670c206bb9ae30252a43154ad5fd60ed5a15620b439718b6a38173b74acd4645

Analysis

max time kernel
133s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
Size

275KB
MD5

1b3e1fd72ba875f61006684cf01a03c0
SHA1

3ec6c10b3e5b719fd5bcf059f1c8b221990efb8f
SHA256

670c206bb9ae30252a43154ad5fd60ed5a15620b439718b6a38173b74acd4645
SHA512

2dc0cf57a695f99430a09e8dd63c9b0c65e876f5addcfc3718c2ed9ba520c6cc3b6134e6ee2be431c51fe62c331dacf16e649801ba14bbc0ea2c45584e15e894
SSDEEP

6144:BLeaqKgzL2V4cpC0L4AY7YWT63cpC0L4f:BLAL2/p9i7drp9S

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banjnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eafbmgad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egegjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banjnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe

Executes dropped EXE 14 IoCs

pid	Process
2520	Nfqnbjfi.exe
5092	Pplhhm32.exe
1888	Acqgojmb.exe
4400	Banjnm32.exe
1716	Cancekeo.exe
3336	Ddfbgelh.exe
1352	Dcphdqmj.exe
2052	Ecbeip32.exe
492	Eafbmgad.exe
3768	Egegjn32.exe
3476	Fnalmh32.exe
3952	Fcpakn32.exe
3340	Fqdbdbna.exe
548	Gddgpqbe.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddfbgelh.exe	Cancekeo.exe
File opened for modification	C:\Windows\SysWOW64\Ddfbgelh.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Jjjfeo32.dll	Ddfbgelh.exe
File opened for modification	C:\Windows\SysWOW64\Eafbmgad.exe	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Jfqqddpi.dll	Fnalmh32.exe
File created	C:\Windows\SysWOW64\Apmpkall.dll	Acqgojmb.exe
File opened for modification	C:\Windows\SysWOW64\Cancekeo.exe	Banjnm32.exe
File created	C:\Windows\SysWOW64\Nfqnbjfi.exe	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
File created	C:\Windows\SysWOW64\Fcpakn32.exe	Fnalmh32.exe
File opened for modification	C:\Windows\SysWOW64\Egegjn32.exe	Eafbmgad.exe
File created	C:\Windows\SysWOW64\Blcnqjjo.dll	Nfqnbjfi.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Banjnm32.exe
File created	C:\Windows\SysWOW64\Dcphdqmj.exe	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Ecbeip32.exe	Dcphdqmj.exe
File created	C:\Windows\SysWOW64\Aolphl32.dll	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Pplhhm32.exe	Nfqnbjfi.exe
File opened for modification	C:\Windows\SysWOW64\Acqgojmb.exe	Pplhhm32.exe
File opened for modification	C:\Windows\SysWOW64\Dcphdqmj.exe	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Jhhnfh32.dll	Eafbmgad.exe
File created	C:\Windows\SysWOW64\Pbfbkfaa.dll	Egegjn32.exe
File created	C:\Windows\SysWOW64\Fqdbdbna.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Acqgojmb.exe	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Banjnm32.exe	Acqgojmb.exe
File opened for modification	C:\Windows\SysWOW64\Ecbeip32.exe	Dcphdqmj.exe
File opened for modification	C:\Windows\SysWOW64\Fcpakn32.exe	Fnalmh32.exe
File opened for modification	C:\Windows\SysWOW64\Fqdbdbna.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fqdbdbna.exe
File opened for modification	C:\Windows\SysWOW64\Nfqnbjfi.exe	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
File created	C:\Windows\SysWOW64\Aldjigql.dll	Banjnm32.exe
File created	C:\Windows\SysWOW64\Camgolnm.dll	Dcphdqmj.exe
File created	C:\Windows\SysWOW64\Eafbmgad.exe	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Fnalmh32.exe	Egegjn32.exe
File opened for modification	C:\Windows\SysWOW64\Fnalmh32.exe	Egegjn32.exe
File created	C:\Windows\SysWOW64\Njogfipp.dll	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
File created	C:\Windows\SysWOW64\Agecdgmk.dll	Cancekeo.exe
File opened for modification	C:\Windows\SysWOW64\Banjnm32.exe	Acqgojmb.exe
File created	C:\Windows\SysWOW64\Egegjn32.exe	Eafbmgad.exe
File created	C:\Windows\SysWOW64\Gajlgpic.dll	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fqdbdbna.exe
File opened for modification	C:\Windows\SysWOW64\Pplhhm32.exe	Nfqnbjfi.exe
File created	C:\Windows\SysWOW64\Aanpie32.dll	Pplhhm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1480	548	WerFault.exe	105

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanpie32.dll"	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eafbmgad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egegjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll"	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfbkfaa.dll"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjfeo32.dll"	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll"	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camgolnm.dll"	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlgpic.dll"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njogfipp.dll"	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll"	Nfqnbjfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolphl32.dll"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmpkall.dll"	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banjnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pplhhm32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2520	3000	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe	91
PID 3000 wrote to memory of 2520	3000	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe	91
PID 3000 wrote to memory of 2520	3000	NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe	91
PID 2520 wrote to memory of 5092	2520	Nfqnbjfi.exe	93
PID 2520 wrote to memory of 5092	2520	Nfqnbjfi.exe	93
PID 2520 wrote to memory of 5092	2520	Nfqnbjfi.exe	93
PID 5092 wrote to memory of 1888	5092	Pplhhm32.exe	94
PID 5092 wrote to memory of 1888	5092	Pplhhm32.exe	94
PID 5092 wrote to memory of 1888	5092	Pplhhm32.exe	94
PID 1888 wrote to memory of 4400	1888	Acqgojmb.exe	95
PID 1888 wrote to memory of 4400	1888	Acqgojmb.exe	95
PID 1888 wrote to memory of 4400	1888	Acqgojmb.exe	95
PID 4400 wrote to memory of 1716	4400	Banjnm32.exe	96
PID 4400 wrote to memory of 1716	4400	Banjnm32.exe	96
PID 4400 wrote to memory of 1716	4400	Banjnm32.exe	96
PID 1716 wrote to memory of 3336	1716	Cancekeo.exe	97
PID 1716 wrote to memory of 3336	1716	Cancekeo.exe	97
PID 1716 wrote to memory of 3336	1716	Cancekeo.exe	97
PID 3336 wrote to memory of 1352	3336	Ddfbgelh.exe	98
PID 3336 wrote to memory of 1352	3336	Ddfbgelh.exe	98
PID 3336 wrote to memory of 1352	3336	Ddfbgelh.exe	98
PID 1352 wrote to memory of 2052	1352	Dcphdqmj.exe	99
PID 1352 wrote to memory of 2052	1352	Dcphdqmj.exe	99
PID 1352 wrote to memory of 2052	1352	Dcphdqmj.exe	99
PID 2052 wrote to memory of 492	2052	Ecbeip32.exe	100
PID 2052 wrote to memory of 492	2052	Ecbeip32.exe	100
PID 2052 wrote to memory of 492	2052	Ecbeip32.exe	100
PID 492 wrote to memory of 3768	492	Eafbmgad.exe	101
PID 492 wrote to memory of 3768	492	Eafbmgad.exe	101
PID 492 wrote to memory of 3768	492	Eafbmgad.exe	101
PID 3768 wrote to memory of 3476	3768	Egegjn32.exe	102
PID 3768 wrote to memory of 3476	3768	Egegjn32.exe	102
PID 3768 wrote to memory of 3476	3768	Egegjn32.exe	102
PID 3476 wrote to memory of 3952	3476	Fnalmh32.exe	103
PID 3476 wrote to memory of 3952	3476	Fnalmh32.exe	103
PID 3476 wrote to memory of 3952	3476	Fnalmh32.exe	103
PID 3952 wrote to memory of 3340	3952	Fcpakn32.exe	104
PID 3952 wrote to memory of 3340	3952	Fcpakn32.exe	104
PID 3952 wrote to memory of 3340	3952	Fcpakn32.exe	104
PID 3340 wrote to memory of 548	3340	Fqdbdbna.exe	105
PID 3340 wrote to memory of 548	3340	Fqdbdbna.exe	105
PID 3340 wrote to memory of 548	3340	Fqdbdbna.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1b3e1fd72ba875f61006684cf01a03c0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\Nfqnbjfi.exe
  C:\Windows\system32\Nfqnbjfi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\Pplhhm32.exe
    C:\Windows\system32\Pplhhm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\SysWOW64\Acqgojmb.exe
      C:\Windows\system32\Acqgojmb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        15⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 400
        16⤵
        Program crash
        
        PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 548 -ip 548
1⤵
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqgojmb.exe

Filesize
275KB

MD5
e6ea42abaaf3f52a5476229879e5c019

SHA1
87c77145015b6e2db9bf47df9ce370132de1af12

SHA256
b12097e4e9d1ea901f251364e893ad4fff2c7ff395a7fe4ac088143fecf901a5

SHA512
bcfdbc33d4118d68704584ef1523e325770676c4c199fab7565d760c15f95f0e52adb264c94945bab50318c4e805206534998607b8397f4926abd86c73177e4f

Download Submit
C:\Windows\SysWOW64\Acqgojmb.exe

Filesize
275KB

MD5
e6ea42abaaf3f52a5476229879e5c019

SHA1
87c77145015b6e2db9bf47df9ce370132de1af12

SHA256
b12097e4e9d1ea901f251364e893ad4fff2c7ff395a7fe4ac088143fecf901a5

SHA512
bcfdbc33d4118d68704584ef1523e325770676c4c199fab7565d760c15f95f0e52adb264c94945bab50318c4e805206534998607b8397f4926abd86c73177e4f

Download Submit
C:\Windows\SysWOW64\Banjnm32.exe

Filesize
275KB

MD5
b6879299f56fe08719bf180950c0b0ca

SHA1
8cdb4bd4cbfdc03a77c491b3a78f5e4f589be26f

SHA256
c3db1f809ccdebfb25dc30a54a2de772e1644ca2e60004d610395148b0f9382e

SHA512
8d4f3370e2bb8aca2e1750af46ba7013b602db2e3d907a4a79b753c3d31ceefbf0683d7342ee93ec431e6b96fdf34bc49ad4b8352d730064bd3496bcfd35f17c

Download Submit
C:\Windows\SysWOW64\Banjnm32.exe

Filesize
275KB

MD5
b6879299f56fe08719bf180950c0b0ca

SHA1
8cdb4bd4cbfdc03a77c491b3a78f5e4f589be26f

SHA256
c3db1f809ccdebfb25dc30a54a2de772e1644ca2e60004d610395148b0f9382e

SHA512
8d4f3370e2bb8aca2e1750af46ba7013b602db2e3d907a4a79b753c3d31ceefbf0683d7342ee93ec431e6b96fdf34bc49ad4b8352d730064bd3496bcfd35f17c

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
275KB

MD5
cec47250db60280288c1447026547385

SHA1
4118d3ba03140b42a14726195f9451ce6a7620c9

SHA256
7853976dcde3429c5d00292e188f8f6fb2f0122ee3ac4defe4892fe9d01aa28b

SHA512
39ae50c43ba1c0eeb49c28ccfd237f395adb440777cdfb98381c2c082245a0699d90c468842a76334c41f9d348fd4610c0ed36348f3a87254b789f2daad88582

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
275KB

MD5
cec47250db60280288c1447026547385

SHA1
4118d3ba03140b42a14726195f9451ce6a7620c9

SHA256
7853976dcde3429c5d00292e188f8f6fb2f0122ee3ac4defe4892fe9d01aa28b

SHA512
39ae50c43ba1c0eeb49c28ccfd237f395adb440777cdfb98381c2c082245a0699d90c468842a76334c41f9d348fd4610c0ed36348f3a87254b789f2daad88582

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
275KB

MD5
2bc27e7451bf55bc7ded1605240ac0a2

SHA1
2d5790b05b76100e566c85015b0baac36b9df4cf

SHA256
a3148283257ca988099fa597358acb0003a042947e35e2b0511df75bcd092ec6

SHA512
3aef79cb57fbed01bc086a98653fccacc05c0dfc31d4dedee6641704d24389aca7b73cc4790b6c8adaab4c6fc5b51921d1ab81cb3a86da02128c0191cdb26839

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
275KB

MD5
2bc27e7451bf55bc7ded1605240ac0a2

SHA1
2d5790b05b76100e566c85015b0baac36b9df4cf

SHA256
a3148283257ca988099fa597358acb0003a042947e35e2b0511df75bcd092ec6

SHA512
3aef79cb57fbed01bc086a98653fccacc05c0dfc31d4dedee6641704d24389aca7b73cc4790b6c8adaab4c6fc5b51921d1ab81cb3a86da02128c0191cdb26839

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
275KB

MD5
776b1e3f4cf1f2488820aa2e9171c2ec

SHA1
a48569f868cc9c14d0214fb763237dad012d4002

SHA256
f2b4b6131533050cadc0424d94b30c6a93416d9a1ffcd21270cb642c98d3c560

SHA512
648a5f9731b2a372f8e14a299d208ac9a003346cb502f2983206289fd2e25326eb7b5a99f4631c385bb98a68d0b287e8931b48a25c0d0cc088dbfd2e93b435a4

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
275KB

MD5
776b1e3f4cf1f2488820aa2e9171c2ec

SHA1
a48569f868cc9c14d0214fb763237dad012d4002

SHA256
f2b4b6131533050cadc0424d94b30c6a93416d9a1ffcd21270cb642c98d3c560

SHA512
648a5f9731b2a372f8e14a299d208ac9a003346cb502f2983206289fd2e25326eb7b5a99f4631c385bb98a68d0b287e8931b48a25c0d0cc088dbfd2e93b435a4

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
275KB

MD5
776b1e3f4cf1f2488820aa2e9171c2ec

SHA1
a48569f868cc9c14d0214fb763237dad012d4002

SHA256
f2b4b6131533050cadc0424d94b30c6a93416d9a1ffcd21270cb642c98d3c560

SHA512
648a5f9731b2a372f8e14a299d208ac9a003346cb502f2983206289fd2e25326eb7b5a99f4631c385bb98a68d0b287e8931b48a25c0d0cc088dbfd2e93b435a4

Download Submit
C:\Windows\SysWOW64\Eafbmgad.exe

Filesize
275KB

MD5
8130465f47e9cd1be12b45ec8f6e3a66

SHA1
ae6b1883e0e9a8544537c460885f572172642fe6

SHA256
bd5229b8e6a4a391be9659723624ea5935c4acfde358c4369f92e3ccf58d7f6b

SHA512
8f3ff3fc323469ceb8233a29fb2c11d9c2db9665f0fc7384c832a46e6afc2adea5a1a680f60fea33ced839b94e40fae105b1e0f937d6b6fc8186a66bbe751898

Download Submit
C:\Windows\SysWOW64\Eafbmgad.exe

Filesize
275KB

MD5
8130465f47e9cd1be12b45ec8f6e3a66

SHA1
ae6b1883e0e9a8544537c460885f572172642fe6

SHA256
bd5229b8e6a4a391be9659723624ea5935c4acfde358c4369f92e3ccf58d7f6b

SHA512
8f3ff3fc323469ceb8233a29fb2c11d9c2db9665f0fc7384c832a46e6afc2adea5a1a680f60fea33ced839b94e40fae105b1e0f937d6b6fc8186a66bbe751898

Download Submit
C:\Windows\SysWOW64\Eafbmgad.exe

Filesize
275KB

MD5
8130465f47e9cd1be12b45ec8f6e3a66

SHA1
ae6b1883e0e9a8544537c460885f572172642fe6

SHA256
bd5229b8e6a4a391be9659723624ea5935c4acfde358c4369f92e3ccf58d7f6b

SHA512
8f3ff3fc323469ceb8233a29fb2c11d9c2db9665f0fc7384c832a46e6afc2adea5a1a680f60fea33ced839b94e40fae105b1e0f937d6b6fc8186a66bbe751898

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
275KB

MD5
23093cc57081442cbe3a41c9dd808c44

SHA1
675b2ac9fc6cc9f564ed5685c0c45552f9886c42

SHA256
dae0428a21dbaede5e226a27acaa4a829483f855399c9724f853adf0d73e0c42

SHA512
ef2e2bab2c4abb86c45ac24731162b1360ce6c3f9d451522f8c7a82911b66de75a990203f64a86d13b7a731eb27fbbc5f87a7cead1dcd86e29dbcd99cc0f122f

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
275KB

MD5
23093cc57081442cbe3a41c9dd808c44

SHA1
675b2ac9fc6cc9f564ed5685c0c45552f9886c42

SHA256
dae0428a21dbaede5e226a27acaa4a829483f855399c9724f853adf0d73e0c42

SHA512
ef2e2bab2c4abb86c45ac24731162b1360ce6c3f9d451522f8c7a82911b66de75a990203f64a86d13b7a731eb27fbbc5f87a7cead1dcd86e29dbcd99cc0f122f

Download Submit
C:\Windows\SysWOW64\Egegjn32.exe

Filesize
275KB

MD5
73e092b99afa1579b4ed187d0ca90f2c

SHA1
70df3b89264ea8dcef82f8b65572871648243dd8

SHA256
9742b413cff7f799e5bd3081622c35b79f5378fccf71c2e7b9d48c44b36e9922

SHA512
7beb388e7f3844003320d37a529938ee1457261154c8dfcf8f4a7b10b9bc937011d75a63363486561737785aa3c0110d3937aaeea214c2ecd37e2dc9867ac7f1

Download Submit
C:\Windows\SysWOW64\Egegjn32.exe

Filesize
275KB

MD5
73e092b99afa1579b4ed187d0ca90f2c

SHA1
70df3b89264ea8dcef82f8b65572871648243dd8

SHA256
9742b413cff7f799e5bd3081622c35b79f5378fccf71c2e7b9d48c44b36e9922

SHA512
7beb388e7f3844003320d37a529938ee1457261154c8dfcf8f4a7b10b9bc937011d75a63363486561737785aa3c0110d3937aaeea214c2ecd37e2dc9867ac7f1

Download Submit
C:\Windows\SysWOW64\Fcpakn32.exe

Filesize
275KB

MD5
64b5061039b805b87438e1434be4602b

SHA1
8264015e78f19ee9a3d8187fe29525413066ab5f

SHA256
5cbd19613b95be6960bc1fcdd89e4b7f24c7ecc7e69c5286dc31e31c37dbf334

SHA512
9a47eb00ac1b49119bce7ca97b47e967f1b30355121d22e638d4eac918eba9158779ad595f48eac1fbf5af514757a0cb892aad92733710fd8aa721a844078f4e

Download Submit
C:\Windows\SysWOW64\Fcpakn32.exe

Filesize
275KB

MD5
64b5061039b805b87438e1434be4602b

SHA1
8264015e78f19ee9a3d8187fe29525413066ab5f

SHA256
5cbd19613b95be6960bc1fcdd89e4b7f24c7ecc7e69c5286dc31e31c37dbf334

SHA512
9a47eb00ac1b49119bce7ca97b47e967f1b30355121d22e638d4eac918eba9158779ad595f48eac1fbf5af514757a0cb892aad92733710fd8aa721a844078f4e

Download Submit
C:\Windows\SysWOW64\Fnalmh32.exe

Filesize
275KB

MD5
d79bd4e59a6f5f956285dfffa305426f

SHA1
b3931cac7f0be028d5a49ad99b239634d2ae8356

SHA256
979a8f4c78787a6d8fb51b11e59474e15e6887fbb572109e35ca4cf5ff00c3b7

SHA512
5c21b464486ec7155873bbcba76a0bb7d7bfb70d34bfff2ffd2bdf2dac03bdfedc02a0a355ad535ee0017d3c71b316be40ae66842558d4d382102fef559cd8a4

Download Submit
C:\Windows\SysWOW64\Fnalmh32.exe

Filesize
275KB

MD5
d79bd4e59a6f5f956285dfffa305426f

SHA1
b3931cac7f0be028d5a49ad99b239634d2ae8356

SHA256
979a8f4c78787a6d8fb51b11e59474e15e6887fbb572109e35ca4cf5ff00c3b7

SHA512
5c21b464486ec7155873bbcba76a0bb7d7bfb70d34bfff2ffd2bdf2dac03bdfedc02a0a355ad535ee0017d3c71b316be40ae66842558d4d382102fef559cd8a4

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
275KB

MD5
54862f2c86a9dcfe60b37589eb5b86cd

SHA1
d0201b62f87705d5072c661e9d5fa2f57aa127b8

SHA256
91c9a6a6aaca53d0b88f098801f4a1e48dba94563cf2de306dd63e6121d788ee

SHA512
02be1edc90348b6f35b3ac0339999612aa981973ebe01df8dd2259bf8d910875189fb54dbbe6ee1b912d035fa4b6efe09d33ceec8c6ba5c6d39f13d2de2a2eac

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
275KB

MD5
54862f2c86a9dcfe60b37589eb5b86cd

SHA1
d0201b62f87705d5072c661e9d5fa2f57aa127b8

SHA256
91c9a6a6aaca53d0b88f098801f4a1e48dba94563cf2de306dd63e6121d788ee

SHA512
02be1edc90348b6f35b3ac0339999612aa981973ebe01df8dd2259bf8d910875189fb54dbbe6ee1b912d035fa4b6efe09d33ceec8c6ba5c6d39f13d2de2a2eac

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
275KB

MD5
54862f2c86a9dcfe60b37589eb5b86cd

SHA1
d0201b62f87705d5072c661e9d5fa2f57aa127b8

SHA256
91c9a6a6aaca53d0b88f098801f4a1e48dba94563cf2de306dd63e6121d788ee

SHA512
02be1edc90348b6f35b3ac0339999612aa981973ebe01df8dd2259bf8d910875189fb54dbbe6ee1b912d035fa4b6efe09d33ceec8c6ba5c6d39f13d2de2a2eac

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
275KB

MD5
48148b1cf93978b2a4ef93c1fb66edaa

SHA1
8c01df9fb79f776ebe2e8e27d4d627e58127f17b

SHA256
27477c40ed38733527102eec74886983e895bbc7efd47e3d157d242c381deee5

SHA512
3d3d490506439f66f7eb04912dee021a8fc78e33e3015a45c98092a0427acb5ae2f331dad9c135df012999b7f6c857348ba08d6418d94cbd2b1ff798e6a8a70d

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
275KB

MD5
48148b1cf93978b2a4ef93c1fb66edaa

SHA1
8c01df9fb79f776ebe2e8e27d4d627e58127f17b

SHA256
27477c40ed38733527102eec74886983e895bbc7efd47e3d157d242c381deee5

SHA512
3d3d490506439f66f7eb04912dee021a8fc78e33e3015a45c98092a0427acb5ae2f331dad9c135df012999b7f6c857348ba08d6418d94cbd2b1ff798e6a8a70d

Download Submit
C:\Windows\SysWOW64\Nfqnbjfi.exe

Filesize
275KB

MD5
5fbcd14db77c693d7142cf906406bbd1

SHA1
d0be1f95ab665fbdb428aae58a428083119ed919

SHA256
8269a28ad9b4bbcfdd12eb56a0610f908289d4984ab5eba24728b6546c860c62

SHA512
c4e9716d113a381a9b7c0505e3f0a79872fee774982637f45464b12118ab7105b5d7b87c8a1e39458537c633db50dd98387fb4276293ba7f3bd1958694fcda97

Download Submit
C:\Windows\SysWOW64\Nfqnbjfi.exe

Filesize
275KB

MD5
5fbcd14db77c693d7142cf906406bbd1

SHA1
d0be1f95ab665fbdb428aae58a428083119ed919

SHA256
8269a28ad9b4bbcfdd12eb56a0610f908289d4984ab5eba24728b6546c860c62

SHA512
c4e9716d113a381a9b7c0505e3f0a79872fee774982637f45464b12118ab7105b5d7b87c8a1e39458537c633db50dd98387fb4276293ba7f3bd1958694fcda97

Download Submit
C:\Windows\SysWOW64\Pplhhm32.exe

Filesize
275KB

MD5
980912370d7a882465023ead30cfa266

SHA1
925d742d32b4831d929ebd3948cb251db0012a7d

SHA256
202d6f43344bdf82e262e02d3c4edae419dba4bd757cd6c36cf17aa6d1c067dd

SHA512
4f8391ef95132d45bb75d671664866aee0d25a533ee4561ca0496da62b93437b195842e40c91b6897a3ade8caa3e61c263cc007a02c6034e0f10ec50531ff3ad

Download Submit
C:\Windows\SysWOW64\Pplhhm32.exe

Filesize
275KB

MD5
980912370d7a882465023ead30cfa266

SHA1
925d742d32b4831d929ebd3948cb251db0012a7d

SHA256
202d6f43344bdf82e262e02d3c4edae419dba4bd757cd6c36cf17aa6d1c067dd

SHA512
4f8391ef95132d45bb75d671664866aee0d25a533ee4561ca0496da62b93437b195842e40c91b6897a3ade8caa3e61c263cc007a02c6034e0f10ec50531ff3ad

Download Submit
memory/492-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/492-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/548-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/548-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1352-58-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1352-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1716-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1716-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2052-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2052-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3000-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3000-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3000-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3336-50-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3336-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3340-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3340-123-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3476-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3476-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3768-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3768-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3952-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4400-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4400-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads