141f95275e1d465085a380238def40dc551c8aa3c19a3798629ed10ccfb84bbf

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce3bdac3b61c6b0baba2abe722f25a70_NEAS.exe
Size

71KB
MD5

ce3bdac3b61c6b0baba2abe722f25a70
SHA1

1156ff206111a240467de3a356709ba1ea205f87
SHA256

141f95275e1d465085a380238def40dc551c8aa3c19a3798629ed10ccfb84bbf
SHA512

71b5028627fa842a76dd45f763d464a67af9b23ddcbc7fa12bcf10edbbf2c1ad4cf386bbbe93025e8a56b542e95a7761d1fdf0b71ba682f6733108ae340a6491
SSDEEP

1536:vDztvL+M/j77ZNW2kuy6D1WKFERUs+ARQqDbEyRCRRRoR4Rk:v5L+gjXjVkP6D1WK2RUs+AeEEy032ya

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefiopki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmhko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lebijnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqjbddpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlblcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ledepn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekcgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflmnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlblcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebifmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ommceclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajjokd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abhqefpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdpgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jblmgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oflmnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dolmodpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khiofk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhoahh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enkmfolf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce3bdac3b61c6b0baba2abe722f25a70_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klggli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnlodjpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekcgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nodiqp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampaho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jahqiaeb.exe

Executes dropped EXE 62 IoCs

pid	Process
1972	Amcehdod.exe
1996	Bacjdbch.exe
3120	Bddcenpi.exe
4784	Cdimqm32.exe
5000	Dolmodpi.exe
3380	Dndgfpbo.exe
3420	Eqdpgk32.exe
1968	Enkmfolf.exe
4304	Ebifmm32.exe
3520	Ekcgkb32.exe
5072	Fnkfmm32.exe
1568	Gnblnlhl.exe
2220	Geoapenf.exe
748	Hpfbcn32.exe
2392	Hnlodjpa.exe
1976	Hlblcn32.exe
4352	Hldiinke.exe
2908	Ipkdek32.exe
2060	Jblmgf32.exe
4668	Jbagbebm.exe
884	Jpegkj32.exe
3152	Jahqiaeb.exe
2024	Kefiopki.exe
660	Klbnajqc.exe
2160	Khiofk32.exe
1420	Klggli32.exe
2032	Lebijnak.exe
3088	Ledepn32.exe
5012	Ljbnfleo.exe
1872	Lcmodajm.exe
4672	Mlhqcgnk.exe
3828	Mhoahh32.exe
3616	Mcfbkpab.exe
1748	Mqjbddpl.exe
2248	Noppeaed.exe
4952	Ncmhko32.exe
2404	Nodiqp32.exe
2784	Nimmifgo.exe
1084	Nbebbk32.exe
2744	Ommceclc.exe
2084	Omopjcjp.exe
4888	Oophlo32.exe
4056	Oflmnh32.exe
1708	Pfojdh32.exe
3868	Pbekii32.exe
4292	Pfccogfc.exe
4576	Pcgdhkem.exe
4536	Pblajhje.exe
2688	Qpbnhl32.exe
1812	Ajjokd32.exe
1992	Abhqefpg.exe
4572	Ampaho32.exe
2196	Banjnm32.exe
896	Biklho32.exe
4448	Bmidnm32.exe
2344	Bdeiqgkj.exe
2112	Cajjjk32.exe
2892	Cienon32.exe
2240	Ccppmc32.exe
3788	Cmgqpkip.exe
4552	Dphiaffa.exe
2304	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kjmejc32.dll	Dolmodpi.exe
File created	C:\Windows\SysWOW64\Ipkdek32.exe	Hldiinke.exe
File created	C:\Windows\SysWOW64\Jblmgf32.exe	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Kpmmljnd.dll	Jblmgf32.exe
File opened for modification	C:\Windows\SysWOW64\Klggli32.exe	Khiofk32.exe
File created	C:\Windows\SysWOW64\Knnele32.dll	Khiofk32.exe
File opened for modification	C:\Windows\SysWOW64\Mhoahh32.exe	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Cepjip32.dll	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Pcgdhkem.exe	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Lodabb32.dll	Omopjcjp.exe
File opened for modification	C:\Windows\SysWOW64\Lcmodajm.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Nodiqp32.exe	Ncmhko32.exe
File opened for modification	C:\Windows\SysWOW64\Pbekii32.exe	Pfojdh32.exe
File created	C:\Windows\SysWOW64\Pblajhje.exe	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Cmgqpkip.exe	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Ekcgkb32.exe	Ebifmm32.exe
File created	C:\Windows\SysWOW64\Hpfbcn32.exe	Geoapenf.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Nodiqp32.exe
File created	C:\Windows\SysWOW64\Chjjqebm.dll	Pbekii32.exe
File created	C:\Windows\SysWOW64\Banjnm32.exe	Ampaho32.exe
File created	C:\Windows\SysWOW64\Biklho32.exe	Banjnm32.exe
File created	C:\Windows\SysWOW64\Ifcmmg32.dll	Biklho32.exe
File created	C:\Windows\SysWOW64\Ccppmc32.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Bddcenpi.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Lebijnak.exe	Klggli32.exe
File created	C:\Windows\SysWOW64\Kolfbd32.dll	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Ekcgkb32.exe	Ebifmm32.exe
File created	C:\Windows\SysWOW64\Mnjenfjo.dll	Ommceclc.exe
File created	C:\Windows\SysWOW64\Mpiedk32.dll	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Cajjjk32.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dphiaffa.exe
File opened for modification	C:\Windows\SysWOW64\Amcehdod.exe	ce3bdac3b61c6b0baba2abe722f25a70_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Hpfbcn32.exe	Geoapenf.exe
File created	C:\Windows\SysWOW64\Goniok32.dll	Hldiinke.exe
File opened for modification	C:\Windows\SysWOW64\Oflmnh32.exe	Oophlo32.exe
File created	C:\Windows\SysWOW64\Geoapenf.exe	Gnblnlhl.exe
File created	C:\Windows\SysWOW64\Ncmhko32.exe	Noppeaed.exe
File created	C:\Windows\SysWOW64\Omopjcjp.exe	Ommceclc.exe
File created	C:\Windows\SysWOW64\Anlkecaj.dll	Pfojdh32.exe
File opened for modification	C:\Windows\SysWOW64\Pblajhje.exe	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Mhoahh32.exe	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Nbjnhape.dll	Hlblcn32.exe
File created	C:\Windows\SysWOW64\Klbnajqc.exe	Kefiopki.exe
File created	C:\Windows\SysWOW64\Mcfbkpab.exe	Mhoahh32.exe
File opened for modification	C:\Windows\SysWOW64\Mcfbkpab.exe	Mhoahh32.exe
File created	C:\Windows\SysWOW64\Mqjbddpl.exe	Mcfbkpab.exe
File opened for modification	C:\Windows\SysWOW64\Pfccogfc.exe	Pbekii32.exe
File created	C:\Windows\SysWOW64\Libmeq32.dll	Fnkfmm32.exe
File opened for modification	C:\Windows\SysWOW64\Hlblcn32.exe	Hnlodjpa.exe
File created	C:\Windows\SysWOW64\Faoiogei.dll	Lcmodajm.exe
File created	C:\Windows\SysWOW64\Jnblgj32.dll	Cienon32.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dphiaffa.exe
File opened for modification	C:\Windows\SysWOW64\Gnblnlhl.exe	Fnkfmm32.exe
File opened for modification	C:\Windows\SysWOW64\Dndgfpbo.exe	Dolmodpi.exe
File created	C:\Windows\SysWOW64\Flinad32.dll	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Imqpnq32.dll	Mcfbkpab.exe
File created	C:\Windows\SysWOW64\Pjphcf32.dll	Nbebbk32.exe
File opened for modification	C:\Windows\SysWOW64\Omopjcjp.exe	Ommceclc.exe
File created	C:\Windows\SysWOW64\Pbekii32.exe	Pfojdh32.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Lqppgj32.dll	Amcehdod.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4344	2304	WerFault.exe	152

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abhqefpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpfbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjfbb32.dll"	Ledepn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oophlo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajjokd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmgil32.dll"	Oflmnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalceb32.dll"	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepjip32.dll"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ebifmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ekcgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fegbnohh.dll"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhehh32.dll"	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	ce3bdac3b61c6b0baba2abe722f25a70_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ekcgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojpmiij.dll"	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqedp32.dll"	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Banjnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kefiopki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlhqcgnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcfbkpab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll"	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abhqefpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekellcop.dll"	Eqdpgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnlodjpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndikch32.dll"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmejc32.dll"	Dolmodpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dolmodpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlblcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpiedk32.dll"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hldiinke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jblmgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibepke32.dll"	Kefiopki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll"	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifncdb32.dll"	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqgnfcmm.dll"	Enkmfolf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1972	4028	ce3bdac3b61c6b0baba2abe722f25a70_NEAS.exe	91
PID 4028 wrote to memory of 1972	4028	ce3bdac3b61c6b0baba2abe722f25a70_NEAS.exe	91
PID 4028 wrote to memory of 1972	4028	ce3bdac3b61c6b0baba2abe722f25a70_NEAS.exe	91
PID 1972 wrote to memory of 1996	1972	Amcehdod.exe	92
PID 1972 wrote to memory of 1996	1972	Amcehdod.exe	92
PID 1972 wrote to memory of 1996	1972	Amcehdod.exe	92
PID 1996 wrote to memory of 3120	1996	Bacjdbch.exe	93
PID 1996 wrote to memory of 3120	1996	Bacjdbch.exe	93
PID 1996 wrote to memory of 3120	1996	Bacjdbch.exe	93
PID 3120 wrote to memory of 4784	3120	Bddcenpi.exe	94
PID 3120 wrote to memory of 4784	3120	Bddcenpi.exe	94
PID 3120 wrote to memory of 4784	3120	Bddcenpi.exe	94
PID 4784 wrote to memory of 5000	4784	Cdimqm32.exe	95
PID 4784 wrote to memory of 5000	4784	Cdimqm32.exe	95
PID 4784 wrote to memory of 5000	4784	Cdimqm32.exe	95
PID 5000 wrote to memory of 3380	5000	Dolmodpi.exe	96
PID 5000 wrote to memory of 3380	5000	Dolmodpi.exe	96
PID 5000 wrote to memory of 3380	5000	Dolmodpi.exe	96
PID 3380 wrote to memory of 3420	3380	Dndgfpbo.exe	97
PID 3380 wrote to memory of 3420	3380	Dndgfpbo.exe	97
PID 3380 wrote to memory of 3420	3380	Dndgfpbo.exe	97
PID 3420 wrote to memory of 1968	3420	Eqdpgk32.exe	98
PID 3420 wrote to memory of 1968	3420	Eqdpgk32.exe	98
PID 3420 wrote to memory of 1968	3420	Eqdpgk32.exe	98
PID 1968 wrote to memory of 4304	1968	Enkmfolf.exe	99
PID 1968 wrote to memory of 4304	1968	Enkmfolf.exe	99
PID 1968 wrote to memory of 4304	1968	Enkmfolf.exe	99
PID 4304 wrote to memory of 3520	4304	Ebifmm32.exe	100
PID 4304 wrote to memory of 3520	4304	Ebifmm32.exe	100
PID 4304 wrote to memory of 3520	4304	Ebifmm32.exe	100
PID 3520 wrote to memory of 5072	3520	Ekcgkb32.exe	101
PID 3520 wrote to memory of 5072	3520	Ekcgkb32.exe	101
PID 3520 wrote to memory of 5072	3520	Ekcgkb32.exe	101
PID 5072 wrote to memory of 1568	5072	Fnkfmm32.exe	102
PID 5072 wrote to memory of 1568	5072	Fnkfmm32.exe	102
PID 5072 wrote to memory of 1568	5072	Fnkfmm32.exe	102
PID 1568 wrote to memory of 2220	1568	Gnblnlhl.exe	103
PID 1568 wrote to memory of 2220	1568	Gnblnlhl.exe	103
PID 1568 wrote to memory of 2220	1568	Gnblnlhl.exe	103
PID 2220 wrote to memory of 748	2220	Geoapenf.exe	104
PID 2220 wrote to memory of 748	2220	Geoapenf.exe	104
PID 2220 wrote to memory of 748	2220	Geoapenf.exe	104
PID 748 wrote to memory of 2392	748	Hpfbcn32.exe	105
PID 748 wrote to memory of 2392	748	Hpfbcn32.exe	105
PID 748 wrote to memory of 2392	748	Hpfbcn32.exe	105
PID 2392 wrote to memory of 1976	2392	Hnlodjpa.exe	106
PID 2392 wrote to memory of 1976	2392	Hnlodjpa.exe	106
PID 2392 wrote to memory of 1976	2392	Hnlodjpa.exe	106
PID 1976 wrote to memory of 4352	1976	Hlblcn32.exe	107
PID 1976 wrote to memory of 4352	1976	Hlblcn32.exe	107
PID 1976 wrote to memory of 4352	1976	Hlblcn32.exe	107
PID 4352 wrote to memory of 2908	4352	Hldiinke.exe	108
PID 4352 wrote to memory of 2908	4352	Hldiinke.exe	108
PID 4352 wrote to memory of 2908	4352	Hldiinke.exe	108
PID 2908 wrote to memory of 2060	2908	Ipkdek32.exe	109
PID 2908 wrote to memory of 2060	2908	Ipkdek32.exe	109
PID 2908 wrote to memory of 2060	2908	Ipkdek32.exe	109
PID 2060 wrote to memory of 4668	2060	Jblmgf32.exe	110
PID 2060 wrote to memory of 4668	2060	Jblmgf32.exe	110
PID 2060 wrote to memory of 4668	2060	Jblmgf32.exe	110
PID 4668 wrote to memory of 884	4668	Jbagbebm.exe	111
PID 4668 wrote to memory of 884	4668	Jbagbebm.exe	111
PID 4668 wrote to memory of 884	4668	Jbagbebm.exe	111
PID 884 wrote to memory of 3152	884	Jpegkj32.exe	112

C:\Users\Admin\AppData\Local\Temp\ce3bdac3b61c6b0baba2abe722f25a70_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\ce3bdac3b61c6b0baba2abe722f25a70_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\Amcehdod.exe
  C:\Windows\system32\Amcehdod.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\Bacjdbch.exe
    C:\Windows\system32\Bacjdbch.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\Bddcenpi.exe
      C:\Windows\system32\Bddcenpi.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
      - C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:660
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        49⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        63⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 412
        64⤵
        Program crash
        
        PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2304 -ip 2304
1⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amcehdod.exe

Filesize
71KB

MD5
3864eb7f0013d60b5374fbd358a57bae

SHA1
b245570d946b3cf83b194fa7a7cc3c043d8d9c08

SHA256
5f0288c97a2a1632e0f7079f80adf8a1ba2e29e21281c0e01987bf63666b3fe4

SHA512
e22dde02e5f713dad713a0fbea8e9148a1e2b4a6eaf8130fdb2a25c6d8410416effc832bb7049b07552780d6e2c5d472a8ac15204b664573ec435867997deb59

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
71KB

MD5
9644e27156eb1d7704e0c8eb3faa3f29

SHA1
2d074160868cd5b34914882a7412b629b6836297

SHA256
748fb29f85a3786613692ade0a60341eda747118546c702965bcff305dcaa288

SHA512
3efff224e34bed4c84750b10de3efc7808b6370cdbf30a738a8fc06a7f7b82b6a3af4548579bf077438dccaf0fb5fa905a7162a4eafd74b67b90099c36e8f090

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
71KB

MD5
7961c83f74c5b9c897651cc80434a33c

SHA1
8160db92d1ba4b0d1226c87f345db037d9bd91db

SHA256
233fa0e6920b594e1cd5c4e6e68584f9a2efe4717b1e365d77b1d4df27bbc9a4

SHA512
c71443e16e63bc3f23046a9da8c9c3ab0a23532db6c333d188c19bc4c4d8bcce1386839dfe9c52231c49c9b34510e311cf03ca302edf34a6903efab6e4304d4a

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
71KB

MD5
41a1e590e9457804f1296db79ab9eb84

SHA1
061312f8f44237b99ae1c306b40532ea1c6d513a

SHA256
1ea3c81766e789acbe6f3df843eac1c30b00db827eb05a89c127656a1213c629

SHA512
4423c0d250f82e4d422e7c2879bbb4d79f3510654832b20c7572697e43b2f10f5715ee4532cf1482b875d5f27217b6a3f54e6a8432bd7edaa8eb46d323b2f01e

Download Submit
C:\Windows\SysWOW64\Cepjip32.dll

Filesize
7KB

MD5
a0259e014e054167082b4f73b19bca39

SHA1
8f089a20202d0098bfd40f6bb71f8206a4fd38ea

SHA256
e0d58d30006494f503b1a204533ee21e86608ba96bbb26d9fc546fd3bdeac28d

SHA512
feb7e47bf5d877c772823d51fd8aa2348f1feb68695d6e9957dbdb7fd5686a19de7bef27b984c916a48df11fb6c922a2001b37a2138bbc4cb6e6fad73f9351e1

Download Submit
C:\Windows\SysWOW64\Dndgfpbo.exe

Filesize
71KB

MD5
6033fa81e53d0a0480570f13849f3fd8

SHA1
41d7cb1516adee72faa9beb2be8946212020496e

SHA256
119445bb2fa593993bf267e4d5b8536f896c1e14444442d026475dfe9270e314

SHA512
baadfa49b8ec6b68018678ad9130c4eba7b464d685ff7ad9f7e7b78c31a17b30011b5109724ad663609aa06d22ca42a38b7804c34aec0d4f3a2635715f683567

Download Submit
C:\Windows\SysWOW64\Dolmodpi.exe

Filesize
71KB

MD5
4b613bee699846c382f290c1e5116887

SHA1
ba9393e5607f5b62dcdc0ec01463b167e95649c7

SHA256
c90b03903cb16d58dccf11981d0bade554bc5077de7e6558e8aa7b3fd5625f7e

SHA512
dc77302f6e6e15df08dc05fde00c12abaeb0ee93683a5612da1eafa6a78dcc4dce0b92f28646f6a32af581bba25505cd266969d7ad7b9327f073de55e4def5e6

Download Submit
C:\Windows\SysWOW64\Ebifmm32.exe

Filesize
71KB

MD5
f965fe1b5da970de2471de4e33a0b8df

SHA1
7bb2caf92d2707a3899af589038c31011e5e82b2

SHA256
4862c1a5a9e2d6750bb156670ddbbaad7d30b13c4473ce517fedda8c705f8810

SHA512
83efc5316364f5c2cdd70b6cfbe52588a87871bb10003f845d57343b425dbc5ab13f4de56f6acc87cd6ae3bfb14c87115d6ad1cd2db753fd6bc8c21266327920

Download Submit
C:\Windows\SysWOW64\Ekcgkb32.exe

Filesize
71KB

MD5
99ac0f881f1d3d7f966f128dc8a570bc

SHA1
802dee22d4f008c365da6abfc41566f5737821d8

SHA256
f644450edcf4989f31fe7ef3689ab1c4d8ce0ead760c4d963a64203cfbc06819

SHA512
cf66b25a9d90ca9c2ab4a9f5054012a7407f2f73222fad38d9a2661e620858b641ea08a4015a780974c7be22d7d2a831e942c414e2864c8d00366f8274fa809d

Download Submit
C:\Windows\SysWOW64\Enkmfolf.exe

Filesize
71KB

MD5
a212b20965c766338e9612e7c16e20d5

SHA1
3ff2883ce3f039d4308bbc45f593c76839b03654

SHA256
88d3c532643c86503186b2ae15d796aa4e2bce16285cf903af1c7f88bc03bbe5

SHA512
e69691ff12d73605c34439d7dc7e5cef990e47546b7176e16a460da2e10db18919d3b9a5f6f79deac0ad8fd11f2d83dcc7fd6500deadb527a8ffc06fe8d947f0

Download Submit
C:\Windows\SysWOW64\Eqdpgk32.exe

Filesize
71KB

MD5
f5696d6b98e85c9d077a17b87edcf78b

SHA1
690b5ba0bbd3820c56c7f99c76cfbe4316a07146

SHA256
c4d02ad82b6de9630b0fce6ca2278ed46372ac777cd887ad5b437df3bfd842e0

SHA512
1d75b244378c0fe495746a0ab3f58cb7bb39c44a360ad5d63e347fa8da9817e11bafbdc423df3cef44457d3e809821371303a84ee597469bcb988259df6a2e01

Download Submit
C:\Windows\SysWOW64\Fnkfmm32.exe

Filesize
71KB

MD5
1a936157ff12cc519aa4e0b634e7602a

SHA1
03864c18000483876d39edf9214727390b2e5620

SHA256
134736c131da24398d677b1823d269dabc81246dcf443028e2bbd9428cf0c108

SHA512
bc9664cac7fe14a8c0c5c3d804f7bd42a59f02d74f6445be3cb66dac90f9bc045192c18ee86f7f314b4555c3d1a433a3b1fd5cdf39d00626600aec6445e4c072

Download Submit
C:\Windows\SysWOW64\Geoapenf.exe

Filesize
71KB

MD5
4987b0f81b438c510f20d3eefa13e0d1

SHA1
79b616710ae0c283322ecd0cce9aaae447240c8d

SHA256
51656a707b2bd917565db1cd6ce232d5341e26f741298f81118ed467adc34c59

SHA512
397d6aa5beb54d2f65e629ab8505e1fefc7b05ac56a7fbea28ae6b85f9a7c3fb7d81b8a98fb25de60999e32902625375278b67a3218a31dd18993257e355dd11

Download Submit
C:\Windows\SysWOW64\Gnblnlhl.exe

Filesize
71KB

MD5
613ebc836d6931829e43bb25d2167a6e

SHA1
0b62694455367b3a5291f7179befa446af06af6e

SHA256
829d02b626e367bc8aa8e1c5024b4f2e6ec0ec5810dc240ac0e4d31b4cabfa39

SHA512
b8c04da13e69641b9d3ecdf9da8cff3c983ab78c6ac8419036a9a2891e828817d174a52f800d4184eabc2409f0cc63f53f5e7ec0ed5ce7ad0f1960d6e81b49ac

Download Submit
C:\Windows\SysWOW64\Hlblcn32.exe

Filesize
71KB

MD5
57f49a6cc4b711e7f12c58832cf8bff1

SHA1
55bc9822411ffa91ce45d2625db2fdd9efa38601

SHA256
5f3b75565b77c870d97888f48e681dbadbee12675852cda2c0fbc6c022aa657a

SHA512
df5abbdb20aec0a54a81d10cc7aaaf5569f84ca2bfedde288f824c5fa7a9d4d39e273d1902ddfaa4ded3dc47bc36eb4f1f3708b2751be5a95b5f95ab21faa742

Download Submit
C:\Windows\SysWOW64\Hldiinke.exe

Filesize
71KB

MD5
7a70a443965e9e263560e4d323162a9b

SHA1
3a9a1e4f2b0b820d2a5c892f9597e263c2114139

SHA256
55c9358b4f498d9fa6fda5647a1ac49dcaab86cbdc1875b223a9e6c099dab41b

SHA512
5f5150c0b1e50772d73aa147b5e01ad395d4e144ebcc74a1323e133e6fe454459d71443088f1cd937b3e580b54f0cd79f6518252879586c8404b9d6f36a6c228

Download Submit
C:\Windows\SysWOW64\Hnlodjpa.exe

Filesize
71KB

MD5
f8997b66d5763e8f6887c2220e21848c

SHA1
5ae7629b33969a8207669617162a03c3db127f30

SHA256
17bd8f86647eed3eb4cb11d913e72c2cda9ccc6bc4a4ed26d4370b2eee347d98

SHA512
7168af8d3b308823c250398b96f2c7516bab1db9f41dee75270335fd2d67e1b909ec0ce322a09593d460ea4c48a08189094268fde0933b92d8477a74a531835c

Download Submit
C:\Windows\SysWOW64\Hpfbcn32.exe

Filesize
71KB

MD5
4b76642c53630aa4ac5b32b9d77fd7ac

SHA1
2e1350efe03ce02490c7f77cb72cc242552a4010

SHA256
475d4ca7292dfea639007d0d02515f57dcd73032000c885b7db3686099a81b38

SHA512
99d0b5b739f36bac97bd7b008b507cb05d3d654ec323a4a0509c687f8d99c9f66eb70cf45362daf4d73f0da6882ef9d3fa73420f95a3777f382ec09d30176582

Download Submit
C:\Windows\SysWOW64\Ipkdek32.exe

Filesize
71KB

MD5
279f12346a12e5cbf805c3ea99433de5

SHA1
99b77a6b226c4f04a6c1817bb14456f0dc2e8f9e

SHA256
09380579767729ecaba39ba5391501af3b9325323d5ec64bb24830f7ca5c587b

SHA512
62a2daf22a6f9ab9bd0e09b4f38e6de290db1c5901747b8ba6109a3d6b8c84934871f3de351e2c66e612b331b1dc488e2e8c51faddcb17420581f5e12d27a80d

Download Submit
C:\Windows\SysWOW64\Jahqiaeb.exe

Filesize
71KB

MD5
83cd5cf27a9643fbd5038d3d043b2ba8

SHA1
b33e9082a472169c157b18933f4e550ed2c55a72

SHA256
f8debcc6db198fe8d719c3ec06129de613f5282255954cba7d9828248b67b6d4

SHA512
8e980833f7e64d0796221c90ecb7f12b66a41853bb10ca4216527515870c810ec2da85ec3b167a0e887babf1cda7ec320225346d2bca2e9cff79d6100887e93f

Download Submit
C:\Windows\SysWOW64\Jbagbebm.exe

Filesize
71KB

MD5
9ebd0c030582c7de1e9d4e749220634e

SHA1
c38c0dbd857667b39090a87a461dd7620fc8481c

SHA256
a30c837b9626c42838baf620bff035209ade1d38a65096f3be3dfd2214204921

SHA512
7d283c778c5d927710d9343b537be28fbeaaa8ad5f838d4407471646667ed812ed61b9a217e44a6f07be1ac0b54fcb09691751d21f72565b827de5563bfed3ca

Download Submit
C:\Windows\SysWOW64\Jblmgf32.exe

Filesize
71KB

MD5
1f065db6f06a9de440d4650a20b32c78

SHA1
2f7a5d98865d0be351f7cdfcb86e08437b5649ed

SHA256
1ce53c5900c59a8a303f804ec0c842fbf0d353f9a0a2eee28de615876c7de44a

SHA512
62d559e6e24cf2a4f162dde2d82448bed9346b5489be24be6e4629c9d3f704afc2048f7c14297275b783438197145a6ffcc79297ada86ec54e16bd157af1906a

Download Submit
C:\Windows\SysWOW64\Jpegkj32.exe

Filesize
71KB

MD5
a0b940088c6beebedc40fdd91960039f

SHA1
c3227ad6a818871bb848019d8de66810bc9af4e2

SHA256
c1b3008e048b782bce459c88c9408d02e4fef7b602249975dd4fdab48e14bbfe

SHA512
92a17709d99abf9172c783bf5671e0f7d85aa4551d6402b69643b9a64fbc19d38d9f4142d587d30da85ca07f4be36adc7cc2dcb535771f55b9fd80ccd32a1b64

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
71KB

MD5
53d30cc23e6beb4d164ab1686f162beb

SHA1
2fc2393a0590e925c4e819a3a0670877fc85e965

SHA256
938e85371a5863a749ed055952418f8a102a370b5158f008d6e3d91c3f1a613f

SHA512
56f729d1cf33affb630efdc5b953126f9e10edbac9ad770d2653c4898d70500e720c3bd709480da7b6e58fb643d5f6ad1997227fa1321f35cb250c936bf2c885

Download Submit
C:\Windows\SysWOW64\Khiofk32.exe

Filesize
71KB

MD5
82b9f6f12d1bfeb62ab2877c2393be49

SHA1
92fe644a4a7347404fb3bacf589b5b5d64dcee8c

SHA256
bdde48128ef735cbd844aaa66657d54cdf64384d8ad57f9a7534e72f5d9a7dcc

SHA512
c15e1461e3371274e6682fdd2c6678cbc3e821493b3ef5caaef4b29b4a13b29ce3698864c6200380f34700102fd2f1e6e3c063628e41d287eb45f727325e3893

Download Submit
C:\Windows\SysWOW64\Klbnajqc.exe

Filesize
71KB

MD5
17a05e2b5dd4f42bd6c0cd17b8c6131a

SHA1
cc1b627ebad69835487de7ef08b522bde4b2005d

SHA256
5ce7d23ae67cf907246b5357108f521d62399d4dc7ecff4bac3a7c4b5a93deac

SHA512
c9258f2099a0eb99267979270f6a53c058b7e85ed2e307e3fe2ed8eb89e17cd67eff1ee59afc8f64fdcc3b7408f1aa645570dcd172913639eb68834f84ee3398

Download Submit
C:\Windows\SysWOW64\Klggli32.exe

Filesize
71KB

MD5
80070ae0e598109b83811c61b9d45346

SHA1
17e7180c842dd1ed53cdaaaaab3ce1e86820ade1

SHA256
fdab724812f9828064e657cfa303b094df63c798f4a8ae500bcaa8bc161de586

SHA512
aea4afb7c413238da9a782e187010ccc05dab890c588c3e1dd1d89ba4d32b9ae5c7034f713a117306f83fefce5553ced69883628c92c5567ec3ecc0fbbd519cf

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
71KB

MD5
8fdb7865151a97b9f7498e626ac0423b

SHA1
2b38ab5851f091205a5348faf278cd136c9d7334

SHA256
00aad39b2ff203c21cf3dfb750b37f1dbbdf0dd5e401e26c2220dc91072b0228

SHA512
279a0064b4fc30b8f9eb95b532d490d06fd14cd9e684b131eef9578b24c9d451ffd1bca06e21464ebd2ad49286c622dd3757e37ac5adca0b836195c1fd5b2d3b

Download Submit
C:\Windows\SysWOW64\Lebijnak.exe

Filesize
71KB

MD5
629f22f33a2b8c98b137b020d51dfb61

SHA1
f12c1f0c814d9f9dbd439151d0b322d1beb5aeb6

SHA256
b2e7563eccfaf7e42d3b352bc8ca3168163c5397fad3b8d811842e0463fc49d6

SHA512
ee71613c91b195778dc4e5ac8da9778ab8aef883439359f4e279389424a7b934e23143f6c880aad454d28ba97e98165e7e0929d4530b9681f9cba51b4a45eff1

Download Submit
C:\Windows\SysWOW64\Ledepn32.exe

Filesize
71KB

MD5
d9b863360ce89190b21a547038375cfd

SHA1
c9ee975b87c7f05e7c091ea656327223a11af9cd

SHA256
8ec5eb6d6e3d75a644e0bf425e71b94802908e1af7ddcd10d9dfe2cbed559680

SHA512
54d1035415f577fa9cb8a5422d74cc372491cdfb3be7852f0c3bc6f8bb5eb25b80808682b0ba019e28fbc5d894b5681f38674ad02a6129301ebccf3b47a2461b

Download Submit
C:\Windows\SysWOW64\Ljbnfleo.exe

Filesize
71KB

MD5
7972f66cbee62c56549ac46e199cd978

SHA1
e694b89ddb07cb92221081a973cf9ae6d12441a5

SHA256
46671fd3821af93e34ad6b27cfd532912f399e6492b25b1bb5a1f9f0e3ae1925

SHA512
584e9582033a44060ad19bc7d4bfa8f09ce48b7fc718b7b505fb689d9c0495e29b2dce48669c4ae1639170c7733de186d8128ddb1acfb3875222a55ec2202142

Download Submit
C:\Windows\SysWOW64\Mhoahh32.exe

Filesize
71KB

MD5
55049ae699c838ddb882445f4ae97831

SHA1
5eee5e9a62eff5be18a0537336b80c33881cbf29

SHA256
2bfba825e1ed134cc51ddf10b2b73df530829db5883adc5143cac09d14aa0b1d

SHA512
582b3815e8076d1f9b6ab7d29e304c9ec90c42beed3a4a96852853521006b72ca8cb0f03c4eb482d51b7b1a62baf1b4a748b310ed2fb69a865a42fcfdb5083ab

Download Submit
C:\Windows\SysWOW64\Mlhqcgnk.exe

Filesize
71KB

MD5
b2b579f222a475c20d5cb7822c3135ea

SHA1
4fcb260da09dd4c0afefcb8ae472d9d9cbdb6c4b

SHA256
9e0dd37ea21fdbf4ca4471170abf0a6e3f01945096c5c6f48105ff6ed9a6345e

SHA512
6498ea537020fd4e10353a6d061f87aba03c3deb0a9d61416704da1e2af93f5453ea6a789a08ce20ced7115cee9389a81ba2471f56c431e3c341f1fff4b7f139

Download Submit
C:\Windows\SysWOW64\Ncmhko32.exe

Filesize
71KB

MD5
127a2341d5ce7d08d89165ebe9c37661

SHA1
084a0b3765cd682a6ed066a8f0691eb29db9b913

SHA256
5cbebd28c816c21b0effe08f57380dcc4f5f9580e763dae8de56906ddd38a446

SHA512
bd742449bea6d11a6e8ab996036244e81fcf89230f632bb5df46462227245ab3c984ec4b5a3d54126cd5cfea1bcc4b9251b230856b90559a821b0b5fee82466f

Download Submit
C:\Windows\SysWOW64\Omopjcjp.exe

Filesize
71KB

MD5
55f16ac271ce84e8a3ea7e50e0600922

SHA1
caa063e06813abe9c9bebbf4f95020e65d061d62

SHA256
365f3fe73cc1a358654a323ad4a85324d306539062a3f849fb54783272893dc0

SHA512
6c87a773e5778493491e292da562164aa7f0cdef2d363890c2071c8bbb3e232e719c4ee6e1258e3a0d6da6d80784b6a974e356fe5d8cf7383a2aa2747b325fe0

Download Submit
C:\Windows\SysWOW64\Pcgdhkem.exe

Filesize
71KB

MD5
867207e8ea7a911b07573e2cd43b4879

SHA1
afff44488ca118c972fba3d195d9c12aa5a9c1f5

SHA256
2ab0c0f8c7c1b6ac72c965edaedcb8542da6eeabe9f57ce0564337592b536f8a

SHA512
5a65d33a88bf8de54e781879c8ed813c6a0936d1ac2dbaedcd85013aa9f530a62a6de20b72e1d5519ba7e46f3198add9d7dc7907037f2f0de2ebea1d6d5fe27a

Download Submit
C:\Windows\SysWOW64\Pfccogfc.exe

Filesize
71KB

MD5
e38139a861cc55d5d6958ac689bd7d3f

SHA1
b85807b421cb3f81525576f79b102cae8c543959

SHA256
9fcd6ace3d7f9279394d40bf9cc5afbb35c3e088fdd978810566191e762379f6

SHA512
90a86785bacb784db6ca3d9483b03bd6beb0b01ea0e265bf1e08adcb1248848e75238f283611a5f026329c258271dd3aace880dda70dab45a8d7eab5134b08f7

Download Submit
C:\Windows\SysWOW64\Qpbnhl32.exe

Filesize
71KB

MD5
8b6e73c50485d6541af23791b2d9a057

SHA1
23b86e6427d88100810e14d67f2ec6f8f5287962

SHA256
04bdbd9648873e02ccd6971e573a33be58f30612ab724ef4586ee5025a437eaf

SHA512
4c8658ece23912471c09b8505937e9a7cef5bce6528264bdd1b97ea312c46d16c9dfb54939d8ca014591aea7554469f983551efa6530b1cd3d8f13e6c2f9f8f4

Download Submit
memory/660-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/748-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/884-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/896-391-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/896-443-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1084-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1084-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1420-208-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1708-453-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1708-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1748-463-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1748-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1812-446-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1812-364-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1872-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1872-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1968-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1972-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1976-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1992-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1992-447-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1996-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2024-183-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2032-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2060-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2084-310-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2084-456-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2112-441-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2112-406-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2160-199-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2196-445-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2196-382-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-103-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2240-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2240-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2248-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2248-462-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-437-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2344-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2344-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2392-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2404-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2404-460-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2688-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2688-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2744-457-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2744-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2784-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2784-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2892-416-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-469-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3120-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3152-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3380-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3420-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3520-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3616-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3616-464-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3788-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3788-438-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3828-465-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3828-256-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3868-452-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3868-334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4028-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4056-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4056-454-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4292-451-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4292-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4304-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4352-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4448-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4448-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4536-352-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4536-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4552-435-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4572-444-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4572-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4576-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4576-450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4668-159-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4672-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4672-248-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4784-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4888-455-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4888-316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4952-461-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4952-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5000-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5012-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5012-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5072-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads