542e413b452dcb4d55eafec917e6e54481f4b6778b729636e45990f42d8755bc

Analysis

max time kernel
137s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2023 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
Size

64KB
MD5

cd3e089c5bcf80239cb44283acdd7d90
SHA1

366154cf927b2a7a3ced977564f07c38af92a83e
SHA256

542e413b452dcb4d55eafec917e6e54481f4b6778b729636e45990f42d8755bc
SHA512

9a11b433b93fd5aca4f122472ff35ec810d2ea6d3b92f7fe199b53081f4546afc8843325e7b648cb5c109f0d8feb40417a3bcb1d27c48e84dce0a6df6dfd4b3f
SSDEEP

1536:+6iPPfvZUfEZFPpUkF9cq459knql2LXrDWBi:tinZUfEjPPib9i/X2Bi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adcjop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppolhcnm.exe

Executes dropped EXE 19 IoCs

pid	Process
4748	Ppolhcnm.exe
3540	Qdoacabq.exe
1768	Ahmjjoig.exe
3444	Adcjop32.exe
544	Ahaceo32.exe
1028	Apmhiq32.exe
4336	Aaoaic32.exe
1468	Baannc32.exe
4932	Bphgeo32.exe
3296	Bnlhncgi.exe
4448	Bkphhgfc.exe
3068	Chdialdl.exe
4964	Cammjakm.exe
3916	Coqncejg.exe
4104	Caageq32.exe
2624	Cnhgjaml.exe
3184	Cgqlcg32.exe
3812	Dhphmj32.exe
1752	Dkqaoe32.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhphmj32.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Occmjg32.dll	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Aaoaic32.exe	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Baannc32.exe	Aaoaic32.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Chdialdl.exe
File created	C:\Windows\SysWOW64\Hbobifpp.dll	Cammjakm.exe
File opened for modification	C:\Windows\SysWOW64\Ppolhcnm.exe	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
File created	C:\Windows\SysWOW64\Ahmjjoig.exe	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Aaoaic32.exe	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Qdoacabq.exe	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Mfgomdnj.dll	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Phlepppi.dll	Apmhiq32.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Coqncejg.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Apmhiq32.exe	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	Ppolhcnm.exe
File opened for modification	C:\Windows\SysWOW64\Ahmjjoig.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Kioghlbd.dll	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Ahaceo32.exe	Adcjop32.exe
File created	C:\Windows\SysWOW64\Bphgeo32.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Coqncejg.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Aaoaic32.exe
File opened for modification	C:\Windows\SysWOW64\Bnlhncgi.exe	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bphgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Bkphhgfc.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Coqncejg.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Gjecbd32.dll	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Ppolhcnm.exe	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
File opened for modification	C:\Windows\SysWOW64\Coqncejg.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Bhqndghj.dll	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Chdialdl.exe
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Cgqlcg32.exe
File opened for modification	C:\Windows\SysWOW64\Adcjop32.exe	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Adcjop32.exe
File created	C:\Windows\SysWOW64\Dnkdmlfj.dll	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Bphgeo32.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Chdialdl.exe	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Bkphhgfc.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Hgncclck.dll	Caageq32.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Coqncejg.exe
File opened for modification	C:\Windows\SysWOW64\Baannc32.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Cammjakm.exe	Chdialdl.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Cnhgjaml.exe	Caageq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
640	1752	WerFault.exe	109

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chdialdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occmjg32.dll"	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caageq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll"	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll"	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Cnhgjaml.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 4748	548	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe	91
PID 548 wrote to memory of 4748	548	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe	91
PID 548 wrote to memory of 4748	548	NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe	91
PID 4748 wrote to memory of 3540	4748	Ppolhcnm.exe	92
PID 4748 wrote to memory of 3540	4748	Ppolhcnm.exe	92
PID 4748 wrote to memory of 3540	4748	Ppolhcnm.exe	92
PID 3540 wrote to memory of 1768	3540	Qdoacabq.exe	93
PID 3540 wrote to memory of 1768	3540	Qdoacabq.exe	93
PID 3540 wrote to memory of 1768	3540	Qdoacabq.exe	93
PID 1768 wrote to memory of 3444	1768	Ahmjjoig.exe	94
PID 1768 wrote to memory of 3444	1768	Ahmjjoig.exe	94
PID 1768 wrote to memory of 3444	1768	Ahmjjoig.exe	94
PID 3444 wrote to memory of 544	3444	Adcjop32.exe	95
PID 3444 wrote to memory of 544	3444	Adcjop32.exe	95
PID 3444 wrote to memory of 544	3444	Adcjop32.exe	95
PID 544 wrote to memory of 1028	544	Ahaceo32.exe	96
PID 544 wrote to memory of 1028	544	Ahaceo32.exe	96
PID 544 wrote to memory of 1028	544	Ahaceo32.exe	96
PID 1028 wrote to memory of 4336	1028	Apmhiq32.exe	97
PID 1028 wrote to memory of 4336	1028	Apmhiq32.exe	97
PID 1028 wrote to memory of 4336	1028	Apmhiq32.exe	97
PID 4336 wrote to memory of 1468	4336	Aaoaic32.exe	98
PID 4336 wrote to memory of 1468	4336	Aaoaic32.exe	98
PID 4336 wrote to memory of 1468	4336	Aaoaic32.exe	98
PID 1468 wrote to memory of 4932	1468	Baannc32.exe	99
PID 1468 wrote to memory of 4932	1468	Baannc32.exe	99
PID 1468 wrote to memory of 4932	1468	Baannc32.exe	99
PID 4932 wrote to memory of 3296	4932	Bphgeo32.exe	100
PID 4932 wrote to memory of 3296	4932	Bphgeo32.exe	100
PID 4932 wrote to memory of 3296	4932	Bphgeo32.exe	100
PID 3296 wrote to memory of 4448	3296	Bnlhncgi.exe	101
PID 3296 wrote to memory of 4448	3296	Bnlhncgi.exe	101
PID 3296 wrote to memory of 4448	3296	Bnlhncgi.exe	101
PID 4448 wrote to memory of 3068	4448	Bkphhgfc.exe	102
PID 4448 wrote to memory of 3068	4448	Bkphhgfc.exe	102
PID 4448 wrote to memory of 3068	4448	Bkphhgfc.exe	102
PID 3068 wrote to memory of 4964	3068	Chdialdl.exe	103
PID 3068 wrote to memory of 4964	3068	Chdialdl.exe	103
PID 3068 wrote to memory of 4964	3068	Chdialdl.exe	103
PID 4964 wrote to memory of 3916	4964	Cammjakm.exe	104
PID 4964 wrote to memory of 3916	4964	Cammjakm.exe	104
PID 4964 wrote to memory of 3916	4964	Cammjakm.exe	104
PID 3916 wrote to memory of 4104	3916	Coqncejg.exe	105
PID 3916 wrote to memory of 4104	3916	Coqncejg.exe	105
PID 3916 wrote to memory of 4104	3916	Coqncejg.exe	105
PID 4104 wrote to memory of 2624	4104	Caageq32.exe	106
PID 4104 wrote to memory of 2624	4104	Caageq32.exe	106
PID 4104 wrote to memory of 2624	4104	Caageq32.exe	106
PID 2624 wrote to memory of 3184	2624	Cnhgjaml.exe	107
PID 2624 wrote to memory of 3184	2624	Cnhgjaml.exe	107
PID 2624 wrote to memory of 3184	2624	Cnhgjaml.exe	107
PID 3184 wrote to memory of 3812	3184	Cgqlcg32.exe	108
PID 3184 wrote to memory of 3812	3184	Cgqlcg32.exe	108
PID 3184 wrote to memory of 3812	3184	Cgqlcg32.exe	108
PID 3812 wrote to memory of 1752	3812	Dhphmj32.exe	109
PID 3812 wrote to memory of 1752	3812	Dhphmj32.exe	109
PID 3812 wrote to memory of 1752	3812	Dhphmj32.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cd3e089c5bcf80239cb44283acdd7d90.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\SysWOW64\Ppolhcnm.exe
  C:\Windows\system32\Ppolhcnm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\SysWOW64\Qdoacabq.exe
    C:\Windows\system32\Qdoacabq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\Ahmjjoig.exe
      C:\Windows\system32\Ahmjjoig.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
      - C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        20⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 400
        21⤵
        Program crash
        
        PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1752 -ip 1752
1⤵
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
64KB

MD5
52c81dbfeb12a5ba89ddcb0f33606c61

SHA1
611ae88eaad8a957935ce152e3f3297b5b3f555f

SHA256
cc3dde43f7a14f264d5d9779d2c977e2f6f3b081b4f65863d3184fbecaadd036

SHA512
90055864dbf90d32e232fef4a7ff41a402cbea7e3f047d7518c9f589ee8bb3a981bf1b05b256f4ffabe8f7501a8a9432dcf3fc67024074fa2ab24177c46b94ca

Download Submit
C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
64KB

MD5
52c81dbfeb12a5ba89ddcb0f33606c61

SHA1
611ae88eaad8a957935ce152e3f3297b5b3f555f

SHA256
cc3dde43f7a14f264d5d9779d2c977e2f6f3b081b4f65863d3184fbecaadd036

SHA512
90055864dbf90d32e232fef4a7ff41a402cbea7e3f047d7518c9f589ee8bb3a981bf1b05b256f4ffabe8f7501a8a9432dcf3fc67024074fa2ab24177c46b94ca

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
64KB

MD5
c2b224a200d7a8fc3f2de9b232ca9921

SHA1
2aa98d98f62d4e24227f9eeae0d531ca791279a9

SHA256
9f83afa3a90bf46a58c942d618cb93cc297c10afbcf3541bef7d95c64f4b9762

SHA512
2a417428d53535148027e343fd8d0c647d805672a7f9f67106a5cf3c673f0c483d0bc482007c42692db7a0d8915273eb904b8694adcc8fc93f83db7c88ff6ba1

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
64KB

MD5
c2b224a200d7a8fc3f2de9b232ca9921

SHA1
2aa98d98f62d4e24227f9eeae0d531ca791279a9

SHA256
9f83afa3a90bf46a58c942d618cb93cc297c10afbcf3541bef7d95c64f4b9762

SHA512
2a417428d53535148027e343fd8d0c647d805672a7f9f67106a5cf3c673f0c483d0bc482007c42692db7a0d8915273eb904b8694adcc8fc93f83db7c88ff6ba1

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
64KB

MD5
1ad04705c91838677331ebd254ab1a3d

SHA1
bb58028930ca7a6b792e12504b9df764376cc83a

SHA256
f2953c4bc28982f95c25415fb5683f9c6c2281381d1e7e20ec25d626fec57cdb

SHA512
40d6c45faa857c94132cfd6fa852613aa4ec54f50ff94c3eafa75f75e33a1cb3bdac7e1136f35ea6f065290334e3d4294481e08d25fcb1cd18ad01af495ad2f4

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
64KB

MD5
1ad04705c91838677331ebd254ab1a3d

SHA1
bb58028930ca7a6b792e12504b9df764376cc83a

SHA256
f2953c4bc28982f95c25415fb5683f9c6c2281381d1e7e20ec25d626fec57cdb

SHA512
40d6c45faa857c94132cfd6fa852613aa4ec54f50ff94c3eafa75f75e33a1cb3bdac7e1136f35ea6f065290334e3d4294481e08d25fcb1cd18ad01af495ad2f4

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
64KB

MD5
078063d57ca4134853ca87fa7bfe7731

SHA1
22f05beffc502bc00b41e43bf3e9e91ae8bb7ca3

SHA256
f2c699493eaa275f4800bf9f2aa0fbd8cfb5afb5e5c727e792c1f4b1c0c99d44

SHA512
0cdc12cb45d8036a65d3ac64872f1593c628387bfe862381673dbd4d12af039bb9e757847aa19e050f8ce8eabf17e10e7ab4f2f8e985256c13ac528f9b5d364a

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
64KB

MD5
bc12ec3ded4a93b4b7709a90299b9dde

SHA1
9fa936e4ba9d5be7f2e19a0a19ae2a3443a09466

SHA256
3b0e2dc2de501a4ce2b211cbc5ef25607248049b38505fc38f627fe0ccf3c045

SHA512
fa3aca61e5af5a8a8b286c1d77588661c529ee7cc1c27539f5111f442eeb32cc92e2b7d068780ddc9a6ee1c406369e3d77e1161e5718e5961d3fffcb101edbdc

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
64KB

MD5
bc12ec3ded4a93b4b7709a90299b9dde

SHA1
9fa936e4ba9d5be7f2e19a0a19ae2a3443a09466

SHA256
3b0e2dc2de501a4ce2b211cbc5ef25607248049b38505fc38f627fe0ccf3c045

SHA512
fa3aca61e5af5a8a8b286c1d77588661c529ee7cc1c27539f5111f442eeb32cc92e2b7d068780ddc9a6ee1c406369e3d77e1161e5718e5961d3fffcb101edbdc

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
64KB

MD5
e98f6791255728a31760aab9e35c1b94

SHA1
2ba02cc0906683a95527390f9e736bc9d7b95ffd

SHA256
a931ffffb91383cae6d97a62484b3c97bb76367263fe9e193e3ed3b6d9c243f6

SHA512
ff0d91b111b7d1f65c0858c89e52a355c7c9575e5295be5ca1a1667dd23a52ebe1e92ed4ed5f52f07214d82f2d138da8156df0a103318db464ec58583d1a294a

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
64KB

MD5
e98f6791255728a31760aab9e35c1b94

SHA1
2ba02cc0906683a95527390f9e736bc9d7b95ffd

SHA256
a931ffffb91383cae6d97a62484b3c97bb76367263fe9e193e3ed3b6d9c243f6

SHA512
ff0d91b111b7d1f65c0858c89e52a355c7c9575e5295be5ca1a1667dd23a52ebe1e92ed4ed5f52f07214d82f2d138da8156df0a103318db464ec58583d1a294a

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
64KB

MD5
a48dcc829b32875f8c1d99eb365d9c56

SHA1
cc5c8cd84375ebe0a4beaba2328ca232f667177d

SHA256
38049dcc0d964b589ed173b261b3d3d5e69e8970bc5523a18d73be89a3c96889

SHA512
cfd4853ffa168b742062987611661a7875229adaf788422e3e3bd8584321998c81ca85c7973396fd79d1f12c7412df1dce10d315c7885ec7595c6335adc284d7

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
64KB

MD5
a48dcc829b32875f8c1d99eb365d9c56

SHA1
cc5c8cd84375ebe0a4beaba2328ca232f667177d

SHA256
38049dcc0d964b589ed173b261b3d3d5e69e8970bc5523a18d73be89a3c96889

SHA512
cfd4853ffa168b742062987611661a7875229adaf788422e3e3bd8584321998c81ca85c7973396fd79d1f12c7412df1dce10d315c7885ec7595c6335adc284d7

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
64KB

MD5
bb8b431fc684619f3c935d16220af7a7

SHA1
28f91af58182de1ac98f60981246c623f5e1d0b7

SHA256
fd442fe2ad7c34bba1afdd1f9cc360c282d51a2aaa38defbc266a92f55c21703

SHA512
fa30ac182e0cc8e577c0b8055cdb4d7a13d072cf271ee860d2851b7c49869d74aaa16cb8be86cd203c0a74532249be8c601913c3cdba3f5ea8b2b8b98370d8d7

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
64KB

MD5
bb8b431fc684619f3c935d16220af7a7

SHA1
28f91af58182de1ac98f60981246c623f5e1d0b7

SHA256
fd442fe2ad7c34bba1afdd1f9cc360c282d51a2aaa38defbc266a92f55c21703

SHA512
fa30ac182e0cc8e577c0b8055cdb4d7a13d072cf271ee860d2851b7c49869d74aaa16cb8be86cd203c0a74532249be8c601913c3cdba3f5ea8b2b8b98370d8d7

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
64KB

MD5
277b177484d8673bccd5502c92342485

SHA1
850320e2ceb4f38f5b9e8e2792eb4eae851620a8

SHA256
2d856d1e1ceb625fd10f8f2d4402124ca9c14e5cd8f4cb91992a6cdc31fae021

SHA512
890b0e19b8ab65947f0192edad93aae6a2db0b5e9c8ee72192f1ec5b2746b20729c085281c2bbb6e5a0b5acff8a839b35a189ec6f5ac82e093dd0072f6506e19

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
64KB

MD5
277b177484d8673bccd5502c92342485

SHA1
850320e2ceb4f38f5b9e8e2792eb4eae851620a8

SHA256
2d856d1e1ceb625fd10f8f2d4402124ca9c14e5cd8f4cb91992a6cdc31fae021

SHA512
890b0e19b8ab65947f0192edad93aae6a2db0b5e9c8ee72192f1ec5b2746b20729c085281c2bbb6e5a0b5acff8a839b35a189ec6f5ac82e093dd0072f6506e19

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
64KB

MD5
d1c53eaa9e490feb8a6922d0c4936f5f

SHA1
0db8ede0e0e403fd1b42f64bbb601407fba46baa

SHA256
0126d04d3d5855f87f85fd8bd6009c70c5297ad88b8d6d543e66c2d683b615e7

SHA512
227daec37dca493f4ff0b753f18fe9fcb1561130605be3d47157fb5f395ee68ccd56c20e735bc3c513afa58828e0f4c0db408b634451c679f2a949b935acaa77

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
64KB

MD5
d1c53eaa9e490feb8a6922d0c4936f5f

SHA1
0db8ede0e0e403fd1b42f64bbb601407fba46baa

SHA256
0126d04d3d5855f87f85fd8bd6009c70c5297ad88b8d6d543e66c2d683b615e7

SHA512
227daec37dca493f4ff0b753f18fe9fcb1561130605be3d47157fb5f395ee68ccd56c20e735bc3c513afa58828e0f4c0db408b634451c679f2a949b935acaa77

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
64KB

MD5
619873e7f368a0705ef5974f1dfdc303

SHA1
93f52cc95b201cb692d0cf95cd9cd73635ad7cd6

SHA256
1aff2ef13b53d70b282ec72839bf1167b07ae612cbdbdd49355fcc86647dd12d

SHA512
8d60334e9005c67bb915ff9f84ac9b28e86d44ca48778b7ceaf35be18c2516217541c5f2b3184640ce7f70d72fb299fafef0cab545f71962f54fd92c146c5e89

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
64KB

MD5
619873e7f368a0705ef5974f1dfdc303

SHA1
93f52cc95b201cb692d0cf95cd9cd73635ad7cd6

SHA256
1aff2ef13b53d70b282ec72839bf1167b07ae612cbdbdd49355fcc86647dd12d

SHA512
8d60334e9005c67bb915ff9f84ac9b28e86d44ca48778b7ceaf35be18c2516217541c5f2b3184640ce7f70d72fb299fafef0cab545f71962f54fd92c146c5e89

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
64KB

MD5
619873e7f368a0705ef5974f1dfdc303

SHA1
93f52cc95b201cb692d0cf95cd9cd73635ad7cd6

SHA256
1aff2ef13b53d70b282ec72839bf1167b07ae612cbdbdd49355fcc86647dd12d

SHA512
8d60334e9005c67bb915ff9f84ac9b28e86d44ca48778b7ceaf35be18c2516217541c5f2b3184640ce7f70d72fb299fafef0cab545f71962f54fd92c146c5e89

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
64KB

MD5
b47a68794d33b460a4ca1f5388c80d3e

SHA1
b1106b922206785816137fb9e318273c9caf703e

SHA256
9dd1b66e02851c739f67f8960bfb8d63c6f152bd34d4de5c4dd4b51efd44a49a

SHA512
9d770cb50c8e0d1eac823e7be5f2ce4fb96f3caae93df1f1e9ad31f4c82c10bd44b81dba1c9c97b8321a398fca29247ed455d06207e0c5b4df4fb4971065c4b7

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
64KB

MD5
b47a68794d33b460a4ca1f5388c80d3e

SHA1
b1106b922206785816137fb9e318273c9caf703e

SHA256
9dd1b66e02851c739f67f8960bfb8d63c6f152bd34d4de5c4dd4b51efd44a49a

SHA512
9d770cb50c8e0d1eac823e7be5f2ce4fb96f3caae93df1f1e9ad31f4c82c10bd44b81dba1c9c97b8321a398fca29247ed455d06207e0c5b4df4fb4971065c4b7

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
64KB

MD5
dc929330a2d755b5f0ccf93556aedd79

SHA1
5a0682719e230ddef45d4e45f6ab8c60a9db7860

SHA256
fb48d57b1e7a1feda5738df2da295c45632988a1e9040916204397d61afe45e9

SHA512
060da817730221ed54656464aa549392fbcb9774d7baeb6bf8ddc1d24737c0232709b04cc3a23e6dada2144077bf1c0d6894253d6ce79342ac0d1fa181e2f2c5

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
64KB

MD5
dc929330a2d755b5f0ccf93556aedd79

SHA1
5a0682719e230ddef45d4e45f6ab8c60a9db7860

SHA256
fb48d57b1e7a1feda5738df2da295c45632988a1e9040916204397d61afe45e9

SHA512
060da817730221ed54656464aa549392fbcb9774d7baeb6bf8ddc1d24737c0232709b04cc3a23e6dada2144077bf1c0d6894253d6ce79342ac0d1fa181e2f2c5

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
64KB

MD5
2ad1ee3265af43fe22dc6a75313125fd

SHA1
4b19a9041f0feb7309b28db017463470e0083e21

SHA256
ed5e781f35823a87ae8415d5c4eb2a21465f7a75b9927c8d10331884c0a75d68

SHA512
770dbbba86e380577c78f073a510dc26de4386b7974261cc0512888a03137e9bd2c54c6d8eeb9464e50c37edc43afeef15a7034689c2ab256414743fdafd9e9f

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
64KB

MD5
2ad1ee3265af43fe22dc6a75313125fd

SHA1
4b19a9041f0feb7309b28db017463470e0083e21

SHA256
ed5e781f35823a87ae8415d5c4eb2a21465f7a75b9927c8d10331884c0a75d68

SHA512
770dbbba86e380577c78f073a510dc26de4386b7974261cc0512888a03137e9bd2c54c6d8eeb9464e50c37edc43afeef15a7034689c2ab256414743fdafd9e9f

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
64KB

MD5
657475717ee83b64d3ba2f3fa928d895

SHA1
e67d61a5c1d4aab03775f39860e9201e73ec4fd2

SHA256
e273ba2a53023d1e9c50b455eac81a6a535fbc33a25bf9df81b8ed1105f8721b

SHA512
c11e316691c3e1ef8e16b89a1167de7e86632e90cea433ebf7644593cf090e021b2bb5b42d2a2e125f4f914c0be604aa3a86e531abfa11c2918ec2003b05c5fb

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
64KB

MD5
657475717ee83b64d3ba2f3fa928d895

SHA1
e67d61a5c1d4aab03775f39860e9201e73ec4fd2

SHA256
e273ba2a53023d1e9c50b455eac81a6a535fbc33a25bf9df81b8ed1105f8721b

SHA512
c11e316691c3e1ef8e16b89a1167de7e86632e90cea433ebf7644593cf090e021b2bb5b42d2a2e125f4f914c0be604aa3a86e531abfa11c2918ec2003b05c5fb

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
64KB

MD5
febab87a509d2fcce0237ccd4886be5d

SHA1
71cd78d51d016470dae0f8a1317699fa004f515f

SHA256
6b1588534ef78ec7f1318d31562ad91f3b65582ff405e1627b5c02ed88a27980

SHA512
405b8c108bdb9f5f38e576f5a5d6b481290353f5101a437e2551a05be6db380c68fd0f87baacc3e1bcd563d06136b7dec9030615580e88a98b7c75e3abffce75

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
64KB

MD5
febab87a509d2fcce0237ccd4886be5d

SHA1
71cd78d51d016470dae0f8a1317699fa004f515f

SHA256
6b1588534ef78ec7f1318d31562ad91f3b65582ff405e1627b5c02ed88a27980

SHA512
405b8c108bdb9f5f38e576f5a5d6b481290353f5101a437e2551a05be6db380c68fd0f87baacc3e1bcd563d06136b7dec9030615580e88a98b7c75e3abffce75

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
64KB

MD5
88be4d2417af713fef1d8942f977d1cb

SHA1
23e71ad80a393a30cc1b64c1e3a9e75f427c78c7

SHA256
c98bd85cc9ab098fcf4aac13987f13e84541abfa847ea780f005ef04c01677aa

SHA512
2b48cff113f76c4d631da2c6758833c9e8216cd50cecfc1c2f8ece7f4fb1e152384f2c67539a97104ea55995c54b8757162d203ccbe9b84f9945172cbd40df0e

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
64KB

MD5
88be4d2417af713fef1d8942f977d1cb

SHA1
23e71ad80a393a30cc1b64c1e3a9e75f427c78c7

SHA256
c98bd85cc9ab098fcf4aac13987f13e84541abfa847ea780f005ef04c01677aa

SHA512
2b48cff113f76c4d631da2c6758833c9e8216cd50cecfc1c2f8ece7f4fb1e152384f2c67539a97104ea55995c54b8757162d203ccbe9b84f9945172cbd40df0e

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
64KB

MD5
cb2273bc472f233779d7988675e435b2

SHA1
5ad55e47d4e6dd2bd7e1e457ca41f7fd334961a9

SHA256
12ba7c57aa1dc7d9620ef59822ae5d4586324f573fb7d5ec94591a8f119d6b8c

SHA512
f77a509e2c85e5dcb748fe5702f0b3dc1ce0349c52423aafa0ecdfa11c0c37fac1dd86b18051166996a7f37b62ecd6398064632ed35e010cf318dc39a9586129

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
64KB

MD5
cb2273bc472f233779d7988675e435b2

SHA1
5ad55e47d4e6dd2bd7e1e457ca41f7fd334961a9

SHA256
12ba7c57aa1dc7d9620ef59822ae5d4586324f573fb7d5ec94591a8f119d6b8c

SHA512
f77a509e2c85e5dcb748fe5702f0b3dc1ce0349c52423aafa0ecdfa11c0c37fac1dd86b18051166996a7f37b62ecd6398064632ed35e010cf318dc39a9586129

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
64KB

MD5
cae572217fea906a2322f1542e4a7b17

SHA1
09ce0087636a29739750cbe344cc9a41b6cd94da

SHA256
9e17e589ffaed0f1f59b2233a5a7a92a586f610a62622e46b762d7d23f1f78e8

SHA512
c63f915538f0a2b77d9091bd92598b16b1dc01e05d8fbae79095dabbb44bed702d5374cb446d0cf58a4696dde6156eef579484bd9497aececb2494a2d0396adc

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
64KB

MD5
cae572217fea906a2322f1542e4a7b17

SHA1
09ce0087636a29739750cbe344cc9a41b6cd94da

SHA256
9e17e589ffaed0f1f59b2233a5a7a92a586f610a62622e46b762d7d23f1f78e8

SHA512
c63f915538f0a2b77d9091bd92598b16b1dc01e05d8fbae79095dabbb44bed702d5374cb446d0cf58a4696dde6156eef579484bd9497aececb2494a2d0396adc

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
64KB

MD5
078063d57ca4134853ca87fa7bfe7731

SHA1
22f05beffc502bc00b41e43bf3e9e91ae8bb7ca3

SHA256
f2c699493eaa275f4800bf9f2aa0fbd8cfb5afb5e5c727e792c1f4b1c0c99d44

SHA512
0cdc12cb45d8036a65d3ac64872f1593c628387bfe862381673dbd4d12af039bb9e757847aa19e050f8ce8eabf17e10e7ab4f2f8e985256c13ac528f9b5d364a

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
64KB

MD5
078063d57ca4134853ca87fa7bfe7731

SHA1
22f05beffc502bc00b41e43bf3e9e91ae8bb7ca3

SHA256
f2c699493eaa275f4800bf9f2aa0fbd8cfb5afb5e5c727e792c1f4b1c0c99d44

SHA512
0cdc12cb45d8036a65d3ac64872f1593c628387bfe862381673dbd4d12af039bb9e757847aa19e050f8ce8eabf17e10e7ab4f2f8e985256c13ac528f9b5d364a

Download Submit
memory/544-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads