cdf03fb27614811c8839f07db3d20c8a706c05a509de97edaab1c69d177780cc

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03-11-2023 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
Size

337KB
MD5

35f054dcd20f3fdf518084a101d7b9a0
SHA1

5abeabf409122f2f7edd9d389b41a2288d2e436d
SHA256

cdf03fb27614811c8839f07db3d20c8a706c05a509de97edaab1c69d177780cc
SHA512

d75a31a9c11710d3dec4c710d8ca2a180643a8679197d977e9f4290b5d26bb1256bb1f3bf380079c02792bb6c0a1f38794efa7295b51707334e2cbae801c62e7
SSDEEP

6144:RAX7OAwlrob1f2WZgYxYQoEl1YxXJ+jbC0+xYKo:eX7xpk8gYia6wPN+U

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cldooj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhphncm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dolnad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcadac32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dolnad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejkima32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echfaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djhphncm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egjpkffe.exe

Executes dropped EXE 12 IoCs

pid	Process
2688	Cjdfmo32.exe
2944	Cldooj32.exe
2700	Djhphncm.exe
2708	Dcadac32.exe
2600	Dcenlceh.exe
1256	Dolnad32.exe
2860	Enakbp32.exe
3000	Egjpkffe.exe
296	Ejkima32.exe
2212	Efaibbij.exe
700	Echfaf32.exe
612	Fkckeh32.exe

Loads dropped DLL 28 IoCs

pid	Process
2628	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
2628	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
2688	Cjdfmo32.exe
2688	Cjdfmo32.exe
2944	Cldooj32.exe
2944	Cldooj32.exe
2700	Djhphncm.exe
2700	Djhphncm.exe
2708	Dcadac32.exe
2708	Dcadac32.exe
2600	Dcenlceh.exe
2600	Dcenlceh.exe
1256	Dolnad32.exe
1256	Dolnad32.exe
2860	Enakbp32.exe
2860	Enakbp32.exe
3000	Egjpkffe.exe
3000	Egjpkffe.exe
296	Ejkima32.exe
296	Ejkima32.exe
2212	Efaibbij.exe
2212	Efaibbij.exe
700	Echfaf32.exe
700	Echfaf32.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe
File created	C:\Windows\SysWOW64\Mghohc32.dll	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
File created	C:\Windows\SysWOW64\Cldooj32.exe	Cjdfmo32.exe
File opened for modification	C:\Windows\SysWOW64\Djhphncm.exe	Cldooj32.exe
File created	C:\Windows\SysWOW64\Dcenlceh.exe	Dcadac32.exe
File opened for modification	C:\Windows\SysWOW64\Ejkima32.exe	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Lbadbn32.dll	Ejkima32.exe
File created	C:\Windows\SysWOW64\Enakbp32.exe	Dolnad32.exe
File created	C:\Windows\SysWOW64\Efaibbij.exe	Ejkima32.exe
File created	C:\Windows\SysWOW64\Oehfcmhd.dll	Cjdfmo32.exe
File created	C:\Windows\SysWOW64\Dcadac32.exe	Djhphncm.exe
File opened for modification	C:\Windows\SysWOW64\Dcadac32.exe	Djhphncm.exe
File opened for modification	C:\Windows\SysWOW64\Dcenlceh.exe	Dcadac32.exe
File created	C:\Windows\SysWOW64\Bjidgghp.dll	Dcadac32.exe
File created	C:\Windows\SysWOW64\Galmmc32.dll	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Djhphncm.exe	Cldooj32.exe
File created	C:\Windows\SysWOW64\Egjpkffe.exe	Enakbp32.exe
File created	C:\Windows\SysWOW64\Najgne32.dll	Efaibbij.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe
File created	C:\Windows\SysWOW64\Cjdfmo32.exe	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
File opened for modification	C:\Windows\SysWOW64\Enakbp32.exe	Dolnad32.exe
File created	C:\Windows\SysWOW64\Lednakhd.dll	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Egjpkffe.exe	Enakbp32.exe
File created	C:\Windows\SysWOW64\Abkphdmd.dll	Enakbp32.exe
File opened for modification	C:\Windows\SysWOW64\Echfaf32.exe	Efaibbij.exe
File created	C:\Windows\SysWOW64\Echfaf32.exe	Efaibbij.exe
File opened for modification	C:\Windows\SysWOW64\Cjdfmo32.exe	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
File created	C:\Windows\SysWOW64\Jaegglem.dll	Cldooj32.exe
File created	C:\Windows\SysWOW64\Eofjhkoj.dll	Djhphncm.exe
File opened for modification	C:\Windows\SysWOW64\Efaibbij.exe	Ejkima32.exe
File created	C:\Windows\SysWOW64\Mmjale32.dll	Egjpkffe.exe
File opened for modification	C:\Windows\SysWOW64\Cldooj32.exe	Cjdfmo32.exe
File created	C:\Windows\SysWOW64\Dolnad32.exe	Dcenlceh.exe
File opened for modification	C:\Windows\SysWOW64\Dolnad32.exe	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Ejkima32.exe	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Echfaf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	612	WerFault.exe	39

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaegglem.dll"	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofjhkoj.dll"	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll"	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbadbn32.dll"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghohc32.dll"	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dolnad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enakbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjale32.dll"	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll"	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enakbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll"	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Echfaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll"	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2688	2628	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe	28
PID 2628 wrote to memory of 2688	2628	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe	28
PID 2628 wrote to memory of 2688	2628	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe	28
PID 2628 wrote to memory of 2688	2628	NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe	28
PID 2688 wrote to memory of 2944	2688	Cjdfmo32.exe	30
PID 2688 wrote to memory of 2944	2688	Cjdfmo32.exe	30
PID 2688 wrote to memory of 2944	2688	Cjdfmo32.exe	30
PID 2688 wrote to memory of 2944	2688	Cjdfmo32.exe	30
PID 2944 wrote to memory of 2700	2944	Cldooj32.exe	29
PID 2944 wrote to memory of 2700	2944	Cldooj32.exe	29
PID 2944 wrote to memory of 2700	2944	Cldooj32.exe	29
PID 2944 wrote to memory of 2700	2944	Cldooj32.exe	29
PID 2700 wrote to memory of 2708	2700	Djhphncm.exe	31
PID 2700 wrote to memory of 2708	2700	Djhphncm.exe	31
PID 2700 wrote to memory of 2708	2700	Djhphncm.exe	31
PID 2700 wrote to memory of 2708	2700	Djhphncm.exe	31
PID 2708 wrote to memory of 2600	2708	Dcadac32.exe	32
PID 2708 wrote to memory of 2600	2708	Dcadac32.exe	32
PID 2708 wrote to memory of 2600	2708	Dcadac32.exe	32
PID 2708 wrote to memory of 2600	2708	Dcadac32.exe	32
PID 2600 wrote to memory of 1256	2600	Dcenlceh.exe	33
PID 2600 wrote to memory of 1256	2600	Dcenlceh.exe	33
PID 2600 wrote to memory of 1256	2600	Dcenlceh.exe	33
PID 2600 wrote to memory of 1256	2600	Dcenlceh.exe	33
PID 1256 wrote to memory of 2860	1256	Dolnad32.exe	34
PID 1256 wrote to memory of 2860	1256	Dolnad32.exe	34
PID 1256 wrote to memory of 2860	1256	Dolnad32.exe	34
PID 1256 wrote to memory of 2860	1256	Dolnad32.exe	34
PID 2860 wrote to memory of 3000	2860	Enakbp32.exe	35
PID 2860 wrote to memory of 3000	2860	Enakbp32.exe	35
PID 2860 wrote to memory of 3000	2860	Enakbp32.exe	35
PID 2860 wrote to memory of 3000	2860	Enakbp32.exe	35
PID 3000 wrote to memory of 296	3000	Egjpkffe.exe	36
PID 3000 wrote to memory of 296	3000	Egjpkffe.exe	36
PID 3000 wrote to memory of 296	3000	Egjpkffe.exe	36
PID 3000 wrote to memory of 296	3000	Egjpkffe.exe	36
PID 296 wrote to memory of 2212	296	Ejkima32.exe	37
PID 296 wrote to memory of 2212	296	Ejkima32.exe	37
PID 296 wrote to memory of 2212	296	Ejkima32.exe	37
PID 296 wrote to memory of 2212	296	Ejkima32.exe	37
PID 2212 wrote to memory of 700	2212	Efaibbij.exe	38
PID 2212 wrote to memory of 700	2212	Efaibbij.exe	38
PID 2212 wrote to memory of 700	2212	Efaibbij.exe	38
PID 2212 wrote to memory of 700	2212	Efaibbij.exe	38
PID 700 wrote to memory of 612	700	Echfaf32.exe	39
PID 700 wrote to memory of 612	700	Echfaf32.exe	39
PID 700 wrote to memory of 612	700	Echfaf32.exe	39
PID 700 wrote to memory of 612	700	Echfaf32.exe	39
PID 612 wrote to memory of 2852	612	Fkckeh32.exe	40
PID 612 wrote to memory of 2852	612	Fkckeh32.exe	40
PID 612 wrote to memory of 2852	612	Fkckeh32.exe	40
PID 612 wrote to memory of 2852	612	Fkckeh32.exe	40

C:\Users\Admin\AppData\Local\Temp\NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\Cjdfmo32.exe
  C:\Windows\system32\Cjdfmo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Cldooj32.exe
    C:\Windows\system32\Cldooj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2944

C:\Windows\SysWOW64\Djhphncm.exe
C:\Windows\system32\Djhphncm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\Dcadac32.exe
  C:\Windows\system32\Dcadac32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\Dcenlceh.exe
    C:\Windows\system32\Dcenlceh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\Dolnad32.exe
      C:\Windows\system32\Dolnad32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\SysWOW64\Enakbp32.exe
        
        C:\Windows\system32\Enakbp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\SysWOW64\Egjpkffe.exe
        
        C:\Windows\system32\Egjpkffe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ejkima32.exe
        
        C:\Windows\system32\Ejkima32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:296
        
        C:\Windows\SysWOW64\Efaibbij.exe
        
        C:\Windows\system32\Efaibbij.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Echfaf32.exe
        
        C:\Windows\system32\Echfaf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cjdfmo32.exe

Filesize
337KB

MD5
8b01a363f14e546608bbc8e0268abae7

SHA1
dcd9ab722fd7b1361abc337280217fd3a56d9d59

SHA256
7c332e714b0e694b4ab92f6e035401ea600199317ecdb340f104d5c0c01fa409

SHA512
768a28169d1f8ec5afae01bf14b25d8884aa5d2505629d9e48386407b35a456bf0b5916d9ce416df3ee099e1df688dd5a56a6b52605bd1c28c49a674d2018524

Download Submit
C:\Windows\SysWOW64\Cjdfmo32.exe

Filesize
337KB

MD5
8b01a363f14e546608bbc8e0268abae7

SHA1
dcd9ab722fd7b1361abc337280217fd3a56d9d59

SHA256
7c332e714b0e694b4ab92f6e035401ea600199317ecdb340f104d5c0c01fa409

SHA512
768a28169d1f8ec5afae01bf14b25d8884aa5d2505629d9e48386407b35a456bf0b5916d9ce416df3ee099e1df688dd5a56a6b52605bd1c28c49a674d2018524

Download Submit
C:\Windows\SysWOW64\Cjdfmo32.exe

Filesize
337KB

MD5
8b01a363f14e546608bbc8e0268abae7

SHA1
dcd9ab722fd7b1361abc337280217fd3a56d9d59

SHA256
7c332e714b0e694b4ab92f6e035401ea600199317ecdb340f104d5c0c01fa409

SHA512
768a28169d1f8ec5afae01bf14b25d8884aa5d2505629d9e48386407b35a456bf0b5916d9ce416df3ee099e1df688dd5a56a6b52605bd1c28c49a674d2018524

Download Submit
C:\Windows\SysWOW64\Cldooj32.exe

Filesize
337KB

MD5
d86d631b4e765f12e710e36d63eb84e3

SHA1
690562755d4d0b30121b2d06402512f1d30a1b11

SHA256
680ef900724b45f0ecf7f3a4ea73cc69f33816c4a5504cdea8adfd7cb004747e

SHA512
d96ffeac1b81ff93a5781bbe819091c0bd8230f62ba3abb91967c25f2ddff101d3105c531061326461d070cf7f6d1aa15857c4305e64025ae578245e2bec7232

Download Submit
C:\Windows\SysWOW64\Cldooj32.exe

Filesize
337KB

MD5
d86d631b4e765f12e710e36d63eb84e3

SHA1
690562755d4d0b30121b2d06402512f1d30a1b11

SHA256
680ef900724b45f0ecf7f3a4ea73cc69f33816c4a5504cdea8adfd7cb004747e

SHA512
d96ffeac1b81ff93a5781bbe819091c0bd8230f62ba3abb91967c25f2ddff101d3105c531061326461d070cf7f6d1aa15857c4305e64025ae578245e2bec7232

Download Submit
C:\Windows\SysWOW64\Cldooj32.exe

Filesize
337KB

MD5
d86d631b4e765f12e710e36d63eb84e3

SHA1
690562755d4d0b30121b2d06402512f1d30a1b11

SHA256
680ef900724b45f0ecf7f3a4ea73cc69f33816c4a5504cdea8adfd7cb004747e

SHA512
d96ffeac1b81ff93a5781bbe819091c0bd8230f62ba3abb91967c25f2ddff101d3105c531061326461d070cf7f6d1aa15857c4305e64025ae578245e2bec7232

Download Submit
C:\Windows\SysWOW64\Dcadac32.exe

Filesize
337KB

MD5
f553d81675c90010901460fc098c42fd

SHA1
d260c09b051e1fec24c15ec160d4df9a8bdcfba5

SHA256
aaa18fc842475e8c990b3f726cec0a60d9b224fe6ba6273e2e8a1ab02db256fd

SHA512
b7b043ab851486e3a1f2d5c53fe8091254692bda4b8aba1ecbe1fe49519cce2ea2db2aa0f7bbc7c10285ad766849e9953e74c6a40d8d4efa191e6bccb73176b6

Download Submit
C:\Windows\SysWOW64\Dcadac32.exe

Filesize
337KB

MD5
f553d81675c90010901460fc098c42fd

SHA1
d260c09b051e1fec24c15ec160d4df9a8bdcfba5

SHA256
aaa18fc842475e8c990b3f726cec0a60d9b224fe6ba6273e2e8a1ab02db256fd

SHA512
b7b043ab851486e3a1f2d5c53fe8091254692bda4b8aba1ecbe1fe49519cce2ea2db2aa0f7bbc7c10285ad766849e9953e74c6a40d8d4efa191e6bccb73176b6

Download Submit
C:\Windows\SysWOW64\Dcadac32.exe

Filesize
337KB

MD5
f553d81675c90010901460fc098c42fd

SHA1
d260c09b051e1fec24c15ec160d4df9a8bdcfba5

SHA256
aaa18fc842475e8c990b3f726cec0a60d9b224fe6ba6273e2e8a1ab02db256fd

SHA512
b7b043ab851486e3a1f2d5c53fe8091254692bda4b8aba1ecbe1fe49519cce2ea2db2aa0f7bbc7c10285ad766849e9953e74c6a40d8d4efa191e6bccb73176b6

Download Submit
C:\Windows\SysWOW64\Dcenlceh.exe

Filesize
337KB

MD5
03158b3cd7871aa8393a9d3a2b22fe08

SHA1
5d85579c9f380c55bf8b9aef0f7943e5a95f85d6

SHA256
9b6ab4613a1e82db2e2263eb8726ec85873c02ef4be2b45c6dec8686b22f0036

SHA512
e988eeca0f8baa0131b08b72f13e32d7f81f565afafa6ac6ee60344b0981c14fcf1a932bb8cdacbface47370f827d47094d468f0a478db95d222e41e875b1caa

Download Submit
C:\Windows\SysWOW64\Dcenlceh.exe

Filesize
337KB

MD5
03158b3cd7871aa8393a9d3a2b22fe08

SHA1
5d85579c9f380c55bf8b9aef0f7943e5a95f85d6

SHA256
9b6ab4613a1e82db2e2263eb8726ec85873c02ef4be2b45c6dec8686b22f0036

SHA512
e988eeca0f8baa0131b08b72f13e32d7f81f565afafa6ac6ee60344b0981c14fcf1a932bb8cdacbface47370f827d47094d468f0a478db95d222e41e875b1caa

Download Submit
C:\Windows\SysWOW64\Dcenlceh.exe

Filesize
337KB

MD5
03158b3cd7871aa8393a9d3a2b22fe08

SHA1
5d85579c9f380c55bf8b9aef0f7943e5a95f85d6

SHA256
9b6ab4613a1e82db2e2263eb8726ec85873c02ef4be2b45c6dec8686b22f0036

SHA512
e988eeca0f8baa0131b08b72f13e32d7f81f565afafa6ac6ee60344b0981c14fcf1a932bb8cdacbface47370f827d47094d468f0a478db95d222e41e875b1caa

Download Submit
C:\Windows\SysWOW64\Djhphncm.exe

Filesize
337KB

MD5
6c73583e138e9010be87709012d974ae

SHA1
354923deb7aa4ecdcc0e113a2be62d97d946e6db

SHA256
957ff78223eceb0191ceaefd124d19cba6343d18c7f8715242352d350932ad1e

SHA512
09124a82010c2054613fd11587bf1b1ae9229b9dbbdd1f51bea27cd896a2ea36efa30cb33f4f95e4cde06f197c37e488f5c2e1adac5bd8dec48e6d55f0a8fe97

Download Submit
C:\Windows\SysWOW64\Djhphncm.exe

Filesize
337KB

MD5
6c73583e138e9010be87709012d974ae

SHA1
354923deb7aa4ecdcc0e113a2be62d97d946e6db

SHA256
957ff78223eceb0191ceaefd124d19cba6343d18c7f8715242352d350932ad1e

SHA512
09124a82010c2054613fd11587bf1b1ae9229b9dbbdd1f51bea27cd896a2ea36efa30cb33f4f95e4cde06f197c37e488f5c2e1adac5bd8dec48e6d55f0a8fe97

Download Submit
C:\Windows\SysWOW64\Djhphncm.exe

Filesize
337KB

MD5
6c73583e138e9010be87709012d974ae

SHA1
354923deb7aa4ecdcc0e113a2be62d97d946e6db

SHA256
957ff78223eceb0191ceaefd124d19cba6343d18c7f8715242352d350932ad1e

SHA512
09124a82010c2054613fd11587bf1b1ae9229b9dbbdd1f51bea27cd896a2ea36efa30cb33f4f95e4cde06f197c37e488f5c2e1adac5bd8dec48e6d55f0a8fe97

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
337KB

MD5
9166bbff8d50ad88281ca72b04747a6f

SHA1
b0782f3adf0c5bae603b791862055094743926db

SHA256
7117835e607cc4a2b80a95eb0c0cb5c14775ffe77c76f584b3c2620e853c6c80

SHA512
4eb2280d702b2974ce5c35e3c55e73a160278a5c53b3c44fc14e69267d95cec44e351f41cf959f2bf7295e3ec04c587a5d8db15a4b1432e7d41b53231bedbee5

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
337KB

MD5
9166bbff8d50ad88281ca72b04747a6f

SHA1
b0782f3adf0c5bae603b791862055094743926db

SHA256
7117835e607cc4a2b80a95eb0c0cb5c14775ffe77c76f584b3c2620e853c6c80

SHA512
4eb2280d702b2974ce5c35e3c55e73a160278a5c53b3c44fc14e69267d95cec44e351f41cf959f2bf7295e3ec04c587a5d8db15a4b1432e7d41b53231bedbee5

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
337KB

MD5
9166bbff8d50ad88281ca72b04747a6f

SHA1
b0782f3adf0c5bae603b791862055094743926db

SHA256
7117835e607cc4a2b80a95eb0c0cb5c14775ffe77c76f584b3c2620e853c6c80

SHA512
4eb2280d702b2974ce5c35e3c55e73a160278a5c53b3c44fc14e69267d95cec44e351f41cf959f2bf7295e3ec04c587a5d8db15a4b1432e7d41b53231bedbee5

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
337KB

MD5
a01f4cfdc9fb26113440eb938dcf65b5

SHA1
0236b46789af0017d3161b7b03c86dbc54880bf0

SHA256
a7eebe853f823cebaf7801bc37b2df3b5de7bbadd6b185e1b7fc8bfccc97d601

SHA512
010ed323599e03671213199048df4939410d4c90b633c043cc57b8a9ed20dea41b791b9d01992b87b8aaf8065f70f61bca654e93f1222547ecc17b9a2faab9d6

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
337KB

MD5
a01f4cfdc9fb26113440eb938dcf65b5

SHA1
0236b46789af0017d3161b7b03c86dbc54880bf0

SHA256
a7eebe853f823cebaf7801bc37b2df3b5de7bbadd6b185e1b7fc8bfccc97d601

SHA512
010ed323599e03671213199048df4939410d4c90b633c043cc57b8a9ed20dea41b791b9d01992b87b8aaf8065f70f61bca654e93f1222547ecc17b9a2faab9d6

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
337KB

MD5
a01f4cfdc9fb26113440eb938dcf65b5

SHA1
0236b46789af0017d3161b7b03c86dbc54880bf0

SHA256
a7eebe853f823cebaf7801bc37b2df3b5de7bbadd6b185e1b7fc8bfccc97d601

SHA512
010ed323599e03671213199048df4939410d4c90b633c043cc57b8a9ed20dea41b791b9d01992b87b8aaf8065f70f61bca654e93f1222547ecc17b9a2faab9d6

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
337KB

MD5
f663d0bd78363c2ac675431a49d3664a

SHA1
c75e77a0d97a64727c3cb5bcb3f8237258295409

SHA256
e741a45843558e956dfc7c852f3b01909f87de8b4d51652e010204c166cf8ed5

SHA512
8c6e60f1b2e21daa72650b456ab84d48fc387d507549349de2c7b237692438a3b7cd05e1379187a5143ca28761ee9ef24f6181ec5784faf36bab12ea964a4b45

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
337KB

MD5
f663d0bd78363c2ac675431a49d3664a

SHA1
c75e77a0d97a64727c3cb5bcb3f8237258295409

SHA256
e741a45843558e956dfc7c852f3b01909f87de8b4d51652e010204c166cf8ed5

SHA512
8c6e60f1b2e21daa72650b456ab84d48fc387d507549349de2c7b237692438a3b7cd05e1379187a5143ca28761ee9ef24f6181ec5784faf36bab12ea964a4b45

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
337KB

MD5
f663d0bd78363c2ac675431a49d3664a

SHA1
c75e77a0d97a64727c3cb5bcb3f8237258295409

SHA256
e741a45843558e956dfc7c852f3b01909f87de8b4d51652e010204c166cf8ed5

SHA512
8c6e60f1b2e21daa72650b456ab84d48fc387d507549349de2c7b237692438a3b7cd05e1379187a5143ca28761ee9ef24f6181ec5784faf36bab12ea964a4b45

Download Submit
C:\Windows\SysWOW64\Egjpkffe.exe

Filesize
337KB

MD5
9557420c0e41e171f862fbc79c8e8a41

SHA1
94d8570fc8aa331e30458c7a6b2cd349452c88e1

SHA256
6744a5c63f7687f2be4abccbfffe51d149d1858aba57173ce2a3c7cfb423e757

SHA512
99e09b7386073f936fd60a6e9beb0171e2f92a26ee12f16c264bc6cccc72118fd67e9fad2ca50eff21f5c7ab5041dc22de2e79a97da036c01868b085f94c083b

Download Submit
C:\Windows\SysWOW64\Egjpkffe.exe

Filesize
337KB

MD5
9557420c0e41e171f862fbc79c8e8a41

SHA1
94d8570fc8aa331e30458c7a6b2cd349452c88e1

SHA256
6744a5c63f7687f2be4abccbfffe51d149d1858aba57173ce2a3c7cfb423e757

SHA512
99e09b7386073f936fd60a6e9beb0171e2f92a26ee12f16c264bc6cccc72118fd67e9fad2ca50eff21f5c7ab5041dc22de2e79a97da036c01868b085f94c083b

Download Submit
C:\Windows\SysWOW64\Egjpkffe.exe

Filesize
337KB

MD5
9557420c0e41e171f862fbc79c8e8a41

SHA1
94d8570fc8aa331e30458c7a6b2cd349452c88e1

SHA256
6744a5c63f7687f2be4abccbfffe51d149d1858aba57173ce2a3c7cfb423e757

SHA512
99e09b7386073f936fd60a6e9beb0171e2f92a26ee12f16c264bc6cccc72118fd67e9fad2ca50eff21f5c7ab5041dc22de2e79a97da036c01868b085f94c083b

Download Submit
C:\Windows\SysWOW64\Ejkima32.exe

Filesize
337KB

MD5
2ad4d7c20968f19dfbd929c32af37fce

SHA1
957ded56f87a390e9b1cb6c67b82c7e1b679d22f

SHA256
933baec29673c6b4e80ac5f2fb06cb3b4ef0a6e22ba87bb8cd7c4c96d3d8612f

SHA512
9a8df6e51ca9ea1a7f0f3097f2c3324437aa523acc37bdf308c3b53db94b06c7587dcb8c79bd27fc48d31735e3503545940ab688ae770a40cc7faccae9e1cd4d

Download Submit
C:\Windows\SysWOW64\Ejkima32.exe

Filesize
337KB

MD5
2ad4d7c20968f19dfbd929c32af37fce

SHA1
957ded56f87a390e9b1cb6c67b82c7e1b679d22f

SHA256
933baec29673c6b4e80ac5f2fb06cb3b4ef0a6e22ba87bb8cd7c4c96d3d8612f

SHA512
9a8df6e51ca9ea1a7f0f3097f2c3324437aa523acc37bdf308c3b53db94b06c7587dcb8c79bd27fc48d31735e3503545940ab688ae770a40cc7faccae9e1cd4d

Download Submit
C:\Windows\SysWOW64\Ejkima32.exe

Filesize
337KB

MD5
2ad4d7c20968f19dfbd929c32af37fce

SHA1
957ded56f87a390e9b1cb6c67b82c7e1b679d22f

SHA256
933baec29673c6b4e80ac5f2fb06cb3b4ef0a6e22ba87bb8cd7c4c96d3d8612f

SHA512
9a8df6e51ca9ea1a7f0f3097f2c3324437aa523acc37bdf308c3b53db94b06c7587dcb8c79bd27fc48d31735e3503545940ab688ae770a40cc7faccae9e1cd4d

Download Submit
C:\Windows\SysWOW64\Enakbp32.exe

Filesize
337KB

MD5
ffcd4e364264811362bd619eda7b73ff

SHA1
d7312c54bcf0871cca3d2e97d614ecd8661200e2

SHA256
054d7ba1cf92f5d0723e70d1a0507d59526d9dfa26568e523ef947b92ca3f7bf

SHA512
06b71b3ecd4b01b8b737dbb45ac2b7ff76f2647a29cfae19767d75916ae300af560a0f5bbf2095bfe2a3df14e07d3fc47b83abd560c4486185c7b2e2dad8344a

Download Submit
C:\Windows\SysWOW64\Enakbp32.exe

Filesize
337KB

MD5
ffcd4e364264811362bd619eda7b73ff

SHA1
d7312c54bcf0871cca3d2e97d614ecd8661200e2

SHA256
054d7ba1cf92f5d0723e70d1a0507d59526d9dfa26568e523ef947b92ca3f7bf

SHA512
06b71b3ecd4b01b8b737dbb45ac2b7ff76f2647a29cfae19767d75916ae300af560a0f5bbf2095bfe2a3df14e07d3fc47b83abd560c4486185c7b2e2dad8344a

Download Submit
C:\Windows\SysWOW64\Enakbp32.exe

Filesize
337KB

MD5
ffcd4e364264811362bd619eda7b73ff

SHA1
d7312c54bcf0871cca3d2e97d614ecd8661200e2

SHA256
054d7ba1cf92f5d0723e70d1a0507d59526d9dfa26568e523ef947b92ca3f7bf

SHA512
06b71b3ecd4b01b8b737dbb45ac2b7ff76f2647a29cfae19767d75916ae300af560a0f5bbf2095bfe2a3df14e07d3fc47b83abd560c4486185c7b2e2dad8344a

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
337KB

MD5
3f5620351e68ebe87778b7063a2ec74d

SHA1
0128db5e72f0e4005e98e169333110c3c0e39cf2

SHA256
12513c3cb8d8361cdd266d1f85947849b86e37804a2f6f32eccd47d8add68754

SHA512
20301db684bcc18c62b5b7712e0074eb32c2424b349c8f458dad8eeb86ea89b99a2389dd6202a0a6b4501dbe971fc274aed45f87141c1f92a394d7676d5d6ff7

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
337KB

MD5
3f5620351e68ebe87778b7063a2ec74d

SHA1
0128db5e72f0e4005e98e169333110c3c0e39cf2

SHA256
12513c3cb8d8361cdd266d1f85947849b86e37804a2f6f32eccd47d8add68754

SHA512
20301db684bcc18c62b5b7712e0074eb32c2424b349c8f458dad8eeb86ea89b99a2389dd6202a0a6b4501dbe971fc274aed45f87141c1f92a394d7676d5d6ff7

Download Submit
\Windows\SysWOW64\Cjdfmo32.exe

Filesize
337KB

MD5
8b01a363f14e546608bbc8e0268abae7

SHA1
dcd9ab722fd7b1361abc337280217fd3a56d9d59

SHA256
7c332e714b0e694b4ab92f6e035401ea600199317ecdb340f104d5c0c01fa409

SHA512
768a28169d1f8ec5afae01bf14b25d8884aa5d2505629d9e48386407b35a456bf0b5916d9ce416df3ee099e1df688dd5a56a6b52605bd1c28c49a674d2018524

Download Submit
\Windows\SysWOW64\Cjdfmo32.exe

Filesize
337KB

MD5
8b01a363f14e546608bbc8e0268abae7

SHA1
dcd9ab722fd7b1361abc337280217fd3a56d9d59

SHA256
7c332e714b0e694b4ab92f6e035401ea600199317ecdb340f104d5c0c01fa409

SHA512
768a28169d1f8ec5afae01bf14b25d8884aa5d2505629d9e48386407b35a456bf0b5916d9ce416df3ee099e1df688dd5a56a6b52605bd1c28c49a674d2018524

Download Submit
\Windows\SysWOW64\Cldooj32.exe

Filesize
337KB

MD5
d86d631b4e765f12e710e36d63eb84e3

SHA1
690562755d4d0b30121b2d06402512f1d30a1b11

SHA256
680ef900724b45f0ecf7f3a4ea73cc69f33816c4a5504cdea8adfd7cb004747e

SHA512
d96ffeac1b81ff93a5781bbe819091c0bd8230f62ba3abb91967c25f2ddff101d3105c531061326461d070cf7f6d1aa15857c4305e64025ae578245e2bec7232

Download Submit
\Windows\SysWOW64\Cldooj32.exe

Filesize
337KB

MD5
d86d631b4e765f12e710e36d63eb84e3

SHA1
690562755d4d0b30121b2d06402512f1d30a1b11

SHA256
680ef900724b45f0ecf7f3a4ea73cc69f33816c4a5504cdea8adfd7cb004747e

SHA512
d96ffeac1b81ff93a5781bbe819091c0bd8230f62ba3abb91967c25f2ddff101d3105c531061326461d070cf7f6d1aa15857c4305e64025ae578245e2bec7232

Download Submit
\Windows\SysWOW64\Dcadac32.exe

Filesize
337KB

MD5
f553d81675c90010901460fc098c42fd

SHA1
d260c09b051e1fec24c15ec160d4df9a8bdcfba5

SHA256
aaa18fc842475e8c990b3f726cec0a60d9b224fe6ba6273e2e8a1ab02db256fd

SHA512
b7b043ab851486e3a1f2d5c53fe8091254692bda4b8aba1ecbe1fe49519cce2ea2db2aa0f7bbc7c10285ad766849e9953e74c6a40d8d4efa191e6bccb73176b6

Download Submit
\Windows\SysWOW64\Dcadac32.exe

Filesize
337KB

MD5
f553d81675c90010901460fc098c42fd

SHA1
d260c09b051e1fec24c15ec160d4df9a8bdcfba5

SHA256
aaa18fc842475e8c990b3f726cec0a60d9b224fe6ba6273e2e8a1ab02db256fd

SHA512
b7b043ab851486e3a1f2d5c53fe8091254692bda4b8aba1ecbe1fe49519cce2ea2db2aa0f7bbc7c10285ad766849e9953e74c6a40d8d4efa191e6bccb73176b6

Download Submit
\Windows\SysWOW64\Dcenlceh.exe

Filesize
337KB

MD5
03158b3cd7871aa8393a9d3a2b22fe08

SHA1
5d85579c9f380c55bf8b9aef0f7943e5a95f85d6

SHA256
9b6ab4613a1e82db2e2263eb8726ec85873c02ef4be2b45c6dec8686b22f0036

SHA512
e988eeca0f8baa0131b08b72f13e32d7f81f565afafa6ac6ee60344b0981c14fcf1a932bb8cdacbface47370f827d47094d468f0a478db95d222e41e875b1caa

Download Submit
\Windows\SysWOW64\Dcenlceh.exe

Filesize
337KB

MD5
03158b3cd7871aa8393a9d3a2b22fe08

SHA1
5d85579c9f380c55bf8b9aef0f7943e5a95f85d6

SHA256
9b6ab4613a1e82db2e2263eb8726ec85873c02ef4be2b45c6dec8686b22f0036

SHA512
e988eeca0f8baa0131b08b72f13e32d7f81f565afafa6ac6ee60344b0981c14fcf1a932bb8cdacbface47370f827d47094d468f0a478db95d222e41e875b1caa

Download Submit
\Windows\SysWOW64\Djhphncm.exe

Filesize
337KB

MD5
6c73583e138e9010be87709012d974ae

SHA1
354923deb7aa4ecdcc0e113a2be62d97d946e6db

SHA256
957ff78223eceb0191ceaefd124d19cba6343d18c7f8715242352d350932ad1e

SHA512
09124a82010c2054613fd11587bf1b1ae9229b9dbbdd1f51bea27cd896a2ea36efa30cb33f4f95e4cde06f197c37e488f5c2e1adac5bd8dec48e6d55f0a8fe97

Download Submit
\Windows\SysWOW64\Djhphncm.exe

Filesize
337KB

MD5
6c73583e138e9010be87709012d974ae

SHA1
354923deb7aa4ecdcc0e113a2be62d97d946e6db

SHA256
957ff78223eceb0191ceaefd124d19cba6343d18c7f8715242352d350932ad1e

SHA512
09124a82010c2054613fd11587bf1b1ae9229b9dbbdd1f51bea27cd896a2ea36efa30cb33f4f95e4cde06f197c37e488f5c2e1adac5bd8dec48e6d55f0a8fe97

Download Submit
\Windows\SysWOW64\Dolnad32.exe

Filesize
337KB

MD5
9166bbff8d50ad88281ca72b04747a6f

SHA1
b0782f3adf0c5bae603b791862055094743926db

SHA256
7117835e607cc4a2b80a95eb0c0cb5c14775ffe77c76f584b3c2620e853c6c80

SHA512
4eb2280d702b2974ce5c35e3c55e73a160278a5c53b3c44fc14e69267d95cec44e351f41cf959f2bf7295e3ec04c587a5d8db15a4b1432e7d41b53231bedbee5

Download Submit
\Windows\SysWOW64\Dolnad32.exe

Filesize
337KB

MD5
9166bbff8d50ad88281ca72b04747a6f

SHA1
b0782f3adf0c5bae603b791862055094743926db

SHA256
7117835e607cc4a2b80a95eb0c0cb5c14775ffe77c76f584b3c2620e853c6c80

SHA512
4eb2280d702b2974ce5c35e3c55e73a160278a5c53b3c44fc14e69267d95cec44e351f41cf959f2bf7295e3ec04c587a5d8db15a4b1432e7d41b53231bedbee5

Download Submit
\Windows\SysWOW64\Echfaf32.exe

Filesize
337KB

MD5
a01f4cfdc9fb26113440eb938dcf65b5

SHA1
0236b46789af0017d3161b7b03c86dbc54880bf0

SHA256
a7eebe853f823cebaf7801bc37b2df3b5de7bbadd6b185e1b7fc8bfccc97d601

SHA512
010ed323599e03671213199048df4939410d4c90b633c043cc57b8a9ed20dea41b791b9d01992b87b8aaf8065f70f61bca654e93f1222547ecc17b9a2faab9d6

Download Submit
\Windows\SysWOW64\Echfaf32.exe

Filesize
337KB

MD5
a01f4cfdc9fb26113440eb938dcf65b5

SHA1
0236b46789af0017d3161b7b03c86dbc54880bf0

SHA256
a7eebe853f823cebaf7801bc37b2df3b5de7bbadd6b185e1b7fc8bfccc97d601

SHA512
010ed323599e03671213199048df4939410d4c90b633c043cc57b8a9ed20dea41b791b9d01992b87b8aaf8065f70f61bca654e93f1222547ecc17b9a2faab9d6

Download Submit
\Windows\SysWOW64\Efaibbij.exe

Filesize
337KB

MD5
f663d0bd78363c2ac675431a49d3664a

SHA1
c75e77a0d97a64727c3cb5bcb3f8237258295409

SHA256
e741a45843558e956dfc7c852f3b01909f87de8b4d51652e010204c166cf8ed5

SHA512
8c6e60f1b2e21daa72650b456ab84d48fc387d507549349de2c7b237692438a3b7cd05e1379187a5143ca28761ee9ef24f6181ec5784faf36bab12ea964a4b45

Download Submit
\Windows\SysWOW64\Efaibbij.exe

Filesize
337KB

MD5
f663d0bd78363c2ac675431a49d3664a

SHA1
c75e77a0d97a64727c3cb5bcb3f8237258295409

SHA256
e741a45843558e956dfc7c852f3b01909f87de8b4d51652e010204c166cf8ed5

SHA512
8c6e60f1b2e21daa72650b456ab84d48fc387d507549349de2c7b237692438a3b7cd05e1379187a5143ca28761ee9ef24f6181ec5784faf36bab12ea964a4b45

Download Submit
\Windows\SysWOW64\Egjpkffe.exe

Filesize
337KB

MD5
9557420c0e41e171f862fbc79c8e8a41

SHA1
94d8570fc8aa331e30458c7a6b2cd349452c88e1

SHA256
6744a5c63f7687f2be4abccbfffe51d149d1858aba57173ce2a3c7cfb423e757

SHA512
99e09b7386073f936fd60a6e9beb0171e2f92a26ee12f16c264bc6cccc72118fd67e9fad2ca50eff21f5c7ab5041dc22de2e79a97da036c01868b085f94c083b

Download Submit
\Windows\SysWOW64\Egjpkffe.exe

Filesize
337KB

MD5
9557420c0e41e171f862fbc79c8e8a41

SHA1
94d8570fc8aa331e30458c7a6b2cd349452c88e1

SHA256
6744a5c63f7687f2be4abccbfffe51d149d1858aba57173ce2a3c7cfb423e757

SHA512
99e09b7386073f936fd60a6e9beb0171e2f92a26ee12f16c264bc6cccc72118fd67e9fad2ca50eff21f5c7ab5041dc22de2e79a97da036c01868b085f94c083b

Download Submit
\Windows\SysWOW64\Ejkima32.exe

Filesize
337KB

MD5
2ad4d7c20968f19dfbd929c32af37fce

SHA1
957ded56f87a390e9b1cb6c67b82c7e1b679d22f

SHA256
933baec29673c6b4e80ac5f2fb06cb3b4ef0a6e22ba87bb8cd7c4c96d3d8612f

SHA512
9a8df6e51ca9ea1a7f0f3097f2c3324437aa523acc37bdf308c3b53db94b06c7587dcb8c79bd27fc48d31735e3503545940ab688ae770a40cc7faccae9e1cd4d

Download Submit
\Windows\SysWOW64\Ejkima32.exe

Filesize
337KB

MD5
2ad4d7c20968f19dfbd929c32af37fce

SHA1
957ded56f87a390e9b1cb6c67b82c7e1b679d22f

SHA256
933baec29673c6b4e80ac5f2fb06cb3b4ef0a6e22ba87bb8cd7c4c96d3d8612f

SHA512
9a8df6e51ca9ea1a7f0f3097f2c3324437aa523acc37bdf308c3b53db94b06c7587dcb8c79bd27fc48d31735e3503545940ab688ae770a40cc7faccae9e1cd4d

Download Submit
\Windows\SysWOW64\Enakbp32.exe

Filesize
337KB

MD5
ffcd4e364264811362bd619eda7b73ff

SHA1
d7312c54bcf0871cca3d2e97d614ecd8661200e2

SHA256
054d7ba1cf92f5d0723e70d1a0507d59526d9dfa26568e523ef947b92ca3f7bf

SHA512
06b71b3ecd4b01b8b737dbb45ac2b7ff76f2647a29cfae19767d75916ae300af560a0f5bbf2095bfe2a3df14e07d3fc47b83abd560c4486185c7b2e2dad8344a

Download Submit
\Windows\SysWOW64\Enakbp32.exe

Filesize
337KB

MD5
ffcd4e364264811362bd619eda7b73ff

SHA1
d7312c54bcf0871cca3d2e97d614ecd8661200e2

SHA256
054d7ba1cf92f5d0723e70d1a0507d59526d9dfa26568e523ef947b92ca3f7bf

SHA512
06b71b3ecd4b01b8b737dbb45ac2b7ff76f2647a29cfae19767d75916ae300af560a0f5bbf2095bfe2a3df14e07d3fc47b83abd560c4486185c7b2e2dad8344a

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
337KB

MD5
3f5620351e68ebe87778b7063a2ec74d

SHA1
0128db5e72f0e4005e98e169333110c3c0e39cf2

SHA256
12513c3cb8d8361cdd266d1f85947849b86e37804a2f6f32eccd47d8add68754

SHA512
20301db684bcc18c62b5b7712e0074eb32c2424b349c8f458dad8eeb86ea89b99a2389dd6202a0a6b4501dbe971fc274aed45f87141c1f92a394d7676d5d6ff7

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
337KB

MD5
3f5620351e68ebe87778b7063a2ec74d

SHA1
0128db5e72f0e4005e98e169333110c3c0e39cf2

SHA256
12513c3cb8d8361cdd266d1f85947849b86e37804a2f6f32eccd47d8add68754

SHA512
20301db684bcc18c62b5b7712e0074eb32c2424b349c8f458dad8eeb86ea89b99a2389dd6202a0a6b4501dbe971fc274aed45f87141c1f92a394d7676d5d6ff7

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
337KB

MD5
3f5620351e68ebe87778b7063a2ec74d

SHA1
0128db5e72f0e4005e98e169333110c3c0e39cf2

SHA256
12513c3cb8d8361cdd266d1f85947849b86e37804a2f6f32eccd47d8add68754

SHA512
20301db684bcc18c62b5b7712e0074eb32c2424b349c8f458dad8eeb86ea89b99a2389dd6202a0a6b4501dbe971fc274aed45f87141c1f92a394d7676d5d6ff7

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
337KB

MD5
3f5620351e68ebe87778b7063a2ec74d

SHA1
0128db5e72f0e4005e98e169333110c3c0e39cf2

SHA256
12513c3cb8d8361cdd266d1f85947849b86e37804a2f6f32eccd47d8add68754

SHA512
20301db684bcc18c62b5b7712e0074eb32c2424b349c8f458dad8eeb86ea89b99a2389dd6202a0a6b4501dbe971fc274aed45f87141c1f92a394d7676d5d6ff7

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
337KB

MD5
3f5620351e68ebe87778b7063a2ec74d

SHA1
0128db5e72f0e4005e98e169333110c3c0e39cf2

SHA256
12513c3cb8d8361cdd266d1f85947849b86e37804a2f6f32eccd47d8add68754

SHA512
20301db684bcc18c62b5b7712e0074eb32c2424b349c8f458dad8eeb86ea89b99a2389dd6202a0a6b4501dbe971fc274aed45f87141c1f92a394d7676d5d6ff7

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
337KB

MD5
3f5620351e68ebe87778b7063a2ec74d

SHA1
0128db5e72f0e4005e98e169333110c3c0e39cf2

SHA256
12513c3cb8d8361cdd266d1f85947849b86e37804a2f6f32eccd47d8add68754

SHA512
20301db684bcc18c62b5b7712e0074eb32c2424b349c8f458dad8eeb86ea89b99a2389dd6202a0a6b4501dbe971fc274aed45f87141c1f92a394d7676d5d6ff7

Download Submit
memory/296-129-0x0000000001C10000-0x0000000001C8F000-memory.dmp

Filesize
508KB

Download
memory/296-220-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/296-160-0x0000000001C10000-0x0000000001C8F000-memory.dmp

Filesize
508KB

Download
memory/296-122-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-159-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/700-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/700-224-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/700-158-0x0000000000220000-0x000000000029F000-memory.dmp

Filesize
508KB

Download
memory/1256-214-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-156-0x0000000000230000-0x00000000002AF000-memory.dmp

Filesize
508KB

Download
memory/2212-222-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-161-0x0000000000230000-0x00000000002AF000-memory.dmp

Filesize
508KB

Download
memory/2600-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-207-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2628-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2628-12-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/2628-6-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/2628-197-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2688-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2688-199-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2700-203-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2700-51-0x0000000000480000-0x00000000004FF000-memory.dmp

Filesize
508KB

Download
memory/2700-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2708-205-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2860-216-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2860-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2860-98-0x00000000004F0000-0x000000000056F000-memory.dmp

Filesize
508KB

Download
memory/2944-201-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3000-218-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3000-117-0x0000000000220000-0x000000000029F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads