5ea59b84e103a011234d114df98430c8fe77d75b3a66996e7d1c2dde565cf763

Analysis

max time kernel
106s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe
Size

55KB
MD5

fce62eb66a914baf1021f01fd7120124
SHA1

2fd949c85a28bb68fe57d79f20ac3ae6dea13e4b
SHA256

5ea59b84e103a011234d114df98430c8fe77d75b3a66996e7d1c2dde565cf763
SHA512

14f59fffcbdb3a562cd36697d55ecb1d98b11497a387f2f1923f3cbebdab47218d40107d7a7c212c6360fdf34d126b42b2ad0e0d711f1bb9e45128c0a9268324
SSDEEP

768:wWFhuTI69yy3CiLoXiJWXPh4nPMd036nMm2qm7gNqK30+BihVRmhoJZ/1H5/Xdnh:wp9yGWJ4nPMdxqK3zWkmr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabmmhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Defheg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgqie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afceko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabmmhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllffa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afeban32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bimach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdebfago.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amkabind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdnelpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amkabind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmmgof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bimach32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjlap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomncfge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemlhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afeban32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dllffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afceko32.exe

Executes dropped EXE 27 IoCs

pid	Process
4652	Pomncfge.exe
1600	Qppkhfec.exe
3300	Qpbgnecp.exe
3284	Aijlgkjq.exe
920	Afnlpohj.exe
664	Apgqie32.exe
532	Amkabind.exe
400	Afceko32.exe
4968	Afeban32.exe
856	Bemlhj32.exe
1504	Beoimjce.exe
5092	Bimach32.exe
4672	Bfabmmhe.exe
1924	Cdebfago.exe
1188	Cmmgof32.exe
3720	Cffkhl32.exe
1740	Cdjlap32.exe
4356	Cifdjg32.exe
3860	Ciiaogon.exe
4876	Cdnelpod.exe
4256	Cmgjee32.exe
2568	Dbcbnlcl.exe
2140	Dllffa32.exe
4084	Dfakcj32.exe
3876	Ddekmo32.exe
208	Defheg32.exe
4032	Dbkhnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Beoimjce.exe	Bemlhj32.exe
File opened for modification	C:\Windows\SysWOW64\Cifdjg32.exe	Cdjlap32.exe
File opened for modification	C:\Windows\SysWOW64\Dbcbnlcl.exe	Cmgjee32.exe
File opened for modification	C:\Windows\SysWOW64\Dllffa32.exe	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Qpbgnecp.exe	Qppkhfec.exe
File opened for modification	C:\Windows\SysWOW64\Defheg32.exe	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Ciiaogon.exe	Cifdjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdebfago.exe	Bfabmmhe.exe
File created	C:\Windows\SysWOW64\Hgfjbh32.dll	Cmmgof32.exe
File opened for modification	C:\Windows\SysWOW64\Ddekmo32.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Bfabmmhe.exe	Bimach32.exe
File created	C:\Windows\SysWOW64\Piifjomf.dll	Bimach32.exe
File created	C:\Windows\SysWOW64\Cfmidc32.dll	Bfabmmhe.exe
File opened for modification	C:\Windows\SysWOW64\Cmmgof32.exe	Cdebfago.exe
File created	C:\Windows\SysWOW64\Cffkhl32.exe	Cmmgof32.exe
File opened for modification	C:\Windows\SysWOW64\Apgqie32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Dfiefp32.dll	Afceko32.exe
File created	C:\Windows\SysWOW64\Cdebfago.exe	Bfabmmhe.exe
File created	C:\Windows\SysWOW64\Cbhkkpon.dll	Cdebfago.exe
File opened for modification	C:\Windows\SysWOW64\Cffkhl32.exe	Cmmgof32.exe
File created	C:\Windows\SysWOW64\Afeban32.exe	Afceko32.exe
File created	C:\Windows\SysWOW64\Mmccbngq.dll	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Bemlhj32.exe	Afeban32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabmmhe.exe	Bimach32.exe
File created	C:\Windows\SysWOW64\Cmmgof32.exe	Cdebfago.exe
File created	C:\Windows\SysWOW64\Pfdnkk32.dll	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Hmmppdij.dll	Qpbgnecp.exe
File opened for modification	C:\Windows\SysWOW64\Qppkhfec.exe	Pomncfge.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Cdnelpod.exe	Ciiaogon.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjee32.exe	Cdnelpod.exe
File opened for modification	C:\Windows\SysWOW64\Dfakcj32.exe	Dllffa32.exe
File created	C:\Windows\SysWOW64\Defheg32.exe	Ddekmo32.exe
File opened for modification	C:\Windows\SysWOW64\Pomncfge.exe	NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe
File created	C:\Windows\SysWOW64\Oahmla32.dll	Apgqie32.exe
File opened for modification	C:\Windows\SysWOW64\Ciiaogon.exe	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Cbccbiml.dll	Dfakcj32.exe
File opened for modification	C:\Windows\SysWOW64\Amkabind.exe	Apgqie32.exe
File created	C:\Windows\SysWOW64\Dfakcj32.exe	Dllffa32.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Apgqie32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Fobkem32.dll	Amkabind.exe
File created	C:\Windows\SysWOW64\Agccao32.dll	Bemlhj32.exe
File opened for modification	C:\Windows\SysWOW64\Bimach32.exe	Beoimjce.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Defheg32.exe
File created	C:\Windows\SysWOW64\Cimhefgb.dll	Pomncfge.exe
File created	C:\Windows\SysWOW64\Afnlpohj.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Cmgjee32.exe	Cdnelpod.exe
File opened for modification	C:\Windows\SysWOW64\Aijlgkjq.exe	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Aknmjgje.dll	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Cqbolk32.dll	Afeban32.exe
File created	C:\Windows\SysWOW64\Hiagoigj.dll	Cffkhl32.exe
File created	C:\Windows\SysWOW64\Dbcbnlcl.exe	Cmgjee32.exe
File created	C:\Windows\SysWOW64\Qppkhfec.exe	Pomncfge.exe
File opened for modification	C:\Windows\SysWOW64\Qpbgnecp.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Dmabgl32.dll	Beoimjce.exe
File created	C:\Windows\SysWOW64\Cifdjg32.exe	Cdjlap32.exe
File created	C:\Windows\SysWOW64\Ddekmo32.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Ldbeqlcg.dll	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Pomncfge.exe	NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe
File created	C:\Windows\SysWOW64\Pbphca32.dll	Qppkhfec.exe
File opened for modification	C:\Windows\SysWOW64\Bemlhj32.exe	Afeban32.exe
File opened for modification	C:\Windows\SysWOW64\Beoimjce.exe	Bemlhj32.exe
File created	C:\Windows\SysWOW64\Cdjlap32.exe	Cffkhl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2252	4032	WerFault.exe	116

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahmla32.dll"	Apgqie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiagoigj.dll"	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodcma32.dll"	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afceko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqbolk32.dll"	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bimach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dllffa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fobkem32.dll"	Amkabind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dllffa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beoimjce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bemlhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bimach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffkhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apgqie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciiaogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkakfgoq.dll"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfeckiie.dll"	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbccbiml.dll"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbeqlcg.dll"	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdebfago.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amkabind.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdnkk32.dll"	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amkabind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknmjgje.dll"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgmiidl.dll"	Cdjlap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agccao32.dll"	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmabgl32.dll"	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piifjomf.dll"	Bimach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmidc32.dll"	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfjbh32.dll"	Cmmgof32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4652	4944	NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe	89
PID 4944 wrote to memory of 4652	4944	NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe	89
PID 4944 wrote to memory of 4652	4944	NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe	89
PID 4652 wrote to memory of 1600	4652	Pomncfge.exe	90
PID 4652 wrote to memory of 1600	4652	Pomncfge.exe	90
PID 4652 wrote to memory of 1600	4652	Pomncfge.exe	90
PID 1600 wrote to memory of 3300	1600	Qppkhfec.exe	91
PID 1600 wrote to memory of 3300	1600	Qppkhfec.exe	91
PID 1600 wrote to memory of 3300	1600	Qppkhfec.exe	91
PID 3300 wrote to memory of 3284	3300	Qpbgnecp.exe	92
PID 3300 wrote to memory of 3284	3300	Qpbgnecp.exe	92
PID 3300 wrote to memory of 3284	3300	Qpbgnecp.exe	92
PID 3284 wrote to memory of 920	3284	Aijlgkjq.exe	93
PID 3284 wrote to memory of 920	3284	Aijlgkjq.exe	93
PID 3284 wrote to memory of 920	3284	Aijlgkjq.exe	93
PID 920 wrote to memory of 664	920	Afnlpohj.exe	94
PID 920 wrote to memory of 664	920	Afnlpohj.exe	94
PID 920 wrote to memory of 664	920	Afnlpohj.exe	94
PID 664 wrote to memory of 532	664	Apgqie32.exe	95
PID 664 wrote to memory of 532	664	Apgqie32.exe	95
PID 664 wrote to memory of 532	664	Apgqie32.exe	95
PID 532 wrote to memory of 400	532	Amkabind.exe	96
PID 532 wrote to memory of 400	532	Amkabind.exe	96
PID 532 wrote to memory of 400	532	Amkabind.exe	96
PID 400 wrote to memory of 4968	400	Afceko32.exe	97
PID 400 wrote to memory of 4968	400	Afceko32.exe	97
PID 400 wrote to memory of 4968	400	Afceko32.exe	97
PID 4968 wrote to memory of 856	4968	Afeban32.exe	98
PID 4968 wrote to memory of 856	4968	Afeban32.exe	98
PID 4968 wrote to memory of 856	4968	Afeban32.exe	98
PID 856 wrote to memory of 1504	856	Bemlhj32.exe	99
PID 856 wrote to memory of 1504	856	Bemlhj32.exe	99
PID 856 wrote to memory of 1504	856	Bemlhj32.exe	99
PID 1504 wrote to memory of 5092	1504	Beoimjce.exe	100
PID 1504 wrote to memory of 5092	1504	Beoimjce.exe	100
PID 1504 wrote to memory of 5092	1504	Beoimjce.exe	100
PID 5092 wrote to memory of 4672	5092	Bimach32.exe	101
PID 5092 wrote to memory of 4672	5092	Bimach32.exe	101
PID 5092 wrote to memory of 4672	5092	Bimach32.exe	101
PID 4672 wrote to memory of 1924	4672	Bfabmmhe.exe	102
PID 4672 wrote to memory of 1924	4672	Bfabmmhe.exe	102
PID 4672 wrote to memory of 1924	4672	Bfabmmhe.exe	102
PID 1924 wrote to memory of 1188	1924	Cdebfago.exe	103
PID 1924 wrote to memory of 1188	1924	Cdebfago.exe	103
PID 1924 wrote to memory of 1188	1924	Cdebfago.exe	103
PID 1188 wrote to memory of 3720	1188	Cmmgof32.exe	104
PID 1188 wrote to memory of 3720	1188	Cmmgof32.exe	104
PID 1188 wrote to memory of 3720	1188	Cmmgof32.exe	104
PID 3720 wrote to memory of 1740	3720	Cffkhl32.exe	105
PID 3720 wrote to memory of 1740	3720	Cffkhl32.exe	105
PID 3720 wrote to memory of 1740	3720	Cffkhl32.exe	105
PID 1740 wrote to memory of 4356	1740	Cdjlap32.exe	106
PID 1740 wrote to memory of 4356	1740	Cdjlap32.exe	106
PID 1740 wrote to memory of 4356	1740	Cdjlap32.exe	106
PID 4356 wrote to memory of 3860	4356	Cifdjg32.exe	107
PID 4356 wrote to memory of 3860	4356	Cifdjg32.exe	107
PID 4356 wrote to memory of 3860	4356	Cifdjg32.exe	107
PID 3860 wrote to memory of 4876	3860	Ciiaogon.exe	108
PID 3860 wrote to memory of 4876	3860	Ciiaogon.exe	108
PID 3860 wrote to memory of 4876	3860	Ciiaogon.exe	108
PID 4876 wrote to memory of 4256	4876	Cdnelpod.exe	109
PID 4876 wrote to memory of 4256	4876	Cdnelpod.exe	109
PID 4876 wrote to memory of 4256	4876	Cdnelpod.exe	109
PID 4256 wrote to memory of 2568	4256	Cmgjee32.exe	110

C:\Users\Admin\AppData\Local\Temp\NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fce62eb66a914baf1021f01fd7120124_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\SysWOW64\Pomncfge.exe
  C:\Windows\system32\Pomncfge.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\Qppkhfec.exe
    C:\Windows\system32\Qppkhfec.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\Qpbgnecp.exe
      C:\Windows\system32\Qpbgnecp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3300
    - - C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Cffkhl32.exe
        
        C:\Windows\system32\Cffkhl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        28⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 404
        29⤵
        Program crash
        
        PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4032 -ip 4032
1⤵
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afceko32.exe

Filesize
55KB

MD5
3d025057d1b1514e1d84a6ccd2f3c288

SHA1
5a700f88424c98e5c799d0f40520594d94a6d669

SHA256
d25c76366923eac6c69288578610d5c3a749310d0b1bf5553c243547a36b496a

SHA512
986a89008c0dfed229105b47070ea49771fbb974505c934c09f63fd1d4b0ee65862edfa258bbd8d85b71eb1021bb1bc5bdd660f9fcd130aeb8fb09536ea8407d

Download Submit
C:\Windows\SysWOW64\Afceko32.exe

Filesize
55KB

MD5
3d025057d1b1514e1d84a6ccd2f3c288

SHA1
5a700f88424c98e5c799d0f40520594d94a6d669

SHA256
d25c76366923eac6c69288578610d5c3a749310d0b1bf5553c243547a36b496a

SHA512
986a89008c0dfed229105b47070ea49771fbb974505c934c09f63fd1d4b0ee65862edfa258bbd8d85b71eb1021bb1bc5bdd660f9fcd130aeb8fb09536ea8407d

Download Submit
C:\Windows\SysWOW64\Afeban32.exe

Filesize
55KB

MD5
1136515d6e72c8e8088275dd0f29141f

SHA1
a54a9887fe0b705e52f7ee7d09cae99bdf3242f6

SHA256
f582bf1bb296fd95ba4b021efb9b99c5f5d31d3894db7e4740e96dad7aa4db9a

SHA512
d35444cfcbcf8a4ac47e843b61eac2c526c40cb232d13e0af01d5d51086d6ce276cc9eaabf2e89dff8f2a1c35e5e2059966841790757c466f480443bd0c77ae8

Download Submit
C:\Windows\SysWOW64\Afeban32.exe

Filesize
55KB

MD5
1136515d6e72c8e8088275dd0f29141f

SHA1
a54a9887fe0b705e52f7ee7d09cae99bdf3242f6

SHA256
f582bf1bb296fd95ba4b021efb9b99c5f5d31d3894db7e4740e96dad7aa4db9a

SHA512
d35444cfcbcf8a4ac47e843b61eac2c526c40cb232d13e0af01d5d51086d6ce276cc9eaabf2e89dff8f2a1c35e5e2059966841790757c466f480443bd0c77ae8

Download Submit
C:\Windows\SysWOW64\Afnlpohj.exe

Filesize
55KB

MD5
ca182e27335afecc9e9f49de3f54e32b

SHA1
88c5f145ce7d9ae45c3f46317cfb8e82f76fe419

SHA256
b151b1efd87971bb4bf378038fc064e2adf2f6482a4ead2ebf652d63d6409697

SHA512
73d3e52ae038049760c6ea9d51c33cd528e56847811b307a2ccf9dc970758abd03d6e120eb1886b9f188a2d035521ae1daba38435499991b8b0975fc9d51d3c3

Download Submit
C:\Windows\SysWOW64\Afnlpohj.exe

Filesize
55KB

MD5
ca182e27335afecc9e9f49de3f54e32b

SHA1
88c5f145ce7d9ae45c3f46317cfb8e82f76fe419

SHA256
b151b1efd87971bb4bf378038fc064e2adf2f6482a4ead2ebf652d63d6409697

SHA512
73d3e52ae038049760c6ea9d51c33cd528e56847811b307a2ccf9dc970758abd03d6e120eb1886b9f188a2d035521ae1daba38435499991b8b0975fc9d51d3c3

Download Submit
C:\Windows\SysWOW64\Aijlgkjq.exe

Filesize
55KB

MD5
5851e6814f2d53551f91275f8288cad9

SHA1
5bdecdec383eefde70a5e8b6291a79cf4936a05b

SHA256
75357bf8b0b485c586d6a45181603154e9f1368d6f3ac31b365c54529a90c895

SHA512
4b73585e1f1e96d0a5bff963c9b023be3b4f356f920f345119e7afb5c33732165948d296c820bf40dccc5aacef3df9111bf7ad146fdcb2fae2c58494491d10dc

Download Submit
C:\Windows\SysWOW64\Aijlgkjq.exe

Filesize
55KB

MD5
5851e6814f2d53551f91275f8288cad9

SHA1
5bdecdec383eefde70a5e8b6291a79cf4936a05b

SHA256
75357bf8b0b485c586d6a45181603154e9f1368d6f3ac31b365c54529a90c895

SHA512
4b73585e1f1e96d0a5bff963c9b023be3b4f356f920f345119e7afb5c33732165948d296c820bf40dccc5aacef3df9111bf7ad146fdcb2fae2c58494491d10dc

Download Submit
C:\Windows\SysWOW64\Amkabind.exe

Filesize
55KB

MD5
9dc72178227e2f4faad298905062efb2

SHA1
0a7672c0e9f8ea6afc3d926cd19a5d974cddae1c

SHA256
bf84b8ec2d4dbf26a894341f0ad66b29b42edbd5cf4c53aaa831ad8dd4132920

SHA512
ac12aa3d4920e25078997916ebad31b16a9080dcf92613ab53ba4d2f9e85a89cb39fb08446b218b9d90451f80240e92d47655fe678d40b574042a125ab85633a

Download Submit
C:\Windows\SysWOW64\Amkabind.exe

Filesize
55KB

MD5
9dc72178227e2f4faad298905062efb2

SHA1
0a7672c0e9f8ea6afc3d926cd19a5d974cddae1c

SHA256
bf84b8ec2d4dbf26a894341f0ad66b29b42edbd5cf4c53aaa831ad8dd4132920

SHA512
ac12aa3d4920e25078997916ebad31b16a9080dcf92613ab53ba4d2f9e85a89cb39fb08446b218b9d90451f80240e92d47655fe678d40b574042a125ab85633a

Download Submit
C:\Windows\SysWOW64\Apgqie32.exe

Filesize
55KB

MD5
289cb7a0f3b8535709485871f1bb4a22

SHA1
11e2d9e4237af15cfb65b7ea83605985d840dc27

SHA256
2f8642d3d98c69c4a19ab57bebc23042d1e957999a38f6bede1f94b0397f67ed

SHA512
bf8ac7e470a3d71e51f4d25d44319ed97aac7f69ff9a308724d3e16ad64cff763b8a2251327009c459ba736275aad178979c57aea2d69b2dd8338b906b4e84df

Download Submit
C:\Windows\SysWOW64\Apgqie32.exe

Filesize
55KB

MD5
289cb7a0f3b8535709485871f1bb4a22

SHA1
11e2d9e4237af15cfb65b7ea83605985d840dc27

SHA256
2f8642d3d98c69c4a19ab57bebc23042d1e957999a38f6bede1f94b0397f67ed

SHA512
bf8ac7e470a3d71e51f4d25d44319ed97aac7f69ff9a308724d3e16ad64cff763b8a2251327009c459ba736275aad178979c57aea2d69b2dd8338b906b4e84df

Download Submit
C:\Windows\SysWOW64\Bemlhj32.exe

Filesize
55KB

MD5
b168b87f6b3244330ed15b512bc99c92

SHA1
c59b7b39213356d49afe9cac5e3c0fc33262d739

SHA256
a4eaf4717b7dc8e6435c5896050e8cd570e8c396cfcad447406ea45324342e45

SHA512
12f8658c2c95e964d5cd5fed3a71ae5a5f7c2aa78a71d701ed20051c66233610b49d48064a0ec955bc208187c8a084bb82dfeced26c451b6828777837a459067

Download Submit
C:\Windows\SysWOW64\Bemlhj32.exe

Filesize
55KB

MD5
b168b87f6b3244330ed15b512bc99c92

SHA1
c59b7b39213356d49afe9cac5e3c0fc33262d739

SHA256
a4eaf4717b7dc8e6435c5896050e8cd570e8c396cfcad447406ea45324342e45

SHA512
12f8658c2c95e964d5cd5fed3a71ae5a5f7c2aa78a71d701ed20051c66233610b49d48064a0ec955bc208187c8a084bb82dfeced26c451b6828777837a459067

Download Submit
C:\Windows\SysWOW64\Beoimjce.exe

Filesize
55KB

MD5
0c5df54472791b4d5f2a268678a228de

SHA1
6d0e26f3b1bff5f92daeba4899e1f710bcdc62e9

SHA256
5e18b79bbcf196e3213f60b4f3817c70ae01b8b606e69424b286be6ab5d8a549

SHA512
e1309dac6ad19e987ac4ab372e3b4fdd689c0e6bc1c0da720254fe3f1952c160fedf38e101e03b94706e40fcdbb7f10c4bc3191a413667e577de1be2358b5394

Download Submit
C:\Windows\SysWOW64\Beoimjce.exe

Filesize
55KB

MD5
0c5df54472791b4d5f2a268678a228de

SHA1
6d0e26f3b1bff5f92daeba4899e1f710bcdc62e9

SHA256
5e18b79bbcf196e3213f60b4f3817c70ae01b8b606e69424b286be6ab5d8a549

SHA512
e1309dac6ad19e987ac4ab372e3b4fdd689c0e6bc1c0da720254fe3f1952c160fedf38e101e03b94706e40fcdbb7f10c4bc3191a413667e577de1be2358b5394

Download Submit
C:\Windows\SysWOW64\Bfabmmhe.exe

Filesize
55KB

MD5
17dfa050378383c2a4d0aa99c321eceb

SHA1
ea667339c5595f1abb3f6e240f7c5aecc05a1e33

SHA256
50c63444206a8221fa622b617840f419b3df118a7a5b13661881e2c9a5ff6919

SHA512
3d7792dd38a7480fa1f358df33ac5212fe4e7d8e7d945d32054a7ac82fed12068936a155560ecc4e0d3fb4a7192681455d6fa95e64f5bd07b262126b6a1d3fd4

Download Submit
C:\Windows\SysWOW64\Bfabmmhe.exe

Filesize
55KB

MD5
17dfa050378383c2a4d0aa99c321eceb

SHA1
ea667339c5595f1abb3f6e240f7c5aecc05a1e33

SHA256
50c63444206a8221fa622b617840f419b3df118a7a5b13661881e2c9a5ff6919

SHA512
3d7792dd38a7480fa1f358df33ac5212fe4e7d8e7d945d32054a7ac82fed12068936a155560ecc4e0d3fb4a7192681455d6fa95e64f5bd07b262126b6a1d3fd4

Download Submit
C:\Windows\SysWOW64\Bimach32.exe

Filesize
55KB

MD5
d9e215267b0152abaf727ce3a00ca9e1

SHA1
eeb8c9074a3f9e6f9c2962fbc53a120806759de0

SHA256
13ea0cadfd7e4217eec65567d13c04d3378424b43ea3c61b491a6007515f67d2

SHA512
0ef8974c01af1ba8a2a55cb366695fa8f35da01487890859ef0ad3324859c7faadafd6887fbc7ad02abf5bc665e499f89c034a115d548edfa34a98fe36ea10ea

Download Submit
C:\Windows\SysWOW64\Bimach32.exe

Filesize
55KB

MD5
d9e215267b0152abaf727ce3a00ca9e1

SHA1
eeb8c9074a3f9e6f9c2962fbc53a120806759de0

SHA256
13ea0cadfd7e4217eec65567d13c04d3378424b43ea3c61b491a6007515f67d2

SHA512
0ef8974c01af1ba8a2a55cb366695fa8f35da01487890859ef0ad3324859c7faadafd6887fbc7ad02abf5bc665e499f89c034a115d548edfa34a98fe36ea10ea

Download Submit
C:\Windows\SysWOW64\Cdebfago.exe

Filesize
55KB

MD5
47fe39699bdd5c98a920f4da92de7049

SHA1
6949631343f1e75bba302000b62713c61158c8f9

SHA256
8ba5e634ca953f6c88f076b0c38aeeebf42429884f9fcc022853e7769b44718b

SHA512
3a870ba6b41363370e0667b77d4d08b8947386664d805b7b2049aeb7cc821499336a39a7a4318f2447055b1cf7b5389ecb8ce4b5e492da205cfd491055faef33

Download Submit
C:\Windows\SysWOW64\Cdebfago.exe

Filesize
55KB

MD5
47fe39699bdd5c98a920f4da92de7049

SHA1
6949631343f1e75bba302000b62713c61158c8f9

SHA256
8ba5e634ca953f6c88f076b0c38aeeebf42429884f9fcc022853e7769b44718b

SHA512
3a870ba6b41363370e0667b77d4d08b8947386664d805b7b2049aeb7cc821499336a39a7a4318f2447055b1cf7b5389ecb8ce4b5e492da205cfd491055faef33

Download Submit
C:\Windows\SysWOW64\Cdjlap32.exe

Filesize
55KB

MD5
82143811b64c14c4348ac588b7e47aae

SHA1
88856f6f833ef31897350a05182eea43690a6411

SHA256
d96e06b955b99f382749b562b0dfbe3c019f0da2ea37f30b3af1a730b7941bbc

SHA512
41f6daf7f310a04434d4624775a0e62cfe6149ca4ba0a96245032fbb439a2833c0e12b338eaa166fa5bd6619c8ec3ffacb823b86f594aef40fd8b2d7261b7c1a

Download Submit
C:\Windows\SysWOW64\Cdjlap32.exe

Filesize
55KB

MD5
82143811b64c14c4348ac588b7e47aae

SHA1
88856f6f833ef31897350a05182eea43690a6411

SHA256
d96e06b955b99f382749b562b0dfbe3c019f0da2ea37f30b3af1a730b7941bbc

SHA512
41f6daf7f310a04434d4624775a0e62cfe6149ca4ba0a96245032fbb439a2833c0e12b338eaa166fa5bd6619c8ec3ffacb823b86f594aef40fd8b2d7261b7c1a

Download Submit
C:\Windows\SysWOW64\Cdnelpod.exe

Filesize
55KB

MD5
a70f42c5776e20c4b408c8c523e4fcb6

SHA1
a3b88ca677b0da5d15b2c92d35384a5a953efab1

SHA256
f7b05859d026f52cf141f7cada01ad26c9d19191a0c1e6e0058e4279592832d6

SHA512
a79aa777c6c95e9daa934b23014a421c59124f093d697ebace703ec28b577a3aa846debe28bfaaef26e174a5a24f1d63d8ef12f4371c0dfc72900ecc531889ad

Download Submit
C:\Windows\SysWOW64\Cdnelpod.exe

Filesize
55KB

MD5
a70f42c5776e20c4b408c8c523e4fcb6

SHA1
a3b88ca677b0da5d15b2c92d35384a5a953efab1

SHA256
f7b05859d026f52cf141f7cada01ad26c9d19191a0c1e6e0058e4279592832d6

SHA512
a79aa777c6c95e9daa934b23014a421c59124f093d697ebace703ec28b577a3aa846debe28bfaaef26e174a5a24f1d63d8ef12f4371c0dfc72900ecc531889ad

Download Submit
C:\Windows\SysWOW64\Cffkhl32.exe

Filesize
55KB

MD5
ecaf74714c864b716f27689abc2c1788

SHA1
e1c73e9e4c366a7479466037de04b42188f1e526

SHA256
46fe6f4dd172bbc94af06a860c279132f1286e56499307758b3b83050bb24334

SHA512
961bd5a7cc5ab6b9080164cbcf6f7892c70818ca3a1614cbdc834e41da02c768df1b9a8a49e0729602810e63d6daff042e65fe76a7f93368dfed3b83c8b9cd63

Download Submit
C:\Windows\SysWOW64\Cffkhl32.exe

Filesize
55KB

MD5
ecaf74714c864b716f27689abc2c1788

SHA1
e1c73e9e4c366a7479466037de04b42188f1e526

SHA256
46fe6f4dd172bbc94af06a860c279132f1286e56499307758b3b83050bb24334

SHA512
961bd5a7cc5ab6b9080164cbcf6f7892c70818ca3a1614cbdc834e41da02c768df1b9a8a49e0729602810e63d6daff042e65fe76a7f93368dfed3b83c8b9cd63

Download Submit
C:\Windows\SysWOW64\Cifdjg32.exe

Filesize
55KB

MD5
bec7c3df60fd26eef5e75e33eb9d0ed6

SHA1
ee7e17b403c4092465f5a0087b4cd75a493c8c1d

SHA256
68f871bd80f81004ff2c2dcb1de0f70ba31d1b543c8c5715ac40da4a47ae0762

SHA512
71b2514ad568f239617e9625bd5d0a30ecad18d1545fe89456ceb11f565a6a6830a12514ae217397e8560ee207eb6478dafac6b8b0c179b4aab1c0189892050c

Download Submit
C:\Windows\SysWOW64\Cifdjg32.exe

Filesize
55KB

MD5
bec7c3df60fd26eef5e75e33eb9d0ed6

SHA1
ee7e17b403c4092465f5a0087b4cd75a493c8c1d

SHA256
68f871bd80f81004ff2c2dcb1de0f70ba31d1b543c8c5715ac40da4a47ae0762

SHA512
71b2514ad568f239617e9625bd5d0a30ecad18d1545fe89456ceb11f565a6a6830a12514ae217397e8560ee207eb6478dafac6b8b0c179b4aab1c0189892050c

Download Submit
C:\Windows\SysWOW64\Ciiaogon.exe

Filesize
55KB

MD5
bf1499f6aed79961666d104fc3c6abc1

SHA1
ace6922171e60ffdff9702e4d22f36d69d3a7803

SHA256
e05a8774d7f94f24dd4cae2675e2cbec112e37c59f70e5366703ce91c3b1837c

SHA512
405c63176493af62f2a010fb9b84e263455ae6116992e1420641dfaed02d7badb5dd4c158799a3cca2dd65e5c522a7ac6c7de6364ab846ef865f7938378f38b5

Download Submit
C:\Windows\SysWOW64\Ciiaogon.exe

Filesize
55KB

MD5
bf1499f6aed79961666d104fc3c6abc1

SHA1
ace6922171e60ffdff9702e4d22f36d69d3a7803

SHA256
e05a8774d7f94f24dd4cae2675e2cbec112e37c59f70e5366703ce91c3b1837c

SHA512
405c63176493af62f2a010fb9b84e263455ae6116992e1420641dfaed02d7badb5dd4c158799a3cca2dd65e5c522a7ac6c7de6364ab846ef865f7938378f38b5

Download Submit
C:\Windows\SysWOW64\Cmgjee32.exe

Filesize
55KB

MD5
6ae832ef88c265b273dfcfb04638a08c

SHA1
9d76ebc5a6f6a1c8a24503346e2ec713228100a3

SHA256
eca7961af41757545aa54bdfe7cf682c55e09b5ee0e7fb62c442be193c1f7756

SHA512
30000ce58e8fe72d7fc85459291ea78734c69ff014b0c66380f73ca26da585c869e5fe46d0cd7d97ae6011274b12750bc4a44e1ea66981f01e604eb0c66bddb3

Download Submit
C:\Windows\SysWOW64\Cmgjee32.exe

Filesize
55KB

MD5
6ae832ef88c265b273dfcfb04638a08c

SHA1
9d76ebc5a6f6a1c8a24503346e2ec713228100a3

SHA256
eca7961af41757545aa54bdfe7cf682c55e09b5ee0e7fb62c442be193c1f7756

SHA512
30000ce58e8fe72d7fc85459291ea78734c69ff014b0c66380f73ca26da585c869e5fe46d0cd7d97ae6011274b12750bc4a44e1ea66981f01e604eb0c66bddb3

Download Submit
C:\Windows\SysWOW64\Cmmgof32.exe

Filesize
55KB

MD5
f1bfae045e6f0e8330642743bca47ccb

SHA1
9b00dd9cdbfd8e07545bf321b6ca00be466ca64d

SHA256
48ed3b3b266d9ed48ce331c4e7fe1c51805ef7ff1f5fe6275478fdbf99e66f92

SHA512
e2c21dff9a06334a77c883cb1a18eeee3e0e01194ad442db3cb172a2fa432d5e9810091a3acd00ee9f976547465b7ea75362b44c7072eb39fc195b90f18f949b

Download Submit
C:\Windows\SysWOW64\Cmmgof32.exe

Filesize
55KB

MD5
f1bfae045e6f0e8330642743bca47ccb

SHA1
9b00dd9cdbfd8e07545bf321b6ca00be466ca64d

SHA256
48ed3b3b266d9ed48ce331c4e7fe1c51805ef7ff1f5fe6275478fdbf99e66f92

SHA512
e2c21dff9a06334a77c883cb1a18eeee3e0e01194ad442db3cb172a2fa432d5e9810091a3acd00ee9f976547465b7ea75362b44c7072eb39fc195b90f18f949b

Download Submit
C:\Windows\SysWOW64\Dbcbnlcl.exe

Filesize
55KB

MD5
65d4be91a94e6eb4edea7e0080b26208

SHA1
eabdf01b3e6ff492c65a1cf32c45089bef6db3bb

SHA256
be086061b8c667e674dcf77800e4a7d4394beeca48d0f9dc77b7899a54fd02fb

SHA512
964046a83e3257846e3c50bf408f9152f8a456f67d714e7007969a34b3cba5d7fca76db49a6567dd5666d46c54a2212c8c996624c5e50114b7c9a92d14860a61

Download Submit
C:\Windows\SysWOW64\Dbcbnlcl.exe

Filesize
55KB

MD5
65d4be91a94e6eb4edea7e0080b26208

SHA1
eabdf01b3e6ff492c65a1cf32c45089bef6db3bb

SHA256
be086061b8c667e674dcf77800e4a7d4394beeca48d0f9dc77b7899a54fd02fb

SHA512
964046a83e3257846e3c50bf408f9152f8a456f67d714e7007969a34b3cba5d7fca76db49a6567dd5666d46c54a2212c8c996624c5e50114b7c9a92d14860a61

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
55KB

MD5
0e2e9d89079fae966550c56245b89b62

SHA1
00686e649e6a46a6384061389d7167466ea3dd8d

SHA256
e1d80623bb755ef85c6404364145d15b99f6eb63efdb72f77e4fc73ebce5ab0c

SHA512
02539639f9e887ecd1f24790cfca643385475630984b91bda513c3700fafbe6e6ad1ce24f4a1feb914e88c2c368cabcfe5786cc304fccb3b79dbb6ede6795bae

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
55KB

MD5
0e2e9d89079fae966550c56245b89b62

SHA1
00686e649e6a46a6384061389d7167466ea3dd8d

SHA256
e1d80623bb755ef85c6404364145d15b99f6eb63efdb72f77e4fc73ebce5ab0c

SHA512
02539639f9e887ecd1f24790cfca643385475630984b91bda513c3700fafbe6e6ad1ce24f4a1feb914e88c2c368cabcfe5786cc304fccb3b79dbb6ede6795bae

Download Submit
C:\Windows\SysWOW64\Ddekmo32.exe

Filesize
55KB

MD5
c74e1ed4411a15b05c8afa8925cfde72

SHA1
e51b94790ce9b59fdff8f6f78c7c256e4a73792c

SHA256
4d67dd0735b5204123b41e2ae943f704f877f52e0ed37131f4df05bdb8bf3a15

SHA512
c5a61ac7772d8c4e18e9a812d130140d75458419ffc38013df94c8dbc30eca985495e578b92c6b8fb087ea24073bc9f0185e7149b86719fc95103756e5f5d98d

Download Submit
C:\Windows\SysWOW64\Ddekmo32.exe

Filesize
55KB

MD5
c74e1ed4411a15b05c8afa8925cfde72

SHA1
e51b94790ce9b59fdff8f6f78c7c256e4a73792c

SHA256
4d67dd0735b5204123b41e2ae943f704f877f52e0ed37131f4df05bdb8bf3a15

SHA512
c5a61ac7772d8c4e18e9a812d130140d75458419ffc38013df94c8dbc30eca985495e578b92c6b8fb087ea24073bc9f0185e7149b86719fc95103756e5f5d98d

Download Submit
C:\Windows\SysWOW64\Defheg32.exe

Filesize
55KB

MD5
70e46d0b3d8a4ddd7c082db4436f0c23

SHA1
fe43b0ad933756b3348d4cddc51353ce0b4e1817

SHA256
36e9e3a8135fc06181bf9ca7228706470455953159a6252655d74fd9295e535a

SHA512
11ee16509c3028de378064b40e3aa11e58f99a28ecf47bbeabf116f6cfbc6dd873ed83811cd4bcba31402550b0df9b15e9f51cd198512004947928569cf3e7fe

Download Submit
C:\Windows\SysWOW64\Defheg32.exe

Filesize
55KB

MD5
70e46d0b3d8a4ddd7c082db4436f0c23

SHA1
fe43b0ad933756b3348d4cddc51353ce0b4e1817

SHA256
36e9e3a8135fc06181bf9ca7228706470455953159a6252655d74fd9295e535a

SHA512
11ee16509c3028de378064b40e3aa11e58f99a28ecf47bbeabf116f6cfbc6dd873ed83811cd4bcba31402550b0df9b15e9f51cd198512004947928569cf3e7fe

Download Submit
C:\Windows\SysWOW64\Dfakcj32.exe

Filesize
55KB

MD5
e9b941e52a12410688dcad51c9b7c8f4

SHA1
276879dbdba59d45c59c490f13d9dd5d0e0934b4

SHA256
45fb368c35dc031985c2a83f1c6f8df2b6bff89c45e645ca3a443b120215ec6d

SHA512
2e58978b0e015258de22ec24d83acebbe314feb7983f7e112d3fc8be3779bd4d9b0408041f606d8a7bf7ed5ba16d26aa95855e742db78f1b9faebdcf38a250d4

Download Submit
C:\Windows\SysWOW64\Dfakcj32.exe

Filesize
55KB

MD5
e9b941e52a12410688dcad51c9b7c8f4

SHA1
276879dbdba59d45c59c490f13d9dd5d0e0934b4

SHA256
45fb368c35dc031985c2a83f1c6f8df2b6bff89c45e645ca3a443b120215ec6d

SHA512
2e58978b0e015258de22ec24d83acebbe314feb7983f7e112d3fc8be3779bd4d9b0408041f606d8a7bf7ed5ba16d26aa95855e742db78f1b9faebdcf38a250d4

Download Submit
C:\Windows\SysWOW64\Dllffa32.exe

Filesize
55KB

MD5
4c16e423ff2782e50dd2835e994432cf

SHA1
74634092222c9953a0bca33fc0e4a1407159909b

SHA256
dabc6bbf930a097eef3d03abc108a1f044353e4eca1ce0cb4d45329173762b72

SHA512
6ffa9ffaf8ce9cce9cd8963c49ba4c3bd390fbe786e4e30b20881665e5560fb003b8848cc0a5ee84b56b0eeff82a80ffcd32befc629f8a8bcee8181aa444963f

Download Submit
C:\Windows\SysWOW64\Dllffa32.exe

Filesize
55KB

MD5
4c16e423ff2782e50dd2835e994432cf

SHA1
74634092222c9953a0bca33fc0e4a1407159909b

SHA256
dabc6bbf930a097eef3d03abc108a1f044353e4eca1ce0cb4d45329173762b72

SHA512
6ffa9ffaf8ce9cce9cd8963c49ba4c3bd390fbe786e4e30b20881665e5560fb003b8848cc0a5ee84b56b0eeff82a80ffcd32befc629f8a8bcee8181aa444963f

Download Submit
C:\Windows\SysWOW64\Pomncfge.exe

Filesize
55KB

MD5
b419cb6b40c734f9ad49aedda3e6aace

SHA1
430f2a114f08d93ec379a260ac8243640e169d71

SHA256
cbfaf9dd7bff8fa560dd02ce4a0baf91a7fe3ccc7fe1fe4bafe50956299f3f21

SHA512
e94c80993c2cd3c487de9fc304b219c9498278d0c73de15b88bed00ade4c287dea0567a2585e53a3014da8ec926ae3c7d551acf7828eb9c7c9b1f93c2ae794ae

Download Submit
C:\Windows\SysWOW64\Pomncfge.exe

Filesize
55KB

MD5
b419cb6b40c734f9ad49aedda3e6aace

SHA1
430f2a114f08d93ec379a260ac8243640e169d71

SHA256
cbfaf9dd7bff8fa560dd02ce4a0baf91a7fe3ccc7fe1fe4bafe50956299f3f21

SHA512
e94c80993c2cd3c487de9fc304b219c9498278d0c73de15b88bed00ade4c287dea0567a2585e53a3014da8ec926ae3c7d551acf7828eb9c7c9b1f93c2ae794ae

Download Submit
C:\Windows\SysWOW64\Qpbgnecp.exe

Filesize
55KB

MD5
c5ac935a331b111f34074bc18aa7ff6e

SHA1
78d9c72f47618d4cee7fd9160ef7ce468a011c03

SHA256
e57893b91462518bec9978d62020341d32d5a73552c4ec1cfbe5459a4c4c9342

SHA512
98e0d42c9d18731672bd067237399218eeb8cbec58f5f3453a77a3840931227496ca90f12f3286b16e2fa97c0bb4e0bb1a8a54fe640c8757389e35696c081f78

Download Submit
C:\Windows\SysWOW64\Qpbgnecp.exe

Filesize
55KB

MD5
c5ac935a331b111f34074bc18aa7ff6e

SHA1
78d9c72f47618d4cee7fd9160ef7ce468a011c03

SHA256
e57893b91462518bec9978d62020341d32d5a73552c4ec1cfbe5459a4c4c9342

SHA512
98e0d42c9d18731672bd067237399218eeb8cbec58f5f3453a77a3840931227496ca90f12f3286b16e2fa97c0bb4e0bb1a8a54fe640c8757389e35696c081f78

Download Submit
C:\Windows\SysWOW64\Qppkhfec.exe

Filesize
55KB

MD5
f4660f9d8e239d4476533e0e6e787993

SHA1
7eb0607981d916dcc947d795052da7a13ae84cb8

SHA256
d0beec21f3a50c58a02e85ceecdf561dada582fb129998a14ffadaca0ba3f428

SHA512
81a04f53f04cf426c8da844ab1f756fdbb6c1bfdefcaf75ab4059b03f00483705d966aecafc4060a4602639453fe9add7df17d3e041bbafcdcc169ef51e904ce

Download Submit
C:\Windows\SysWOW64\Qppkhfec.exe

Filesize
55KB

MD5
f4660f9d8e239d4476533e0e6e787993

SHA1
7eb0607981d916dcc947d795052da7a13ae84cb8

SHA256
d0beec21f3a50c58a02e85ceecdf561dada582fb129998a14ffadaca0ba3f428

SHA512
81a04f53f04cf426c8da844ab1f756fdbb6c1bfdefcaf75ab4059b03f00483705d966aecafc4060a4602639453fe9add7df17d3e041bbafcdcc169ef51e904ce

Download Submit
memory/208-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads