	Ogmiepcf.exe	100
PID 5000 wrote to memory of 3264	5000	Ogmiepcf.exe	100
PID 3264 wrote to memory of 2700	3264	Pnenchoc.exe	101
PID 3264 wrote to memory of 2700	3264	Pnenchoc.exe	101
PID 3264 wrote to memory of 2700	3264	Pnenchoc.exe	101
PID 2700 wrote to memory of 1436	2700	Qdihfq32.exe	102
PID 2700 wrote to memory of 1436	2700	Qdihfq32.exe	102
PID 2700 wrote to memory of 1436	2700	Qdihfq32.exe	102
PID 1436 wrote to memory of 440	1436	Adnbapjp.exe	103
PID 1436 wrote to memory of 440	1436	Adnbapjp.exe	103
PID 1436 wrote to memory of 440	1436	Adnbapjp.exe	103
PID 440 wrote to memory of 2732	440	Ajmgof32.exe	104
PID 440 wrote to memory of 2732	440	Ajmgof32.exe	104
PID 440 wrote to memory of 2732	440	Ajmgof32.exe	104
PID 2732 wrote to memory of 2092	2732	Bnfoac32.exe	105
PID 2732 wrote to memory of 2092	2732	Bnfoac32.exe	105
PID 2732 wrote to memory of 2092	2732	Bnfoac32.exe	105
PID 2092 wrote to memory of 4336	2092	Dbphcpog.exe	106
PID 2092 wrote to memory of 4336	2092	Dbphcpog.exe	106
PID 2092 wrote to memory of 4336	2092	Dbphcpog.exe	106
PID 4336 wrote to memory of 2456	4336	Dlhlleeh.exe	107
PID 4336 wrote to memory of 2456	4336	Dlhlleeh.exe	107
PID 4336 wrote to memory of 2456	4336	Dlhlleeh.exe	107
PID 2456 wrote to memory of 3568	2456	Djbbhafj.exe	108
PID 2456 wrote to memory of 3568	2456	Djbbhafj.exe	108
PID 2456 wrote to memory of 3568	2456	Djbbhafj.exe	108
PID 3568 wrote to memory of 2288	3568	Ehklmd32.exe	109
PID 3568 wrote to memory of 2288	3568	Ehklmd32.exe	109
PID 3568 wrote to memory of 2288	3568	Ehklmd32.exe	109
PID 2288 wrote to memory of 1360	2288	Fjpoio32.exe	110
PID 2288 wrote to memory of 1360	2288	Fjpoio32.exe	110
PID 2288 wrote to memory of 1360	2288	Fjpoio32.exe	110
PID 1360 wrote to memory of 2924	1360	Glinjqhb.exe	111
PID 1360 wrote to memory of 2924	1360	Glinjqhb.exe	111
PID 1360 wrote to memory of 2924	1360	Glinjqhb.exe	111
PID 2924 wrote to memory of 3388	2924	Giddddad.exe	112
PID 2924 wrote to memory of 3388	2924	Giddddad.exe	112
PID 2924 wrote to memory of 3388	2924	Giddddad.exe	112
PID 3388 wrote to memory of 4128	3388	Hikkdc32.exe	113
PID 3388 wrote to memory of 4128	3388	Hikkdc32.exe	113
PID 3388 wrote to memory of 4128	3388	Hikkdc32.exe	113
PID 4128 wrote to memory of 4972	4128	Iooimi32.exe	114

C:\Users\Admin\AppData\Local\Temp\NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ebb2f655ac280f5f4be303ac67b99aff_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\SysWOW64\Hgmebnpd.exe
  C:\Windows\system32\Hgmebnpd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\Jonlimkg.exe
    C:\Windows\system32\Jonlimkg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\SysWOW64\Jmdjha32.exe
      C:\Windows\system32\Jmdjha32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\Kjcjmclj.exe
        
        C:\Windows\system32\Kjcjmclj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Windows\SysWOW64\Limpiomm.exe
        
        C:\Windows\system32\Limpiomm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Miklkm32.exe
        
        C:\Windows\system32\Miklkm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Ogmiepcf.exe
        
        C:\Windows\system32\Ogmiepcf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Pnenchoc.exe
        
        C:\Windows\system32\Pnenchoc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Qdihfq32.exe
        
        C:\Windows\system32\Qdihfq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Adnbapjp.exe
        
        C:\Windows\system32\Adnbapjp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Ajmgof32.exe
        
        C:\Windows\system32\Ajmgof32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Bnfoac32.exe
        
        C:\Windows\system32\Bnfoac32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Dbphcpog.exe
        
        C:\Windows\system32\Dbphcpog.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Dlhlleeh.exe
        
        C:\Windows\system32\Dlhlleeh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Djbbhafj.exe
        
        C:\Windows\system32\Djbbhafj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Ehklmd32.exe
        
        C:\Windows\system32\Ehklmd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Fjpoio32.exe
        
        C:\Windows\system32\Fjpoio32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Glinjqhb.exe
        
        C:\Windows\system32\Glinjqhb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Giddddad.exe
        
        C:\Windows\system32\Giddddad.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Hikkdc32.exe
        
        C:\Windows\system32\Hikkdc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Iooimi32.exe
        
        C:\Windows\system32\Iooimi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Ihjjln32.exe
        
        C:\Windows\system32\Ihjjln32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Jbkbkbfo.exe
        
        C:\Windows\system32\Jbkbkbfo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Jodlof32.exe
        
        C:\Windows\system32\Jodlof32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Kmjinjnj.exe
        
        C:\Windows\system32\Kmjinjnj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Kcikfcab.exe
        
        C:\Windows\system32\Kcikfcab.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Lkflpe32.exe
        
        C:\Windows\system32\Lkflpe32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Mbldhn32.exe
        
        C:\Windows\system32\Mbldhn32.exe
        29⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 400
        30⤵
        Program crash
        
        PID:1588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 400
        30⤵
        Program crash
        
        PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5092 -ip 5092
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adnbapjp.exe

Filesize
59KB

MD5
3c295da70e064c589cc975a1595d2293

SHA1
d04454019857abc3d6a798532d9bf707918331a6

SHA256
c427d6d966a04b5ea356e5c0b27111895de90fd0733275a910e7a3e0dbc06807

SHA512
bc56b3ed94279f1a115d3774f18d0a17889b8633216c5385314b40658f5b67ea361ebe2d4500aff4870f0decf92291d3353f99d8993488d19a6f157af8915c1f

Download Submit
C:\Windows\SysWOW64\Adnbapjp.exe

Filesize
59KB

MD5
3c295da70e064c589cc975a1595d2293

SHA1
d04454019857abc3d6a798532d9bf707918331a6

SHA256
c427d6d966a04b5ea356e5c0b27111895de90fd0733275a910e7a3e0dbc06807

SHA512
bc56b3ed94279f1a115d3774f18d0a17889b8633216c5385314b40658f5b67ea361ebe2d4500aff4870f0decf92291d3353f99d8993488d19a6f157af8915c1f

Download Submit
C:\Windows\SysWOW64\Ajmgof32.exe

Filesize
59KB

MD5
e464ff972bb8b3d1c2fb38754159eb9f

SHA1
b0432b67dde5968bf1aa2498caa2cac6f47eb9ac

SHA256
4105f5110ba7882b0b9534b977c949af52489ac1eab24fdd82021e75ff3d80e1

SHA512
a95c69af1e3b422364191a1da4249abead8190f538278f5978bf3ada41e741a34b976ad9a2d81e1ff9f3f420c7bf050aa7b4cba29b6f79757050d72e75096c92

Download Submit
C:\Windows\SysWOW64\Ajmgof32.exe

Filesize
59KB

MD5
e464ff972bb8b3d1c2fb38754159eb9f

SHA1
b0432b67dde5968bf1aa2498caa2cac6f47eb9ac

SHA256
4105f5110ba7882b0b9534b977c949af52489ac1eab24fdd82021e75ff3d80e1

SHA512
a95c69af1e3b422364191a1da4249abead8190f538278f5978bf3ada41e741a34b976ad9a2d81e1ff9f3f420c7bf050aa7b4cba29b6f79757050d72e75096c92

Download Submit
C:\Windows\SysWOW64\Bnfoac32.exe

Filesize
59KB

MD5
b5649865fd9cbc73a419cf995c6c5f48

SHA1
5c0f274182e576e06a20428d297de66a0dcff05a

SHA256
c7e099d552a0cf5faff0583a6f1668ea04930e99a69e7e1bc3d70760147eb291

SHA512
8440158026d511c47e76c8c5164452e9eb1e86a344f44a4c16f711d5c94f87a34428e9b6bc1a3d6d10de6cef5375223dcc7db191d16d4acabb7e3a26036b294a

Download Submit
C:\Windows\SysWOW64\Bnfoac32.exe

Filesize
59KB

MD5
b5649865fd9cbc73a419cf995c6c5f48

SHA1
5c0f274182e576e06a20428d297de66a0dcff05a

SHA256
c7e099d552a0cf5faff0583a6f1668ea04930e99a69e7e1bc3d70760147eb291

SHA512
8440158026d511c47e76c8c5164452e9eb1e86a344f44a4c16f711d5c94f87a34428e9b6bc1a3d6d10de6cef5375223dcc7db191d16d4acabb7e3a26036b294a

Download Submit
C:\Windows\SysWOW64\Dbphcpog.exe

Filesize
59KB

MD5
f724dac7acd5544550db6d23dd6de335

SHA1
7b4cc91c58fa7bb97ec92440873c8cb5057b1935

SHA256
59d526575b6b8a0ce510708caf9089a860684f5d51f6317890c31e725cdce346

SHA512
ed56b35a8daee1043f5848c84d0e972e0f49188606c1d496635c3587d25e19a859edf0eccc256645bbd356eb384a3f3fe532935d6c87c25b21ae6f8dfeb0c219

Download Submit
C:\Windows\SysWOW64\Dbphcpog.exe

Filesize
59KB

MD5
f724dac7acd5544550db6d23dd6de335

SHA1
7b4cc91c58fa7bb97ec92440873c8cb5057b1935

SHA256
59d526575b6b8a0ce510708caf9089a860684f5d51f6317890c31e725cdce346

SHA512
ed56b35a8daee1043f5848c84d0e972e0f49188606c1d496635c3587d25e19a859edf0eccc256645bbd356eb384a3f3fe532935d6c87c25b21ae6f8dfeb0c219

Download Submit
C:\Windows\SysWOW64\Djbbhafj.exe

Filesize
59KB

MD5
191ba6643e27cbe1ba10912c6ec447ac

SHA1
e3c481927c88ae9989b35aee63258a22c8fa2a59

SHA256
48eedb468971ef727daced015864333cfe636a2e2f08277f7d945d89d800fe85

SHA512
dc24bd446193b45ed0943159109dc6df6a69a0620b7f2b11336dedb6e8522833019f914a0b33dfc767656ecfcc89660014be57124300cebd6dc8e150969e9cc1

Download Submit
C:\Windows\SysWOW64\Djbbhafj.exe

Filesize
59KB

MD5
191ba6643e27cbe1ba10912c6ec447ac

SHA1
e3c481927c88ae9989b35aee63258a22c8fa2a59

SHA256
48eedb468971ef727daced015864333cfe636a2e2f08277f7d945d89d800fe85

SHA512
dc24bd446193b45ed0943159109dc6df6a69a0620b7f2b11336dedb6e8522833019f914a0b33dfc767656ecfcc89660014be57124300cebd6dc8e150969e9cc1

Download Submit
C:\Windows\SysWOW64\Dlhlleeh.exe

Filesize
59KB

MD5
f724dac7acd5544550db6d23dd6de335

SHA1
7b4cc91c58fa7bb97ec92440873c8cb5057b1935

SHA256
59d526575b6b8a0ce510708caf9089a860684f5d51f6317890c31e725cdce346

SHA512
ed56b35a8daee1043f5848c84d0e972e0f49188606c1d496635c3587d25e19a859edf0eccc256645bbd356eb384a3f3fe532935d6c87c25b21ae6f8dfeb0c219

Download Submit
C:\Windows\SysWOW64\Dlhlleeh.exe

Filesize
59KB

MD5
14f78a9abeda8a0d903634382b1f9200

SHA1
0a34f73771110c41a4340c1e12a299bc3944e9d1

SHA256
b33bc90ebe9bf2c2674062baa7475b31cc602d5e9b5c0ce9e5b19bad1723fc7b

SHA512
702b0078b0bf7b67367cf3cfb54b37b212b2d0ac9cbff027c480038b4a834ceeaa7f7c4cd06cd5812a226d1f41a1ce9272f16d9ea21b46e78952155a795f5b3e

Download Submit
C:\Windows\SysWOW64\Dlhlleeh.exe

Filesize
59KB

MD5
14f78a9abeda8a0d903634382b1f9200

SHA1
0a34f73771110c41a4340c1e12a299bc3944e9d1

SHA256
b33bc90ebe9bf2c2674062baa7475b31cc602d5e9b5c0ce9e5b19bad1723fc7b

SHA512
702b0078b0bf7b67367cf3cfb54b37b212b2d0ac9cbff027c480038b4a834ceeaa7f7c4cd06cd5812a226d1f41a1ce9272f16d9ea21b46e78952155a795f5b3e

Download Submit
C:\Windows\SysWOW64\Ehklmd32.exe

Filesize
59KB

MD5
9fd366ca7f6447053f1e4b96428c24da

SHA1
c5e99d40385ab2f128f4f6fbadd8cfae92c1a520

SHA256
b69c59bc05289688a24326aa6885d07e5bb3c55c38f6ebfb5af87e8884bfd267

SHA512
2584928e2be0c5a1f6a1de3ad0a5f44b1d2a6a6e6a6fd1eb1098776f3dab87c163eeb1db353a73e0571822ce82f241a3ca6c33b669c494a48c06ae5ad87e1e6e

Download Submit
C:\Windows\SysWOW64\Ehklmd32.exe

Filesize
59KB

MD5
9fd366ca7f6447053f1e4b96428c24da

SHA1
c5e99d40385ab2f128f4f6fbadd8cfae92c1a520

SHA256
b69c59bc05289688a24326aa6885d07e5bb3c55c38f6ebfb5af87e8884bfd267

SHA512
2584928e2be0c5a1f6a1de3ad0a5f44b1d2a6a6e6a6fd1eb1098776f3dab87c163eeb1db353a73e0571822ce82f241a3ca6c33b669c494a48c06ae5ad87e1e6e

Download Submit
C:\Windows\SysWOW64\Ehklmd32.exe

Filesize
59KB

MD5
9fd366ca7f6447053f1e4b96428c24da

SHA1
c5e99d40385ab2f128f4f6fbadd8cfae92c1a520

SHA256
b69c59bc05289688a24326aa6885d07e5bb3c55c38f6ebfb5af87e8884bfd267

SHA512
2584928e2be0c5a1f6a1de3ad0a5f44b1d2a6a6e6a6fd1eb1098776f3dab87c163eeb1db353a73e0571822ce82f241a3ca6c33b669c494a48c06ae5ad87e1e6e

Download Submit
C:\Windows\SysWOW64\Fjpoio32.exe

Filesize
59KB

MD5
9fd366ca7f6447053f1e4b96428c24da

SHA1
c5e99d40385ab2f128f4f6fbadd8cfae92c1a520

SHA256
b69c59bc05289688a24326aa6885d07e5bb3c55c38f6ebfb5af87e8884bfd267

SHA512
2584928e2be0c5a1f6a1de3ad0a5f44b1d2a6a6e6a6fd1eb1098776f3dab87c163eeb1db353a73e0571822ce82f241a3ca6c33b669c494a48c06ae5ad87e1e6e

Download Submit
C:\Windows\SysWOW64\Fjpoio32.exe

Filesize
59KB

MD5
4f3f8854002d63d571d0ab4aede946e8

SHA1
85f96eb54c54a7adcfd62f98e8593155675a8e28

SHA256
e95d56eb4652ccc0425f61ba34bc765f2509e27d7dc4f82455364e0288928dda

SHA512
3e4cff1d8c27deb1dec329dcc9e6edce80fbccc748f407f911a9716a27c2c8eb6dc1ff95d10481d891580c39a33ae28fb02833d63562251a2be6419117f23b64

Download Submit
C:\Windows\SysWOW64\Fjpoio32.exe

Filesize
59KB

MD5
4f3f8854002d63d571d0ab4aede946e8

SHA1
85f96eb54c54a7adcfd62f98e8593155675a8e28

SHA256
e95d56eb4652ccc0425f61ba34bc765f2509e27d7dc4f82455364e0288928dda

SHA512
3e4cff1d8c27deb1dec329dcc9e6edce80fbccc748f407f911a9716a27c2c8eb6dc1ff95d10481d891580c39a33ae28fb02833d63562251a2be6419117f23b64

Download Submit
C:\Windows\SysWOW64\Giddddad.exe

Filesize
59KB

MD5
09257668354834afd0080e1e1de20f24

SHA1
e941da4930776587bda548288161785e9585717d

SHA256
7969584e68b91f3e6ad5228ad37fc5a21dcafbcbdc5d41b60caaadb6a5fd854e

SHA512
bb8e7602d81c5eb048e4f56948ad57365da6f39f767c09f7bf7d0a2207ad721314b990e222567ff4156bf679374180f5234d8241fc480873679b70cf5976c557

Download Submit
C:\Windows\SysWOW64\Giddddad.exe

Filesize
59KB

MD5
09257668354834afd0080e1e1de20f24

SHA1
e941da4930776587bda548288161785e9585717d

SHA256
7969584e68b91f3e6ad5228ad37fc5a21dcafbcbdc5d41b60caaadb6a5fd854e

SHA512
bb8e7602d81c5eb048e4f56948ad57365da6f39f767c09f7bf7d0a2207ad721314b990e222567ff4156bf679374180f5234d8241fc480873679b70cf5976c557

Download Submit
C:\Windows\SysWOW64\Glinjqhb.exe

Filesize
59KB

MD5
531a1642aea3091671bbaaec10556be0

SHA1
f9050957bd3e37a1128d8f0652ae91d88a775ac9

SHA256
8c313d66dcb63b33adf2aac1d106a634c8ca3e5f07f0305f5a04d16d95094f96

SHA512
b8db3c4a7ef53ce27c51232161b880f965b8781f44da718a8c90121d53490663e8d49b230208887ff95514f25e248e58da146882b7045c0669c2c8d84af8deaf

Download Submit
C:\Windows\SysWOW64\Glinjqhb.exe

Filesize
59KB

MD5
531a1642aea3091671bbaaec10556be0

SHA1
f9050957bd3e37a1128d8f0652ae91d88a775ac9

SHA256
8c313d66dcb63b33adf2aac1d106a634c8ca3e5f07f0305f5a04d16d95094f96

SHA512
b8db3c4a7ef53ce27c51232161b880f965b8781f44da718a8c90121d53490663e8d49b230208887ff95514f25e248e58da146882b7045c0669c2c8d84af8deaf

Download Submit
C:\Windows\SysWOW64\Hgmebnpd.exe

Filesize
59KB

MD5
73260c5f707dd44bcba57bae3a787eda

SHA1
da25846d0d5ee07bd47c99c1da84af538e3ee10f

SHA256
071223624732d39e9e69162f7b552eaa0812e3a81ee76921d2f40c80ebed748f

SHA512
e9a93d2150c05f1338e9d702e9e2c2ddfed83cbd55b003d6afbb4da57d4217e5d9f0c208d45aca78b03bc44f6a3899c0d100432c43026bb63c64f19763ecb3c2

Download Submit
C:\Windows\SysWOW64\Hgmebnpd.exe

Filesize
59KB

MD5
73260c5f707dd44bcba57bae3a787eda

SHA1
da25846d0d5ee07bd47c99c1da84af538e3ee10f

SHA256
071223624732d39e9e69162f7b552eaa0812e3a81ee76921d2f40c80ebed748f

SHA512
e9a93d2150c05f1338e9d702e9e2c2ddfed83cbd55b003d6afbb4da57d4217e5d9f0c208d45aca78b03bc44f6a3899c0d100432c43026bb63c64f19763ecb3c2

Download Submit
C:\Windows\SysWOW64\Hikkdc32.exe

Filesize
59KB

MD5
921aab2d019db10d92cda0b3e871dfa0

SHA1
03506aebf3ecaccef64fe40bf9c15dd0957af2cb

SHA256
692c76fd2fdce3f2fc9bc37d3529ffdb4a648db0a5aa9fac6063d6f95905a11c

SHA512
3d1d2074a331575f0c87d6a8544f9b020ebe67bf226f5dfdff5c92684bccc512351772cf6d5f72947d2f49e3b1fac064ba3fb67f996100c88ec01ff457f461ef

Download Submit
C:\Windows\SysWOW64\Hikkdc32.exe

Filesize
59KB

MD5
921aab2d019db10d92cda0b3e871dfa0

SHA1
03506aebf3ecaccef64fe40bf9c15dd0957af2cb

SHA256
692c76fd2fdce3f2fc9bc37d3529ffdb4a648db0a5aa9fac6063d6f95905a11c

SHA512
3d1d2074a331575f0c87d6a8544f9b020ebe67bf226f5dfdff5c92684bccc512351772cf6d5f72947d2f49e3b1fac064ba3fb67f996100c88ec01ff457f461ef

Download Submit
C:\Windows\SysWOW64\Ihjjln32.exe

Filesize
59KB

MD5
afca3f7a3f5e92639a49f22e2f108fa8

SHA1
681d99606fac794b2b9b20dfed141a0dfab643b9

SHA256
856be90a4ab1878b676a201f0de4fdd5c3a8013c1b13f65fe48e15994172d2e7

SHA512
7f8bdc320c2fb4725ca13ed4f73a847d7a793c2e59c287b0ad5670e2bcb2880d39eb79239d6955ba93f7bb9b96c84b709e0ed74bf39e06ac6ffd5d5f9a5ea285

Download Submit
C:\Windows\SysWOW64\Ihjjln32.exe

Filesize
59KB

MD5
afca3f7a3f5e92639a49f22e2f108fa8

SHA1
681d99606fac794b2b9b20dfed141a0dfab643b9

SHA256
856be90a4ab1878b676a201f0de4fdd5c3a8013c1b13f65fe48e15994172d2e7

SHA512
7f8bdc320c2fb4725ca13ed4f73a847d7a793c2e59c287b0ad5670e2bcb2880d39eb79239d6955ba93f7bb9b96c84b709e0ed74bf39e06ac6ffd5d5f9a5ea285

Download Submit
C:\Windows\SysWOW64\Iooimi32.exe

Filesize
59KB

MD5
aba6eae319e77b65a9367b6dc51bcfda

SHA1
fa6330cb94f231f9cfe1a88b1e26f1310773d1b0

SHA256
5f26f6569f54d7cd73f5dbd106b35aecc02e088427c42e724130c1d7e491366c

SHA512
7400bc0dc823ee311bc7c018cfa1a1af23ea40c014dbcefd3987c88144c514585b78c00d452efafd1d0c6caf51420ca69a7c561bb1c92c2257f9b5a8f294cd8d

Download Submit
C:\Windows\SysWOW64\Iooimi32.exe

Filesize
59KB

MD5
aba6eae319e77b65a9367b6dc51bcfda

SHA1
fa6330cb94f231f9cfe1a88b1e26f1310773d1b0

SHA256
5f26f6569f54d7cd73f5dbd106b35aecc02e088427c42e724130c1d7e491366c

SHA512
7400bc0dc823ee311bc7c018cfa1a1af23ea40c014dbcefd3987c88144c514585b78c00d452efafd1d0c6caf51420ca69a7c561bb1c92c2257f9b5a8f294cd8d

Download Submit
C:\Windows\SysWOW64\Iooimi32.exe

Filesize
59KB

MD5
aba6eae319e77b65a9367b6dc51bcfda

SHA1
fa6330cb94f231f9cfe1a88b1e26f1310773d1b0

SHA256
5f26f6569f54d7cd73f5dbd106b35aecc02e088427c42e724130c1d7e491366c

SHA512
7400bc0dc823ee311bc7c018cfa1a1af23ea40c014dbcefd3987c88144c514585b78c00d452efafd1d0c6caf51420ca69a7c561bb1c92c2257f9b5a8f294cd8d

Download Submit
C:\Windows\SysWOW64\Jbkbkbfo.exe

Filesize
59KB

MD5
d912eb55a29e67935860f5a704126a0c

SHA1
dc55d114adaffd48d1f73f9be6e0d6d05a6cd07f

SHA256
458fe466d144b6935762567dcb1e0379ec99777146e35a593b1b845f59e319c0

SHA512
646ed1511dbdbd08006d5961e20f2d65ae48d529fbf17cf90385af0aa763bdedb80089b4287b66be3d54893b8dc3dd0a4496df4d4cab420514d357f8442d2688

Download Submit
C:\Windows\SysWOW64\Jbkbkbfo.exe

Filesize
59KB

MD5
d912eb55a29e67935860f5a704126a0c

SHA1
dc55d114adaffd48d1f73f9be6e0d6d05a6cd07f

SHA256
458fe466d144b6935762567dcb1e0379ec99777146e35a593b1b845f59e319c0

SHA512
646ed1511dbdbd08006d5961e20f2d65ae48d529fbf17cf90385af0aa763bdedb80089b4287b66be3d54893b8dc3dd0a4496df4d4cab420514d357f8442d2688

Download Submit
C:\Windows\SysWOW64\Jmdjha32.exe

Filesize
59KB

MD5
94cc9a1330910e2eddb5b68529593bbc

SHA1
b8018270d0d24b8a71391bfd288bcfb4333ed9ad

SHA256
c0b05c5c56f6d27972c173ff07e6382849d2da9105fcac6d64aa582458b9b109

SHA512
e819289c7929bba63378f213de2507f0517c4129297c204900daf4728cd20e0dce1ae4495ecc3d55b77bc8380d745d24954b8e859d7b500b5b70f9466b57b34e

Download Submit
C:\Windows\SysWOW64\Jmdjha32.exe

Filesize
59KB

MD5
94cc9a1330910e2eddb5b68529593bbc

SHA1
b8018270d0d24b8a71391bfd288bcfb4333ed9ad

SHA256
c0b05c5c56f6d27972c173ff07e6382849d2da9105fcac6d64aa582458b9b109

SHA512
e819289c7929bba63378f213de2507f0517c4129297c204900daf4728cd20e0dce1ae4495ecc3d55b77bc8380d745d24954b8e859d7b500b5b70f9466b57b34e

Download Submit
C:\Windows\SysWOW64\Jodlof32.exe

Filesize
59KB

MD5
c064aa4fc76f3bbac34aea9df8d0e781

SHA1
8aeaf0741c6e408b6904164d1423db4247f4949d

SHA256
d5fac3115f598aff04be27da492cb3ef229776a77390149aab55e96e32e60e1b

SHA512
eac2c167920f9a4ac8a778d71d8a162dc9df0181b7542f4a30af3dc043251ab50e110a1e2c4e45714809129fbcbe36a9c54bdeae19ac4565c4ce4262e2e7c1ff

Download Submit
C:\Windows\SysWOW64\Jodlof32.exe

Filesize
59KB

MD5
c064aa4fc76f3bbac34aea9df8d0e781

SHA1
8aeaf0741c6e408b6904164d1423db4247f4949d

SHA256
d5fac3115f598aff04be27da492cb3ef229776a77390149aab55e96e32e60e1b

SHA512
eac2c167920f9a4ac8a778d71d8a162dc9df0181b7542f4a30af3dc043251ab50e110a1e2c4e45714809129fbcbe36a9c54bdeae19ac4565c4ce4262e2e7c1ff

Download Submit
C:\Windows\SysWOW64\Jonlimkg.exe

Filesize
59KB

MD5
06762654cca35927bfe439b9bf5dc5c3

SHA1
3d86073e7db0025b2907db4b02f0c597c1965c1c

SHA256
f975bec921b7262635ae38c5810ade9cc49325cb2afa804a5d1e95863155fd9f

SHA512
ade6728f529f29ec1b25f2482b7664eaec4c810ddcb359b02b835ccd5775e4ae2a8791571ad3940f17d804f56460518ea76b600dd34ef299ff79ce5c1e275122

Download Submit
C:\Windows\SysWOW64\Jonlimkg.exe

Filesize
59KB

MD5
06762654cca35927bfe439b9bf5dc5c3

SHA1
3d86073e7db0025b2907db4b02f0c597c1965c1c

SHA256
f975bec921b7262635ae38c5810ade9cc49325cb2afa804a5d1e95863155fd9f

SHA512
ade6728f529f29ec1b25f2482b7664eaec4c810ddcb359b02b835ccd5775e4ae2a8791571ad3940f17d804f56460518ea76b600dd34ef299ff79ce5c1e275122

Download Submit
C:\Windows\SysWOW64\Jonlimkg.exe

Filesize
59KB

MD5
06762654cca35927bfe439b9bf5dc5c3

SHA1
3d86073e7db0025b2907db4b02f0c597c1965c1c

SHA256
f975bec921b7262635ae38c5810ade9cc49325cb2afa804a5d1e95863155fd9f

SHA512
ade6728f529f29ec1b25f2482b7664eaec4c810ddcb359b02b835ccd5775e4ae2a8791571ad3940f17d804f56460518ea76b600dd34ef299ff79ce5c1e275122

Download Submit
C:\Windows\SysWOW64\Kcikfcab.exe

Filesize
59KB

MD5
179c17519bc673fef9dd9a04f389782b

SHA1
0f7591f08ba16c8c3c5f22abe336699113f17f95

SHA256
29ffc3509ad868abeccbe4c86e7a1e1cf786080a2a4a7c4a876b2882cff89d7f

SHA512
c7a821ef0f4360de13091300b2e9f30d29f2723413c2c182d27f517650bb9c1e56407611221d2dc3a0e512f98631e7fa65257282394a8b64553201e9e3097286

Download Submit
C:\Windows\SysWOW64\Kcikfcab.exe

Filesize
59KB

MD5
179c17519bc673fef9dd9a04f389782b

SHA1
0f7591f08ba16c8c3c5f22abe336699113f17f95

SHA256
29ffc3509ad868abeccbe4c86e7a1e1cf786080a2a4a7c4a876b2882cff89d7f

SHA512
c7a821ef0f4360de13091300b2e9f30d29f2723413c2c182d27f517650bb9c1e56407611221d2dc3a0e512f98631e7fa65257282394a8b64553201e9e3097286

Download Submit
C:\Windows\SysWOW64\Kjcjmclj.exe

Filesize
59KB

MD5
94cc9a1330910e2eddb5b68529593bbc

SHA1
b8018270d0d24b8a71391bfd288bcfb4333ed9ad

SHA256
c0b05c5c56f6d27972c173ff07e6382849d2da9105fcac6d64aa582458b9b109

SHA512
e819289c7929bba63378f213de2507f0517c4129297c204900daf4728cd20e0dce1ae4495ecc3d55b77bc8380d745d24954b8e859d7b500b5b70f9466b57b34e

Download Submit
C:\Windows\SysWOW64\Kjcjmclj.exe

Filesize
59KB

MD5
70a4fe15db8e22578f0ed9fc66ec91a3

SHA1
9c60a6d381c3c1abfc09a5e85054dea9aa082ff0

SHA256
0893dc61db6f5b8ce77b2836155175b2fe8624817f9c871adeac5467bcb1f9bb

SHA512
3083a7046da87a98ad1d8442bdf9c53211942073afb8d60c1dbea27d7c9afb736427ec1e2d6eda846066f1831c7ec905053b30d8e850caa90e32edcdf6b02fed

Download Submit
C:\Windows\SysWOW64\Kjcjmclj.exe

Filesize
59KB

MD5
70a4fe15db8e22578f0ed9fc66ec91a3

SHA1
9c60a6d381c3c1abfc09a5e85054dea9aa082ff0

SHA256
0893dc61db6f5b8ce77b2836155175b2fe8624817f9c871adeac5467bcb1f9bb

SHA512
3083a7046da87a98ad1d8442bdf9c53211942073afb8d60c1dbea27d7c9afb736427ec1e2d6eda846066f1831c7ec905053b30d8e850caa90e32edcdf6b02fed

Download Submit
C:\Windows\SysWOW64\Kmjinjnj.exe

Filesize
59KB

MD5
c064aa4fc76f3bbac34aea9df8d0e781

SHA1
8aeaf0741c6e408b6904164d1423db4247f4949d

SHA256
d5fac3115f598aff04be27da492cb3ef229776a77390149aab55e96e32e60e1b

SHA512
eac2c167920f9a4ac8a778d71d8a162dc9df0181b7542f4a30af3dc043251ab50e110a1e2c4e45714809129fbcbe36a9c54bdeae19ac4565c4ce4262e2e7c1ff

Download Submit
C:\Windows\SysWOW64\Kmjinjnj.exe

Filesize
59KB

MD5
17e723a38ca8d1d41dd09cc650a4fd54

SHA1
14c0b2338385ef7a31008129c96aeb2f72c616b1

SHA256
2d0a5047f3d616953bec89119ded97e3e8d4b36a61835a8ff0e3e3d14b59656c

SHA512
78fd6cdc5d042ca12cd833a76639931dea3711b6f2a1ef621f23a21601e3787a6c4b1a03ac98cc3653595baf75bdd54a496988043af5f527c7ed1cfd8536b302

Download Submit
C:\Windows\SysWOW64\Kmjinjnj.exe

Filesize
59KB

MD5
17e723a38ca8d1d41dd09cc650a4fd54

SHA1
14c0b2338385ef7a31008129c96aeb2f72c616b1

SHA256
2d0a5047f3d616953bec89119ded97e3e8d4b36a61835a8ff0e3e3d14b59656c

SHA512
78fd6cdc5d042ca12cd833a76639931dea3711b6f2a1ef621f23a21601e3787a6c4b1a03ac98cc3653595baf75bdd54a496988043af5f527c7ed1cfd8536b302

Download Submit
C:\Windows\SysWOW64\Limpiomm.exe

Filesize
59KB

MD5
bcb1e5363cea16fa7e4c44099a3cb10a

SHA1
eb7e687da872ac155f7801c113e8f4ca4f657fb9

SHA256
f788f228b101a5c5f560208b4bf6c2c707eda9b6361b4af85443841cb392a5b3

SHA512
2433414fa80e24c69e679022aae8f7704aba5499b5a7eb9ac78b20264a10cd8f2bcd082a065d21c6dc2913e18ce25c8dc047b350b00fd707cd3e71268d843709

Download Submit
C:\Windows\SysWOW64\Limpiomm.exe

Filesize
59KB

MD5
bcb1e5363cea16fa7e4c44099a3cb10a

SHA1
eb7e687da872ac155f7801c113e8f4ca4f657fb9

SHA256
f788f228b101a5c5f560208b4bf6c2c707eda9b6361b4af85443841cb392a5b3

SHA512
2433414fa80e24c69e679022aae8f7704aba5499b5a7eb9ac78b20264a10cd8f2bcd082a065d21c6dc2913e18ce25c8dc047b350b00fd707cd3e71268d843709

Download Submit
C:\Windows\SysWOW64\Lkflpe32.exe

Filesize
59KB

MD5
cb5d1d869aeb55a983a0e2a14aed0b6c

SHA1
bf418188492376092d9072fbf439568f3788f30f

SHA256
47865a3334c2e5c50af885614c6cffe0d0e30b6bb24412fce9fd7e39e50c04b0

SHA512
f1eee4ece094f60ff9533c659dc671fbb4df139f6c390db5d35620e4ee5abaeeb97e7c9bf0c0007a3e93fdfb35c0c09d413338cf7d7e0db2bd8af5ca674ab946

Download Submit
C:\Windows\SysWOW64\Lkflpe32.exe

Filesize
59KB

MD5
cb5d1d869aeb55a983a0e2a14aed0b6c

SHA1
bf418188492376092d9072fbf439568f3788f30f

SHA256
47865a3334c2e5c50af885614c6cffe0d0e30b6bb24412fce9fd7e39e50c04b0

SHA512
f1eee4ece094f60ff9533c659dc671fbb4df139f6c390db5d35620e4ee5abaeeb97e7c9bf0c0007a3e93fdfb35c0c09d413338cf7d7e0db2bd8af5ca674ab946

Download Submit
C:\Windows\SysWOW64\Mbldhn32.exe

Filesize
59KB

MD5
48cf5bc28610e036cd3e3cd00b45ec42

SHA1
0b4e6c131d2602f986cabe0a9773b8a50f1dae92

SHA256
f2df0a88795d17a4375f84e91d1e65326666a39ef8245952221973bbd5a44e4e

SHA512
b6ff0c86bd9760841cf96ca9585cce11caf0bdeea7b473b758b1eec8a8a391a11fbe4dc4ffad302488c7b9cb8cffb3e68603250f46d47f3ac031ff01fdc1ac31

Download Submit
C:\Windows\SysWOW64\Mbldhn32.exe

Filesize
59KB

MD5
48cf5bc28610e036cd3e3cd00b45ec42

SHA1
0b4e6c131d2602f986cabe0a9773b8a50f1dae92

SHA256
f2df0a88795d17a4375f84e91d1e65326666a39ef8245952221973bbd5a44e4e

SHA512
b6ff0c86bd9760841cf96ca9585cce11caf0bdeea7b473b758b1eec8a8a391a11fbe4dc4ffad302488c7b9cb8cffb3e68603250f46d47f3ac031ff01fdc1ac31

Download Submit
C:\Windows\SysWOW64\Miklkm32.exe

Filesize
59KB

MD5
1fb4042a4caaa6763111aa94fd23105e

SHA1
bfcd56a92abf795f8ca6f2495c3115e731453b2b

SHA256
88e17a1b6d862e5bc0e505ef71fa30431bf4804285b807399f6e99aa811b0ce8

SHA512
75ad7e00bc24fe2cfc6f79a8ead5b46f8927f792cf2a5b51caabbc71ada6e9c298bcd50952facda44b7be29c097f56fc0d547a2f3b4df837574029242e19e6b8

Download Submit
C:\Windows\SysWOW64\Miklkm32.exe

Filesize
59KB

MD5
1fb4042a4caaa6763111aa94fd23105e

SHA1
bfcd56a92abf795f8ca6f2495c3115e731453b2b

SHA256
88e17a1b6d862e5bc0e505ef71fa30431bf4804285b807399f6e99aa811b0ce8

SHA512
75ad7e00bc24fe2cfc6f79a8ead5b46f8927f792cf2a5b51caabbc71ada6e9c298bcd50952facda44b7be29c097f56fc0d547a2f3b4df837574029242e19e6b8

Download Submit
C:\Windows\SysWOW64\Miklkm32.exe

Filesize
59KB

MD5
1fb4042a4caaa6763111aa94fd23105e

SHA1
bfcd56a92abf795f8ca6f2495c3115e731453b2b

SHA256
88e17a1b6d862e5bc0e505ef71fa30431bf4804285b807399f6e99aa811b0ce8

SHA512
75ad7e00bc24fe2cfc6f79a8ead5b46f8927f792cf2a5b51caabbc71ada6e9c298bcd50952facda44b7be29c097f56fc0d547a2f3b4df837574029242e19e6b8

Download Submit
C:\Windows\SysWOW64\Ogmiepcf.exe

Filesize
59KB

MD5
4410b709d7abbaf0d3e6850bae08b0fc

SHA1
58d6ecc197eb74f5ef3ed0779e70110d38546d52

SHA256
5570018744db8b75c1066d38434b249f3ae4748f48ef0ac7c5136dda866138b8

SHA512
85fdae53c85a5bdf4418085a569a2128d0266fd24a00c0fccc24637dccb87ebb2a5797afe6e24acbf46bc18aecb43b52563b0c360ea67673a495ea4db9acecba

Download Submit
C:\Windows\SysWOW64\Ogmiepcf.exe

Filesize
59KB

MD5
4410b709d7abbaf0d3e6850bae08b0fc

SHA1
58d6ecc197eb74f5ef3ed0779e70110d38546d52

SHA256
5570018744db8b75c1066d38434b249f3ae4748f48ef0ac7c5136dda866138b8

SHA512
85fdae53c85a5bdf4418085a569a2128d0266fd24a00c0fccc24637dccb87ebb2a5797afe6e24acbf46bc18aecb43b52563b0c360ea67673a495ea4db9acecba

Download Submit
C:\Windows\SysWOW64\Pnenchoc.exe

Filesize
59KB

MD5
038dc39fda3761905d9b4f734a8c5a20

SHA1
4be9a95a62eeaa3f686afe6ef234a938a70e2431

SHA256
cf9339cbee3cfc5b22ff9b667dc7caa417e96bdc12921a3508c159cd3a38c68c

SHA512
57139c10ecdb87ecdd46763cc48a64a476da7fa6f7c224f58492c72e82c7300b4f1a9f6360592fdbf2c64118b55aa4946b5d1e1bdffb00bc29af3052d370b2bc

Download Submit
C:\Windows\SysWOW64\Pnenchoc.exe

Filesize
59KB

MD5
038dc39fda3761905d9b4f734a8c5a20

SHA1
4be9a95a62eeaa3f686afe6ef234a938a70e2431

SHA256
cf9339cbee3cfc5b22ff9b667dc7caa417e96bdc12921a3508c159cd3a38c68c

SHA512
57139c10ecdb87ecdd46763cc48a64a476da7fa6f7c224f58492c72e82c7300b4f1a9f6360592fdbf2c64118b55aa4946b5d1e1bdffb00bc29af3052d370b2bc

Download Submit
C:\Windows\SysWOW64\Pnenchoc.exe

Filesize
59KB

MD5
038dc39fda3761905d9b4f734a8c5a20

SHA1
4be9a95a62eeaa3f686afe6ef234a938a70e2431

SHA256
cf9339cbee3cfc5b22ff9b667dc7caa417e96bdc12921a3508c159cd3a38c68c

SHA512
57139c10ecdb87ecdd46763cc48a64a476da7fa6f7c224f58492c72e82c7300b4f1a9f6360592fdbf2c64118b55aa4946b5d1e1bdffb00bc29af3052d370b2bc

Download Submit
C:\Windows\SysWOW64\Qdihfq32.exe

Filesize
59KB

MD5
da63629c305e23aeaad838f6c373f160

SHA1
606acafc70264fe339eece8ced79c346f5ae16d5

SHA256
e01539d9048b9a51b8ea68132be089ff53a9786c099ec176bdb6e836d987ff40

SHA512
4bed7024bc212dda658671d3bceb3aa0f126a84b4b7af1fd938f608dd9bd3e897a974522dfa8d9790634c6ed69b7c7bacd4800b1c5a841c800c930113e67039c

Download Submit
C:\Windows\SysWOW64\Qdihfq32.exe

Filesize
59KB

MD5
da63629c305e23aeaad838f6c373f160

SHA1
606acafc70264fe339eece8ced79c346f5ae16d5

SHA256
e01539d9048b9a51b8ea68132be089ff53a9786c099ec176bdb6e836d987ff40

SHA512
4bed7024bc212dda658671d3bceb3aa0f126a84b4b7af1fd938f608dd9bd3e897a974522dfa8d9790634c6ed69b7c7bacd4800b1c5a841c800c930113e67039c

Download Submit
memory/440-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/440-236-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/452-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/452-227-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1360-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1360-243-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1436-235-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1436-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-228-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2092-238-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2092-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2176-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2176-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2252-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2252-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2288-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2288-242-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2456-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2456-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2656-252-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2656-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2700-71-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2700-234-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2732-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2732-237-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2924-244-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2924-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3084-229-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3084-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3264-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3264-233-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3388-245-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3388-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3484-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3484-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3568-241-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3568-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3608-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3608-250-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4056-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4056-230-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4128-246-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4128-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4336-111-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4336-239-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4572-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4572-226-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4732-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4732-231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4972-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4972-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4992-216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4992-251-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5000-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5000-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5092-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5092-253-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads