1f3c52134ead3561a24ebc058438fd96f3910bb527ac2c235e070a88df460654

Analysis

max time kernel
125s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
Size

1.2MB
MD5

0ee29e5197462dfa897abdcaf1d72c99
SHA1

53ef903b9e746e4e8fd92e82d7951bc0880668e6
SHA256

1f3c52134ead3561a24ebc058438fd96f3910bb527ac2c235e070a88df460654
SHA512

0f9ebf88bd9d5096978c8119eabd653015f42eb79ffe168fe26959f00ea60582503d0803b1039d50f25a20c70d816b4f17c49ce6c5bb9ac3d9f5b12cb99fef46
SSDEEP

24576:2aPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oWQy60as:2EbazR0vKLXZWy60as

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jldbpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllhpkfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jldbpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnphoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnphoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inebjihf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iolhkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iolhkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iondqhpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jadgnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjaleemj.exe

Malware Backdoor - Berbew 29 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0006000000022d51-6.dat	family_berbew
behavioral2/files/0x0006000000022d51-8.dat	family_berbew
behavioral2/files/0x0006000000022d55-14.dat	family_berbew
behavioral2/files/0x0006000000022d55-16.dat	family_berbew
behavioral2/files/0x0007000000022d4d-22.dat	family_berbew
behavioral2/files/0x0007000000022d4d-24.dat	family_berbew
behavioral2/files/0x0006000000022d58-25.dat	family_berbew
behavioral2/files/0x0006000000022d58-32.dat	family_berbew
behavioral2/files/0x0006000000022d58-30.dat	family_berbew
behavioral2/files/0x0006000000022d5a-38.dat	family_berbew
behavioral2/files/0x0006000000022d5a-40.dat	family_berbew
behavioral2/files/0x0006000000022d5d-48.dat	family_berbew
behavioral2/files/0x0006000000022d5d-46.dat	family_berbew
behavioral2/files/0x0006000000022d5f-56.dat	family_berbew
behavioral2/files/0x0006000000022d5f-54.dat	family_berbew
behavioral2/files/0x0006000000022d61-62.dat	family_berbew
behavioral2/files/0x0006000000022d61-64.dat	family_berbew
behavioral2/files/0x0006000000022d63-71.dat	family_berbew
behavioral2/files/0x0006000000022d63-73.dat	family_berbew
behavioral2/files/0x0006000000022d65-82.dat	family_berbew
behavioral2/files/0x0006000000022d67-89.dat	family_berbew
behavioral2/files/0x0006000000022d67-88.dat	family_berbew
behavioral2/files/0x0006000000022d69-98.dat	family_berbew
behavioral2/files/0x0006000000022d6b-106.dat	family_berbew
behavioral2/files/0x0006000000022d6b-105.dat	family_berbew
behavioral2/files/0x0006000000022d69-97.dat	family_berbew
behavioral2/files/0x0006000000022d65-80.dat	family_berbew
behavioral2/files/0x0006000000022d6d-116.dat	family_berbew
behavioral2/files/0x0006000000022d6d-118.dat	family_berbew

Executes dropped EXE 14 IoCs

pid	Process
2300	Hbgkei32.exe
3416	Hnphoj32.exe
1532	Inebjihf.exe
960	Iolhkh32.exe
732	Iondqhpl.exe
4732	Jldbpl32.exe
4736	Jadgnb32.exe
4816	Jllhpkfk.exe
2836	Oikjkc32.exe
4920	Pjjfdfbb.exe
884	Piocecgj.exe
4416	Pfccogfc.exe
2568	Pjaleemj.exe
3220	Pififb32.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pjaleemj.exe
File created	C:\Windows\SysWOW64\Jggocdgo.dll	Hbgkei32.exe
File opened for modification	C:\Windows\SysWOW64\Jldbpl32.exe	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Pjjfdfbb.exe	Oikjkc32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjfdfbb.exe	Oikjkc32.exe
File created	C:\Windows\SysWOW64\Pfccogfc.exe	Piocecgj.exe
File created	C:\Windows\SysWOW64\Chjjqebm.dll	Piocecgj.exe
File opened for modification	C:\Windows\SysWOW64\Pjaleemj.exe	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Hnphoj32.exe	Hbgkei32.exe
File created	C:\Windows\SysWOW64\Inebjihf.exe	Hnphoj32.exe
File opened for modification	C:\Windows\SysWOW64\Iolhkh32.exe	Inebjihf.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Hbgkei32.exe	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
File created	C:\Windows\SysWOW64\Pekihfdc.dll	Jadgnb32.exe
File created	C:\Windows\SysWOW64\Oikjkc32.exe	Jllhpkfk.exe
File created	C:\Windows\SysWOW64\Lhnoigkk.dll	Jllhpkfk.exe
File created	C:\Windows\SysWOW64\Kqkplq32.dll	Oikjkc32.exe
File opened for modification	C:\Windows\SysWOW64\Hnphoj32.exe	Hbgkei32.exe
File created	C:\Windows\SysWOW64\Iolhkh32.exe	Inebjihf.exe
File created	C:\Windows\SysWOW64\Piocecgj.exe	Pjjfdfbb.exe
File opened for modification	C:\Windows\SysWOW64\Piocecgj.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Pfccogfc.exe	Piocecgj.exe
File created	C:\Windows\SysWOW64\Blnfhilh.dll	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
File created	C:\Windows\SysWOW64\Qgiiak32.dll	Inebjihf.exe
File created	C:\Windows\SysWOW64\Iondqhpl.exe	Iolhkh32.exe
File opened for modification	C:\Windows\SysWOW64\Iondqhpl.exe	Iolhkh32.exe
File created	C:\Windows\SysWOW64\Ihjoke32.dll	Iolhkh32.exe
File created	C:\Windows\SysWOW64\Jllhpkfk.exe	Jadgnb32.exe
File created	C:\Windows\SysWOW64\Iheocj32.dll	Pjjfdfbb.exe
File opened for modification	C:\Windows\SysWOW64\Inebjihf.exe	Hnphoj32.exe
File created	C:\Windows\SysWOW64\Jldbpl32.exe	Iondqhpl.exe
File opened for modification	C:\Windows\SysWOW64\Jadgnb32.exe	Jldbpl32.exe
File created	C:\Windows\SysWOW64\Gdgfnm32.dll	Jldbpl32.exe
File created	C:\Windows\SysWOW64\Dhlbgmif.dll	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Npmknd32.dll	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Pjaleemj.exe	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Hbgkei32.exe	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
File created	C:\Windows\SysWOW64\Njlmnj32.dll	Hnphoj32.exe
File created	C:\Windows\SysWOW64\Jadgnb32.exe	Jldbpl32.exe
File opened for modification	C:\Windows\SysWOW64\Jllhpkfk.exe	Jadgnb32.exe
File opened for modification	C:\Windows\SysWOW64\Oikjkc32.exe	Jllhpkfk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4764	3220	WerFault.exe	98

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll"	Hnphoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnphoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgiiak32.dll"	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggocdgo.dll"	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jldbpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piocecgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jadgnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chjjqebm.dll"	Piocecgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npmknd32.dll"	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jldbpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll"	Jllhpkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjoke32.dll"	Iolhkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgfnm32.dll"	Jldbpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnfhilh.dll"	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlbgmif.dll"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pekihfdc.dll"	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll"	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnphoj32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2300	4420	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe	86
PID 4420 wrote to memory of 2300	4420	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe	86
PID 4420 wrote to memory of 2300	4420	NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe	86
PID 2300 wrote to memory of 3416	2300	Hbgkei32.exe	87
PID 2300 wrote to memory of 3416	2300	Hbgkei32.exe	87
PID 2300 wrote to memory of 3416	2300	Hbgkei32.exe	87
PID 3416 wrote to memory of 1532	3416	Hnphoj32.exe	89
PID 3416 wrote to memory of 1532	3416	Hnphoj32.exe	89
PID 3416 wrote to memory of 1532	3416	Hnphoj32.exe	89
PID 1532 wrote to memory of 960	1532	Inebjihf.exe	90
PID 1532 wrote to memory of 960	1532	Inebjihf.exe	90
PID 1532 wrote to memory of 960	1532	Inebjihf.exe	90
PID 960 wrote to memory of 732	960	Iolhkh32.exe	91
PID 960 wrote to memory of 732	960	Iolhkh32.exe	91
PID 960 wrote to memory of 732	960	Iolhkh32.exe	91
PID 732 wrote to memory of 4732	732	Iondqhpl.exe	92
PID 732 wrote to memory of 4732	732	Iondqhpl.exe	92
PID 732 wrote to memory of 4732	732	Iondqhpl.exe	92
PID 4732 wrote to memory of 4736	4732	Jldbpl32.exe	93
PID 4732 wrote to memory of 4736	4732	Jldbpl32.exe	93
PID 4732 wrote to memory of 4736	4732	Jldbpl32.exe	93
PID 4736 wrote to memory of 4816	4736	Jadgnb32.exe	94
PID 4736 wrote to memory of 4816	4736	Jadgnb32.exe	94
PID 4736 wrote to memory of 4816	4736	Jadgnb32.exe	94
PID 4816 wrote to memory of 2836	4816	Jllhpkfk.exe	95
PID 4816 wrote to memory of 2836	4816	Jllhpkfk.exe	95
PID 4816 wrote to memory of 2836	4816	Jllhpkfk.exe	95
PID 2836 wrote to memory of 4920	2836	Oikjkc32.exe	96
PID 2836 wrote to memory of 4920	2836	Oikjkc32.exe	96
PID 2836 wrote to memory of 4920	2836	Oikjkc32.exe	96
PID 4920 wrote to memory of 884	4920	Pjjfdfbb.exe	100
PID 4920 wrote to memory of 884	4920	Pjjfdfbb.exe	100
PID 4920 wrote to memory of 884	4920	Pjjfdfbb.exe	100
PID 884 wrote to memory of 4416	884	Piocecgj.exe	97
PID 884 wrote to memory of 4416	884	Piocecgj.exe	97
PID 884 wrote to memory of 4416	884	Piocecgj.exe	97
PID 4416 wrote to memory of 2568	4416	Pfccogfc.exe	99
PID 4416 wrote to memory of 2568	4416	Pfccogfc.exe	99
PID 4416 wrote to memory of 2568	4416	Pfccogfc.exe	99
PID 2568 wrote to memory of 3220	2568	Pjaleemj.exe	98
PID 2568 wrote to memory of 3220	2568	Pjaleemj.exe	98
PID 2568 wrote to memory of 3220	2568	Pjaleemj.exe	98

C:\Users\Admin\AppData\Local\Temp\NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0ee29e5197462dfa897abdcaf1d72c99_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SysWOW64\Hbgkei32.exe
  C:\Windows\system32\Hbgkei32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\Hnphoj32.exe
    C:\Windows\system32\Hnphoj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\SysWOW64\Inebjihf.exe
      C:\Windows\system32\Inebjihf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884

C:\Windows\SysWOW64\Pfccogfc.exe
C:\Windows\system32\Pfccogfc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\SysWOW64\Pjaleemj.exe
  C:\Windows\system32\Pjaleemj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2568

C:\Windows\SysWOW64\Pififb32.exe
C:\Windows\system32\Pififb32.exe
1⤵
- Executes dropped EXE
PID:3220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 400
  2⤵
  - Program crash
  PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3220 -ip 3220
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hbgkei32.exe

Filesize
1.2MB

MD5
63e19712fd50019785b2b12614da63ab

SHA1
2d2c1ec6d46543454d7860920b6b67796303dd29

SHA256
3d38e60c58e45e2fa98d466bbb96238e9cb74834f74964292339bdf0aeae1a8f

SHA512
391c670c54c44599d93184acda3e799e1d07b46f5a2e95e11dacd03c6a369e94c8bc0545d1d3310cf64956f59476378df828ed963330d4fd81897729480da476

Download Submit
C:\Windows\SysWOW64\Hbgkei32.exe

Filesize
1.2MB

MD5
63e19712fd50019785b2b12614da63ab

SHA1
2d2c1ec6d46543454d7860920b6b67796303dd29

SHA256
3d38e60c58e45e2fa98d466bbb96238e9cb74834f74964292339bdf0aeae1a8f

SHA512
391c670c54c44599d93184acda3e799e1d07b46f5a2e95e11dacd03c6a369e94c8bc0545d1d3310cf64956f59476378df828ed963330d4fd81897729480da476

Download Submit
C:\Windows\SysWOW64\Hnphoj32.exe

Filesize
1.2MB

MD5
e0d9828a1deb32ab54270c0eea1217e9

SHA1
927e7833233de2886d6b5e9f9c2980a6e2bffcb2

SHA256
2ae9043edb7744136b2bb4ece640831eed346bd16f4f88bc1de1ec2546e792ce

SHA512
296202040b9faae2d4b625d2506ca84bd1e2e3b93001ec9f6ff671962e1fd3a466922f0e2f7819a39a2249971a3ad7a4e4e12bbd6eefa17b5d12467edce9bee7

Download Submit
C:\Windows\SysWOW64\Hnphoj32.exe

Filesize
1.2MB

MD5
e0d9828a1deb32ab54270c0eea1217e9

SHA1
927e7833233de2886d6b5e9f9c2980a6e2bffcb2

SHA256
2ae9043edb7744136b2bb4ece640831eed346bd16f4f88bc1de1ec2546e792ce

SHA512
296202040b9faae2d4b625d2506ca84bd1e2e3b93001ec9f6ff671962e1fd3a466922f0e2f7819a39a2249971a3ad7a4e4e12bbd6eefa17b5d12467edce9bee7

Download Submit
C:\Windows\SysWOW64\Inebjihf.exe

Filesize
1.2MB

MD5
a2acb8a74c4dbf8df0f97c65724946a0

SHA1
f41522e8827da369bd8d19d2f514c6ef4bd43a00

SHA256
e8b657d4189e98e07b6dcc5ab1daf6c26de052c85c6f264d97a69381ae03d70e

SHA512
58eef49d15f631ff4e64a42a732ec4539ce553034ec61d3ac84882a049efb9d4ae4de75a5365275fdf0da6775348fbd969626c4b2c19079686388ff3df673a45

Download Submit
C:\Windows\SysWOW64\Inebjihf.exe

Filesize
1.2MB

MD5
a2acb8a74c4dbf8df0f97c65724946a0

SHA1
f41522e8827da369bd8d19d2f514c6ef4bd43a00

SHA256
e8b657d4189e98e07b6dcc5ab1daf6c26de052c85c6f264d97a69381ae03d70e

SHA512
58eef49d15f631ff4e64a42a732ec4539ce553034ec61d3ac84882a049efb9d4ae4de75a5365275fdf0da6775348fbd969626c4b2c19079686388ff3df673a45

Download Submit
C:\Windows\SysWOW64\Iolhkh32.exe

Filesize
1.2MB

MD5
33c8638fdfd68d7a534e2d77bd67b982

SHA1
281fb6306a5f976521c2524602dea79cffbc7de2

SHA256
58ab6ade04817f51081ffd229b9e5dfdbc1b50968f6ca7e85f4b56fe6deec8a2

SHA512
ea651c286f5e717882e6270b19e35036661014972faec2bddc9a189cc9b6a9964f630fbc7f0c0033488244eec303410795c5a1745f350c06d9413195a308640a

Download Submit
C:\Windows\SysWOW64\Iolhkh32.exe

Filesize
1.2MB

MD5
33c8638fdfd68d7a534e2d77bd67b982

SHA1
281fb6306a5f976521c2524602dea79cffbc7de2

SHA256
58ab6ade04817f51081ffd229b9e5dfdbc1b50968f6ca7e85f4b56fe6deec8a2

SHA512
ea651c286f5e717882e6270b19e35036661014972faec2bddc9a189cc9b6a9964f630fbc7f0c0033488244eec303410795c5a1745f350c06d9413195a308640a

Download Submit
C:\Windows\SysWOW64\Iolhkh32.exe

Filesize
1.2MB

MD5
33c8638fdfd68d7a534e2d77bd67b982

SHA1
281fb6306a5f976521c2524602dea79cffbc7de2

SHA256
58ab6ade04817f51081ffd229b9e5dfdbc1b50968f6ca7e85f4b56fe6deec8a2

SHA512
ea651c286f5e717882e6270b19e35036661014972faec2bddc9a189cc9b6a9964f630fbc7f0c0033488244eec303410795c5a1745f350c06d9413195a308640a

Download Submit
C:\Windows\SysWOW64\Iondqhpl.exe

Filesize
1.2MB

MD5
0fface3d514fd90612327a87ebca6991

SHA1
4b4d4f1e120b4d76af0c6c575f52a058c21ccc25

SHA256
f5a8d436f3f0da8b937d7b89bfe5d29c36d9673616d3599a7800f1611b804b9e

SHA512
b9464420047c72da086e464f70495f0c54f40483dc385f5c10a2d7a550b673902e1988f5ada0b7e1f54e5a28c687f7abd197452897d1c2cb4c6a7a4f1150cc24

Download Submit
C:\Windows\SysWOW64\Iondqhpl.exe

Filesize
1.2MB

MD5
0fface3d514fd90612327a87ebca6991

SHA1
4b4d4f1e120b4d76af0c6c575f52a058c21ccc25

SHA256
f5a8d436f3f0da8b937d7b89bfe5d29c36d9673616d3599a7800f1611b804b9e

SHA512
b9464420047c72da086e464f70495f0c54f40483dc385f5c10a2d7a550b673902e1988f5ada0b7e1f54e5a28c687f7abd197452897d1c2cb4c6a7a4f1150cc24

Download Submit
C:\Windows\SysWOW64\Jadgnb32.exe

Filesize
1.2MB

MD5
c331c2d3acd692ced5980917f98b577c

SHA1
bd914f2389d04326ae258c2d3c68d79b64ca6569

SHA256
bc605a127afc6bc44128eaf793411f44423aaf175c9e8886914e68a2cd99d811

SHA512
f157801cc47acd121f099a01c767ec0a26aa38d3ddb2cfdb26f84cca086b64372946539c95816cc72c97d6ca2901f2e71207084b72752e16e347b37f60d4ce42

Download Submit
C:\Windows\SysWOW64\Jadgnb32.exe

Filesize
1.2MB

MD5
c331c2d3acd692ced5980917f98b577c

SHA1
bd914f2389d04326ae258c2d3c68d79b64ca6569

SHA256
bc605a127afc6bc44128eaf793411f44423aaf175c9e8886914e68a2cd99d811

SHA512
f157801cc47acd121f099a01c767ec0a26aa38d3ddb2cfdb26f84cca086b64372946539c95816cc72c97d6ca2901f2e71207084b72752e16e347b37f60d4ce42

Download Submit
C:\Windows\SysWOW64\Jldbpl32.exe

Filesize
1.2MB

MD5
4482b49205b094e1acc3709b2ba6ba45

SHA1
cf82aed2deca638e2d522fce231e399e2945c8b6

SHA256
0cbfba5542bba3782e445148b3c0b9e4a51666673d2f2928fe5e0df3ec2adc75

SHA512
cb72a1c0ebbbad739802e464d2be06a5a500e0c7e78f73b391a79f9fd260bc6ef68d179d5c2558b300ccb139650b12065bacfe54c5c1b6c4c973bc2ee748efc0

Download Submit
C:\Windows\SysWOW64\Jldbpl32.exe

Filesize
1.2MB

MD5
4482b49205b094e1acc3709b2ba6ba45

SHA1
cf82aed2deca638e2d522fce231e399e2945c8b6

SHA256
0cbfba5542bba3782e445148b3c0b9e4a51666673d2f2928fe5e0df3ec2adc75

SHA512
cb72a1c0ebbbad739802e464d2be06a5a500e0c7e78f73b391a79f9fd260bc6ef68d179d5c2558b300ccb139650b12065bacfe54c5c1b6c4c973bc2ee748efc0

Download Submit
C:\Windows\SysWOW64\Jllhpkfk.exe

Filesize
1.2MB

MD5
d0354ddab42164431d7da9142bfa8cb2

SHA1
b1b5c09f03fffe6eb152a39b64f8b9fc806ee5c1

SHA256
10aabc8009c5f626c8db56b09b2df5b26d35882507d38d5877de8db81018b045

SHA512
daaf5e72fca391a099a7d8e60900ce20aeef04c88172eb7aa79f45df47047f5e16073ea17b24e764b93f30a0c4e014e2f7955df12ae36b9f514147d871b26d0b

Download Submit
C:\Windows\SysWOW64\Jllhpkfk.exe

Filesize
1.2MB

MD5
d0354ddab42164431d7da9142bfa8cb2

SHA1
b1b5c09f03fffe6eb152a39b64f8b9fc806ee5c1

SHA256
10aabc8009c5f626c8db56b09b2df5b26d35882507d38d5877de8db81018b045

SHA512
daaf5e72fca391a099a7d8e60900ce20aeef04c88172eb7aa79f45df47047f5e16073ea17b24e764b93f30a0c4e014e2f7955df12ae36b9f514147d871b26d0b

Download Submit
C:\Windows\SysWOW64\Oikjkc32.exe

Filesize
1.2MB

MD5
54aaf03e5d4fb59fcc1979e8e67a43a3

SHA1
c35d2a6cafd5113541e62413abe7c26a8d936018

SHA256
ce7bf0da9eda1fe96719d9811b16688ade1f03accfdb10733754d210469f48c1

SHA512
33f2bd387c2261c6fafec2bd265073110abe6d9fe1cd75ef7336ca92ca9e450cf53349db2690e913d638ac8d6a3f5ae9112353fa5d5d9b6ccee58f51fa2c1f21

Download Submit
C:\Windows\SysWOW64\Oikjkc32.exe

Filesize
1.2MB

MD5
54aaf03e5d4fb59fcc1979e8e67a43a3

SHA1
c35d2a6cafd5113541e62413abe7c26a8d936018

SHA256
ce7bf0da9eda1fe96719d9811b16688ade1f03accfdb10733754d210469f48c1

SHA512
33f2bd387c2261c6fafec2bd265073110abe6d9fe1cd75ef7336ca92ca9e450cf53349db2690e913d638ac8d6a3f5ae9112353fa5d5d9b6ccee58f51fa2c1f21

Download Submit
C:\Windows\SysWOW64\Pfccogfc.exe

Filesize
1.2MB

MD5
69a6c39113249b49cb30c3f80a3565e2

SHA1
ac4d3d7be423d669088bf107707da30613a580bc

SHA256
7a9dfb590b78a184d10d1ca2e67d65fe248c4cbbe127e22fd2adb93a378f8227

SHA512
122e3ae8fe997b7845e7749abc92d9e1a42fb275569267dbdc594fe7fbe981f1ac27f77b63291eecd0a65621aab6e1ccb16dc70d84859ec0b4a3ece310e265a4

Download Submit
C:\Windows\SysWOW64\Pfccogfc.exe

Filesize
1.2MB

MD5
69a6c39113249b49cb30c3f80a3565e2

SHA1
ac4d3d7be423d669088bf107707da30613a580bc

SHA256
7a9dfb590b78a184d10d1ca2e67d65fe248c4cbbe127e22fd2adb93a378f8227

SHA512
122e3ae8fe997b7845e7749abc92d9e1a42fb275569267dbdc594fe7fbe981f1ac27f77b63291eecd0a65621aab6e1ccb16dc70d84859ec0b4a3ece310e265a4

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
1.2MB

MD5
285defcde5a0e26395e6c36b92e47610

SHA1
76839e7b0afb3f02d84c85a852398b2d8be85b54

SHA256
082a7f16253d7be0c3c9b485a648f97ad93c3cefedac3be9936bfb968e6c287e

SHA512
6d79ee726d8cf826998e54e5c3b0b17830876e47005d0a8e11f699bbeba95dca76faf53d6b829c1481fa9bdef0bab9d0900b847a5bdfdd76d2133772234aed21

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
1.2MB

MD5
285defcde5a0e26395e6c36b92e47610

SHA1
76839e7b0afb3f02d84c85a852398b2d8be85b54

SHA256
082a7f16253d7be0c3c9b485a648f97ad93c3cefedac3be9936bfb968e6c287e

SHA512
6d79ee726d8cf826998e54e5c3b0b17830876e47005d0a8e11f699bbeba95dca76faf53d6b829c1481fa9bdef0bab9d0900b847a5bdfdd76d2133772234aed21

Download Submit
C:\Windows\SysWOW64\Piocecgj.exe

Filesize
1.2MB

MD5
7b45a5cca68d4cf14661bbd752288fc8

SHA1
7ad5ab3a490c333e8e529b528732209a3661507d

SHA256
d93e2a06f1ae3de96f20d706bcc7844c210d52d8e09d88cc56b157554cd2f5dc

SHA512
09e53fe4f3b9ace53dc5bd309258e485267122613f2ff9f21ea6d209c3174a2f99baf6c890943122b195ecd96736211108a5f9f46c1253dd34e42884d2867fdc

Download Submit
C:\Windows\SysWOW64\Piocecgj.exe

Filesize
1.2MB

MD5
7b45a5cca68d4cf14661bbd752288fc8

SHA1
7ad5ab3a490c333e8e529b528732209a3661507d

SHA256
d93e2a06f1ae3de96f20d706bcc7844c210d52d8e09d88cc56b157554cd2f5dc

SHA512
09e53fe4f3b9ace53dc5bd309258e485267122613f2ff9f21ea6d209c3174a2f99baf6c890943122b195ecd96736211108a5f9f46c1253dd34e42884d2867fdc

Download Submit
C:\Windows\SysWOW64\Pjaleemj.exe

Filesize
1.2MB

MD5
316a89b5dfa0737f4d5b30c0619ab642

SHA1
9f45c478d19fcb39682027545a71989b09d3d6e4

SHA256
daeaed7dc59643e14662638261a35657b1738b75a2f0a69f5924f08837954b9b

SHA512
b8799f512eeda5ddb6a2b1276b7025a73fa197c08ced257706c0e465d50561aa020e77a87702414b2a62c41e2cd2e2137dec86c8de8af6e8bb109e34c5d574e3

Download Submit
C:\Windows\SysWOW64\Pjaleemj.exe

Filesize
1.2MB

MD5
316a89b5dfa0737f4d5b30c0619ab642

SHA1
9f45c478d19fcb39682027545a71989b09d3d6e4

SHA256
daeaed7dc59643e14662638261a35657b1738b75a2f0a69f5924f08837954b9b

SHA512
b8799f512eeda5ddb6a2b1276b7025a73fa197c08ced257706c0e465d50561aa020e77a87702414b2a62c41e2cd2e2137dec86c8de8af6e8bb109e34c5d574e3

Download Submit
C:\Windows\SysWOW64\Pjjfdfbb.exe

Filesize
1.2MB

MD5
be87bc2618bd6a89075b55400341b9c3

SHA1
2846a68c665028a73de94f731e1615db8050881a

SHA256
f4488da7be9e6399f483389a4a4511ca6d635ab5e2932239272d10c6b54662d0

SHA512
1bbe957f016e112d719e91fed8f5467b9a13056cd687d8deb93e5274b60b2637e43f86c2d35555c9aea6a3b18cccfb36b11dc5bc565b12bd8bb4b4c138864fb9

Download Submit
C:\Windows\SysWOW64\Pjjfdfbb.exe

Filesize
1.2MB

MD5
be87bc2618bd6a89075b55400341b9c3

SHA1
2846a68c665028a73de94f731e1615db8050881a

SHA256
f4488da7be9e6399f483389a4a4511ca6d635ab5e2932239272d10c6b54662d0

SHA512
1bbe957f016e112d719e91fed8f5467b9a13056cd687d8deb93e5274b60b2637e43f86c2d35555c9aea6a3b18cccfb36b11dc5bc565b12bd8bb4b4c138864fb9

Download Submit
memory/732-114-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/732-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/884-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/960-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/960-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1532-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1532-102-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2300-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2300-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2568-113-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2836-74-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2836-123-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3220-122-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3220-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3416-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3416-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4416-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4420-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4420-65-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4732-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4732-117-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4736-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4736-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4816-121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4816-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4920-90-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads