87163be2d4da27136869eb6cb62a55a136509278d4d2e0cafe7de9e3bad86357

Analysis

max time kernel
202s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe
Size

91KB
MD5

b20ac9b156a2f114cf70a67d15438c59
SHA1

0d157e4a00a473671568bc27347e70fb1f2e5023
SHA256

87163be2d4da27136869eb6cb62a55a136509278d4d2e0cafe7de9e3bad86357
SHA512

17ca1a5ee721b6c8cf1f8d3c3dd7da309f5623d0a41a453883aeaa2d4b4d560358745eb3b8dca8f3acf36903987f3ccb1c987c9a574666dbfde2a687b2da6f2d
SSDEEP

1536:7Rc7u0+pzuSvKW0O6gsin76oNvHst+CTLP11NbC/6rsgxOUdFExK2mN2c:Eu00zT76gsin76oFMwCTHNeCrr0UdqKH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noaeqjpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcjldk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mociol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlbpma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nconfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhiabbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leoejh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noaeqjpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlbpma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odedipge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qelcamcj.exe

Executes dropped EXE 29 IoCs

pid	Process
3096	Khkdad32.exe
1604	Leoejh32.exe
4960	Lklnconj.exe
3080	Lhpnlclc.exe
1648	Ledoegkm.exe
1360	Lolcnman.exe
4788	Lcjldk32.exe
676	Mlbpma32.exe
4176	Mhiabbdi.exe
4292	Mociol32.exe
5056	Mcabej32.exe
4580	Mhpgca32.exe
3988	Mdghhb32.exe
2668	Nakhaf32.exe
4936	Noaeqjpe.exe
436	Nconfh32.exe
2928	Nlgbon32.exe
4532	Odbgdp32.exe
3752	Obfhmd32.exe
5084	Odedipge.exe
4980	Ookhfigk.exe
2292	Oomelheh.exe
4316	Ocknbglo.exe
3076	Ocmjhfjl.exe
3404	Pehjfm32.exe
2888	Qifbll32.exe
2660	Qelcamcj.exe
3264	Aijlgkjq.exe
4588	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mhpgca32.exe	Mcabej32.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Odbgdp32.exe	Nlgbon32.exe
File opened for modification	C:\Windows\SysWOW64\Odbgdp32.exe	Nlgbon32.exe
File created	C:\Windows\SysWOW64\Obfhmd32.exe	Odbgdp32.exe
File created	C:\Windows\SysWOW64\Mhiabbdi.exe	Mlbpma32.exe
File opened for modification	C:\Windows\SysWOW64\Mhiabbdi.exe	Mlbpma32.exe
File created	C:\Windows\SysWOW64\Mhpgca32.exe	Mcabej32.exe
File opened for modification	C:\Windows\SysWOW64\Ocknbglo.exe	Oomelheh.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Ocknbglo.exe
File opened for modification	C:\Windows\SysWOW64\Mdghhb32.exe	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Odedipge.exe	Obfhmd32.exe
File created	C:\Windows\SysWOW64\Oomelheh.exe	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Qelcamcj.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Leoejh32.exe	Khkdad32.exe
File created	C:\Windows\SysWOW64\Jmgdeb32.dll	Lolcnman.exe
File created	C:\Windows\SysWOW64\Dfidek32.dll	Lcjldk32.exe
File created	C:\Windows\SysWOW64\Cdkdne32.dll	Qifbll32.exe
File created	C:\Windows\SysWOW64\Hmmppdij.dll	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Lolcnman.exe	Ledoegkm.exe
File opened for modification	C:\Windows\SysWOW64\Qelcamcj.exe	Qifbll32.exe
File opened for modification	C:\Windows\SysWOW64\Ledoegkm.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Qifbll32.exe	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Qifbll32.exe	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Ichnpf32.dll	Khkdad32.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Leoejh32.exe
File created	C:\Windows\SysWOW64\Lhpnlclc.exe	Lklnconj.exe
File opened for modification	C:\Windows\SysWOW64\Obfhmd32.exe	Odbgdp32.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Aijlgkjq.exe
File opened for modification	C:\Windows\SysWOW64\Oomelheh.exe	Ookhfigk.exe
File opened for modification	C:\Windows\SysWOW64\Lolcnman.exe	Ledoegkm.exe
File opened for modification	C:\Windows\SysWOW64\Lcjldk32.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Jbjabqbh.dll	Mcabej32.exe
File opened for modification	C:\Windows\SysWOW64\Nlgbon32.exe	Nconfh32.exe
File opened for modification	C:\Windows\SysWOW64\Odedipge.exe	Obfhmd32.exe
File created	C:\Windows\SysWOW64\Kkacdofa.dll	Ookhfigk.exe
File opened for modification	C:\Windows\SysWOW64\Mcabej32.exe	Mociol32.exe
File created	C:\Windows\SysWOW64\Nakhaf32.exe	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Omclnn32.dll	Noaeqjpe.exe
File created	C:\Windows\SysWOW64\Iagpbgig.dll	Mociol32.exe
File created	C:\Windows\SysWOW64\Kjejmalo.dll	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe
File opened for modification	C:\Windows\SysWOW64\Lklnconj.exe	Leoejh32.exe
File created	C:\Windows\SysWOW64\Lcjldk32.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Ookhfigk.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Ocknbglo.exe	Oomelheh.exe
File created	C:\Windows\SysWOW64\Ocmjhfjl.exe	Ocknbglo.exe
File created	C:\Windows\SysWOW64\Ohhbfe32.dll	Mhpgca32.exe
File opened for modification	C:\Windows\SysWOW64\Noaeqjpe.exe	Nakhaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ookhfigk.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Pehjfm32.exe	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Aijlgkjq.exe
File opened for modification	C:\Windows\SysWOW64\Khkdad32.exe	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe
File created	C:\Windows\SysWOW64\Jjfaml32.dll	Mlbpma32.exe
File created	C:\Windows\SysWOW64\Mociol32.exe	Mhiabbdi.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Aijlgkjq.exe
File opened for modification	C:\Windows\SysWOW64\Lhpnlclc.exe	Lklnconj.exe
File opened for modification	C:\Windows\SysWOW64\Mociol32.exe	Mhiabbdi.exe
File opened for modification	C:\Windows\SysWOW64\Pehjfm32.exe	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Khkdad32.exe	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe
File created	C:\Windows\SysWOW64\Oofial32.dll	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Mlbpma32.exe	Lcjldk32.exe
File opened for modification	C:\Windows\SysWOW64\Nconfh32.exe	Noaeqjpe.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgdeb32.dll"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhbfe32.dll"	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omclnn32.dll"	Noaeqjpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfidek32.dll"	Lcjldk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhiabbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbdmc32.dll"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll"	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfaml32.dll"	Mlbpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mociol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbjabqbh.dll"	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfhegp32.dll"	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcjldk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mociol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngkpgkbd.dll"	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobdnbdn.dll"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkdne32.dll"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noaeqjpe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmmnbnl.dll"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll"	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichnpf32.dll"	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkacdofa.dll"	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofial32.dll"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagpbgig.dll"	Mociol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjbpbd32.dll"	Odedipge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leoejh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlbpma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipiddlhk.dll"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlbpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhalpn32.dll"	Mhiabbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjejmalo.dll"	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcjldk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Leoejh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 3096	4644	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe	88
PID 4644 wrote to memory of 3096	4644	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe	88
PID 4644 wrote to memory of 3096	4644	NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe	88
PID 3096 wrote to memory of 1604	3096	Khkdad32.exe	89
PID 3096 wrote to memory of 1604	3096	Khkdad32.exe	89
PID 3096 wrote to memory of 1604	3096	Khkdad32.exe	89
PID 1604 wrote to memory of 4960	1604	Leoejh32.exe	90
PID 1604 wrote to memory of 4960	1604	Leoejh32.exe	90
PID 1604 wrote to memory of 4960	1604	Leoejh32.exe	90
PID 4960 wrote to memory of 3080	4960	Lklnconj.exe	91
PID 4960 wrote to memory of 3080	4960	Lklnconj.exe	91
PID 4960 wrote to memory of 3080	4960	Lklnconj.exe	91
PID 3080 wrote to memory of 1648	3080	Lhpnlclc.exe	92
PID 3080 wrote to memory of 1648	3080	Lhpnlclc.exe	92
PID 3080 wrote to memory of 1648	3080	Lhpnlclc.exe	92
PID 1648 wrote to memory of 1360	1648	Ledoegkm.exe	93
PID 1648 wrote to memory of 1360	1648	Ledoegkm.exe	93
PID 1648 wrote to memory of 1360	1648	Ledoegkm.exe	93
PID 1360 wrote to memory of 4788	1360	Lolcnman.exe	94
PID 1360 wrote to memory of 4788	1360	Lolcnman.exe	94
PID 1360 wrote to memory of 4788	1360	Lolcnman.exe	94
PID 4788 wrote to memory of 676	4788	Lcjldk32.exe	95
PID 4788 wrote to memory of 676	4788	Lcjldk32.exe	95
PID 4788 wrote to memory of 676	4788	Lcjldk32.exe	95
PID 676 wrote to memory of 4176	676	Mlbpma32.exe	96
PID 676 wrote to memory of 4176	676	Mlbpma32.exe	96
PID 676 wrote to memory of 4176	676	Mlbpma32.exe	96
PID 4176 wrote to memory of 4292	4176	Mhiabbdi.exe	97
PID 4176 wrote to memory of 4292	4176	Mhiabbdi.exe	97
PID 4176 wrote to memory of 4292	4176	Mhiabbdi.exe	97
PID 4292 wrote to memory of 5056	4292	Mociol32.exe	98
PID 4292 wrote to memory of 5056	4292	Mociol32.exe	98
PID 4292 wrote to memory of 5056	4292	Mociol32.exe	98
PID 5056 wrote to memory of 4580	5056	Mcabej32.exe	99
PID 5056 wrote to memory of 4580	5056	Mcabej32.exe	99
PID 5056 wrote to memory of 4580	5056	Mcabej32.exe	99
PID 4580 wrote to memory of 3988	4580	Mhpgca32.exe	100
PID 4580 wrote to memory of 3988	4580	Mhpgca32.exe	100
PID 4580 wrote to memory of 3988	4580	Mhpgca32.exe	100
PID 3988 wrote to memory of 2668	3988	Mdghhb32.exe	101
PID 3988 wrote to memory of 2668	3988	Mdghhb32.exe	101
PID 3988 wrote to memory of 2668	3988	Mdghhb32.exe	101
PID 2668 wrote to memory of 4936	2668	Nakhaf32.exe	103
PID 2668 wrote to memory of 4936	2668	Nakhaf32.exe	103
PID 2668 wrote to memory of 4936	2668	Nakhaf32.exe	103
PID 4936 wrote to memory of 436	4936	Noaeqjpe.exe	104
PID 4936 wrote to memory of 436	4936	Noaeqjpe.exe	104
PID 4936 wrote to memory of 436	4936	Noaeqjpe.exe	104
PID 436 wrote to memory of 2928	436	Nconfh32.exe	105
PID 436 wrote to memory of 2928	436	Nconfh32.exe	105
PID 436 wrote to memory of 2928	436	Nconfh32.exe	105
PID 2928 wrote to memory of 4532	2928	Nlgbon32.exe	106
PID 2928 wrote to memory of 4532	2928	Nlgbon32.exe	106
PID 2928 wrote to memory of 4532	2928	Nlgbon32.exe	106
PID 4532 wrote to memory of 3752	4532	Odbgdp32.exe	107
PID 4532 wrote to memory of 3752	4532	Odbgdp32.exe	107
PID 4532 wrote to memory of 3752	4532	Odbgdp32.exe	107
PID 3752 wrote to memory of 5084	3752	Obfhmd32.exe	108
PID 3752 wrote to memory of 5084	3752	Obfhmd32.exe	108
PID 3752 wrote to memory of 5084	3752	Obfhmd32.exe	108
PID 5084 wrote to memory of 4980	5084	Odedipge.exe	109
PID 5084 wrote to memory of 4980	5084	Odedipge.exe	109
PID 5084 wrote to memory of 4980	5084	Odedipge.exe	109
PID 4980 wrote to memory of 2292	4980	Ookhfigk.exe	110

C:\Users\Admin\AppData\Local\Temp\NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b20ac9b156a2f114cf70a67d15438c59_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\SysWOW64\Khkdad32.exe
  C:\Windows\system32\Khkdad32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SysWOW64\Leoejh32.exe
    C:\Windows\system32\Leoejh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\Lklnconj.exe
      C:\Windows\system32\Lklnconj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
      - C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        30⤵
        Executes dropped EXE
        
        PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aijlgkjq.exe

Filesize
91KB

MD5
c35f8edeac1aa49989560f972bf90d97

SHA1
9f862e43d6a52f9acec8d6790247499f6a40a646

SHA256
8c11b9b64b6c4366b8742e8ab626ac3283c5229b9c75da57406b7487cbfae42e

SHA512
2195a76c951fe308f8cc0dbc0a141a07ab1c2a966621fb28a50716542ee47e378500d531c0aea094ec2e8c04874acdbf087ec30dce0c3f0ef7b04a0da8981eba

Download Submit
C:\Windows\SysWOW64\Aijlgkjq.exe

Filesize
91KB

MD5
c35f8edeac1aa49989560f972bf90d97

SHA1
9f862e43d6a52f9acec8d6790247499f6a40a646

SHA256
8c11b9b64b6c4366b8742e8ab626ac3283c5229b9c75da57406b7487cbfae42e

SHA512
2195a76c951fe308f8cc0dbc0a141a07ab1c2a966621fb28a50716542ee47e378500d531c0aea094ec2e8c04874acdbf087ec30dce0c3f0ef7b04a0da8981eba

Download Submit
C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
91KB

MD5
ea95726b6ebec8bfa9de14fe7ba8d860

SHA1
a858dc666caf93f98434b7bfec4fd5d3012d5388

SHA256
1809420b3aff6dca9eaa7486ccdb0b21749cf6e13a60933ab352f568ec7b4f2b

SHA512
8bee8d41fba741f2ccb0810d808368e32ea4ffbc2305740bcbc3e7e353524d48faa6619eea123ce0e85b16b4efbf58c37226f8bf606df1b29272ad26248201c1

Download Submit
C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
91KB

MD5
ea95726b6ebec8bfa9de14fe7ba8d860

SHA1
a858dc666caf93f98434b7bfec4fd5d3012d5388

SHA256
1809420b3aff6dca9eaa7486ccdb0b21749cf6e13a60933ab352f568ec7b4f2b

SHA512
8bee8d41fba741f2ccb0810d808368e32ea4ffbc2305740bcbc3e7e353524d48faa6619eea123ce0e85b16b4efbf58c37226f8bf606df1b29272ad26248201c1

Download Submit
C:\Windows\SysWOW64\Khkdad32.exe

Filesize
91KB

MD5
99fca886a3dd967edb4611de00be6b82

SHA1
9b62acaa17318310254a2721f7c76dcf2c0a862e

SHA256
b74bf60b732dde4b08b096402032534083614ca3d4c589f1b595a88bcf2cb3d0

SHA512
d2e9ac29170b431ba142d57b8631082b60b2fd46bd0bcc920c45250171a11ad2da34d9fac8bf9b9cfbc9dc3c44b9cf03395c605a354746ecc9c1b936f6029744

Download Submit
C:\Windows\SysWOW64\Khkdad32.exe

Filesize
91KB

MD5
99fca886a3dd967edb4611de00be6b82

SHA1
9b62acaa17318310254a2721f7c76dcf2c0a862e

SHA256
b74bf60b732dde4b08b096402032534083614ca3d4c589f1b595a88bcf2cb3d0

SHA512
d2e9ac29170b431ba142d57b8631082b60b2fd46bd0bcc920c45250171a11ad2da34d9fac8bf9b9cfbc9dc3c44b9cf03395c605a354746ecc9c1b936f6029744

Download Submit
C:\Windows\SysWOW64\Lcjldk32.exe

Filesize
91KB

MD5
3525fcb8bce69faa9614b6839c1adc0f

SHA1
4222c06e230a9f0912f449caaec16b95d95180ba

SHA256
de14ea35a3c113e77fc157317cf8f1c649875cd47dc818cf6c1e276a456e2520

SHA512
b448621f24e05f67989eb69b81b689f5d4769a8afb2d28ea81112b77011f0662e80cdfa52e235b60f2dc47b60a7c09dcf92f11e5305803d30678f392f7e73eac

Download Submit
C:\Windows\SysWOW64\Lcjldk32.exe

Filesize
91KB

MD5
3525fcb8bce69faa9614b6839c1adc0f

SHA1
4222c06e230a9f0912f449caaec16b95d95180ba

SHA256
de14ea35a3c113e77fc157317cf8f1c649875cd47dc818cf6c1e276a456e2520

SHA512
b448621f24e05f67989eb69b81b689f5d4769a8afb2d28ea81112b77011f0662e80cdfa52e235b60f2dc47b60a7c09dcf92f11e5305803d30678f392f7e73eac

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
91KB

MD5
e2bc9f7e9045eb011f033e02e32d0f2b

SHA1
1f38d128af8a049be83be3fbddc80bb477e6e172

SHA256
4722f89a4b38f658d48f030befb2dc3e705a729dbbac8f8a7fa81d89dd5a29d9

SHA512
8c78ce3ed396187ae037d39ba0e4e416371cc927d7949500f6d6ce85398c5cfcd1212bcc7da14a14f264eeeac455cba6a08c9e7847ab4c401a704d30130de90c

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
91KB

MD5
e2bc9f7e9045eb011f033e02e32d0f2b

SHA1
1f38d128af8a049be83be3fbddc80bb477e6e172

SHA256
4722f89a4b38f658d48f030befb2dc3e705a729dbbac8f8a7fa81d89dd5a29d9

SHA512
8c78ce3ed396187ae037d39ba0e4e416371cc927d7949500f6d6ce85398c5cfcd1212bcc7da14a14f264eeeac455cba6a08c9e7847ab4c401a704d30130de90c

Download Submit
C:\Windows\SysWOW64\Leoejh32.exe

Filesize
91KB

MD5
6fbb0762aaf89241f44447431f01222a

SHA1
6b1cdf8bac9ea4b690a3f8a65301eaa23a948fc4

SHA256
3bff3a146d6e7f24dcb70540f9fa9bc91a6cda8a7ae58a9bc495fea14d04b4f2

SHA512
48a08d3f8634740f2f3128666f59a073c9254a98fa890b3c7592421cebddf53271b62c6df507dd43e471f33dbc7502de1bbc4839e261b841327b475c1ea886e7

Download Submit
C:\Windows\SysWOW64\Leoejh32.exe

Filesize
91KB

MD5
6fbb0762aaf89241f44447431f01222a

SHA1
6b1cdf8bac9ea4b690a3f8a65301eaa23a948fc4

SHA256
3bff3a146d6e7f24dcb70540f9fa9bc91a6cda8a7ae58a9bc495fea14d04b4f2

SHA512
48a08d3f8634740f2f3128666f59a073c9254a98fa890b3c7592421cebddf53271b62c6df507dd43e471f33dbc7502de1bbc4839e261b841327b475c1ea886e7

Download Submit
C:\Windows\SysWOW64\Lhpnlclc.exe

Filesize
91KB

MD5
a1676ff0e041555c4e51271b870e94d0

SHA1
fff2fc4b4643caeb57f13d817963fbb976289f96

SHA256
73b2f3f3edd290c2c82fda778831dd653e93453fe2b674ed3e3b2235ba1920d6

SHA512
a372f137ba2ac0e99bf06b4ccbf1f7f94176cacfc63fafea7bb7c358070bdc7512df02e2bf5923e565593c971355fe318160a09e13279045d8eb325368431bf4

Download Submit
C:\Windows\SysWOW64\Lhpnlclc.exe

Filesize
91KB

MD5
a1676ff0e041555c4e51271b870e94d0

SHA1
fff2fc4b4643caeb57f13d817963fbb976289f96

SHA256
73b2f3f3edd290c2c82fda778831dd653e93453fe2b674ed3e3b2235ba1920d6

SHA512
a372f137ba2ac0e99bf06b4ccbf1f7f94176cacfc63fafea7bb7c358070bdc7512df02e2bf5923e565593c971355fe318160a09e13279045d8eb325368431bf4

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
91KB

MD5
7e9cfd9ed980b957096123d465c55805

SHA1
87a6800f809ae50aa71b0b00232b0dae95b15813

SHA256
9202f1e163c62c4c2b695a0a3c705db3d98b2af07ee7f01e222255343a2a805a

SHA512
33d1e4042860bdf29e67f1d95698fa4055ef78a390e84d531a056971a52324ce27fc314800f69be6670e5263599b27d07fdf7a254ea6d6d974a4374bbd572363

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
91KB

MD5
7e9cfd9ed980b957096123d465c55805

SHA1
87a6800f809ae50aa71b0b00232b0dae95b15813

SHA256
9202f1e163c62c4c2b695a0a3c705db3d98b2af07ee7f01e222255343a2a805a

SHA512
33d1e4042860bdf29e67f1d95698fa4055ef78a390e84d531a056971a52324ce27fc314800f69be6670e5263599b27d07fdf7a254ea6d6d974a4374bbd572363

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe

Filesize
91KB

MD5
755c52d30a808fb22e5442fae7d6ca13

SHA1
17dba38171eb513812e9aa718d3e3ce30bde6e12

SHA256
08ed6eebf830e50c72d7f3ed06bc83ebfda9a1ea8511bcf31b11b3e30b2f389a

SHA512
1a420f96a46a132c6c65be4f8b71a67bc36efdee08db5d3a4118f1044adc57c24a036655dca56d6860652459116076ec4be2bf6761aa33c1e68886bd66c3df5c

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe

Filesize
91KB

MD5
755c52d30a808fb22e5442fae7d6ca13

SHA1
17dba38171eb513812e9aa718d3e3ce30bde6e12

SHA256
08ed6eebf830e50c72d7f3ed06bc83ebfda9a1ea8511bcf31b11b3e30b2f389a

SHA512
1a420f96a46a132c6c65be4f8b71a67bc36efdee08db5d3a4118f1044adc57c24a036655dca56d6860652459116076ec4be2bf6761aa33c1e68886bd66c3df5c

Download Submit
C:\Windows\SysWOW64\Mcabej32.exe

Filesize
91KB

MD5
6fb81441bd99293fc16d7bcac9bd614e

SHA1
cd7dcc650e5767c80f5732b334969141bd45a13b

SHA256
f5a5daff2bd272a2fe0195f5afb44581bdd936d147893eaef1fc1d3490d524aa

SHA512
554ecdc6b2f0c76b3a18c6e07a5d905f7ae9d146af15d2992d63c05e80f2dc7f97cfc2a8050f1974985b6a1e38d95f1e25b6c660869363096e5a793d4c11b34d

Download Submit
C:\Windows\SysWOW64\Mcabej32.exe

Filesize
91KB

MD5
6fb81441bd99293fc16d7bcac9bd614e

SHA1
cd7dcc650e5767c80f5732b334969141bd45a13b

SHA256
f5a5daff2bd272a2fe0195f5afb44581bdd936d147893eaef1fc1d3490d524aa

SHA512
554ecdc6b2f0c76b3a18c6e07a5d905f7ae9d146af15d2992d63c05e80f2dc7f97cfc2a8050f1974985b6a1e38d95f1e25b6c660869363096e5a793d4c11b34d

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
91KB

MD5
ef964bc54144bb0d2255d845e5a4f51f

SHA1
b459b8fe5f983f29525ec37c065188f2b05f61d2

SHA256
6718344e04012c6e5aa7894019085070d49fddfc562bdf147e8caf66a034c95c

SHA512
768895f9749dfe27bd44755c5c189f7bd66683641cd6f37bbb4336e93254047c33f4abd6793dda782b25a357db3cf73af7d8594d5bd525605112178195e7615d

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
91KB

MD5
ef964bc54144bb0d2255d845e5a4f51f

SHA1
b459b8fe5f983f29525ec37c065188f2b05f61d2

SHA256
6718344e04012c6e5aa7894019085070d49fddfc562bdf147e8caf66a034c95c

SHA512
768895f9749dfe27bd44755c5c189f7bd66683641cd6f37bbb4336e93254047c33f4abd6793dda782b25a357db3cf73af7d8594d5bd525605112178195e7615d

Download Submit
C:\Windows\SysWOW64\Mhiabbdi.exe

Filesize
91KB

MD5
1f5f84b2eb374bc47adea6bfa27a80c6

SHA1
69e7b6fdefc6134001d957dcc50f41e72f91a1b8

SHA256
f04c47d17e140e58d2b2d163b145086bf5266dfa2a188ffec510756ae439d55d

SHA512
f75ebd4566bdd529b4c7fd5bfda85894bb34a9f3690816eb3f835fe58397d6b04e06480d61e93273de84a728179a32b923a56a1640b1c6bfe497bd47ab284b59

Download Submit
C:\Windows\SysWOW64\Mhiabbdi.exe

Filesize
91KB

MD5
1f5f84b2eb374bc47adea6bfa27a80c6

SHA1
69e7b6fdefc6134001d957dcc50f41e72f91a1b8

SHA256
f04c47d17e140e58d2b2d163b145086bf5266dfa2a188ffec510756ae439d55d

SHA512
f75ebd4566bdd529b4c7fd5bfda85894bb34a9f3690816eb3f835fe58397d6b04e06480d61e93273de84a728179a32b923a56a1640b1c6bfe497bd47ab284b59

Download Submit
C:\Windows\SysWOW64\Mhpgca32.exe

Filesize
91KB

MD5
0d39cf93f690aed4f56777611e1ea024

SHA1
7bbfce7d7d3ce3feeb344633533d04c084877a36

SHA256
ee6c2f6807bf1605cb3f5d2c1140be0220f8d8d184cee0d69f04a42b3e402513

SHA512
317cdf8556f1f9491a2c6c2c675560a56b3ff3b1de33278961fe24b53f504cfde9aef3736a42504fdfe39da10aa93b43f96fb69bd05ad3a751c0b2ebd332da8c

Download Submit
C:\Windows\SysWOW64\Mhpgca32.exe

Filesize
91KB

MD5
0d39cf93f690aed4f56777611e1ea024

SHA1
7bbfce7d7d3ce3feeb344633533d04c084877a36

SHA256
ee6c2f6807bf1605cb3f5d2c1140be0220f8d8d184cee0d69f04a42b3e402513

SHA512
317cdf8556f1f9491a2c6c2c675560a56b3ff3b1de33278961fe24b53f504cfde9aef3736a42504fdfe39da10aa93b43f96fb69bd05ad3a751c0b2ebd332da8c

Download Submit
C:\Windows\SysWOW64\Mlbpma32.exe

Filesize
91KB

MD5
ddf4c4fc175146f976074f4750018e9b

SHA1
405da054e2ad2a4b8f9a7d7f4fcb9c8adcbe1e0f

SHA256
cbaccb572f907f773778ec778a8d74744960fcac59d1b39855dbbd27f2bb5c92

SHA512
3b9f1630cba6e23f69b9b72f85e19b6af52f1db4f209137d2ccec331cc9aaf2021f38a1bb8b10643db682ec9e96101af6d4fe9fd16e45018e158181e247260f0

Download Submit
C:\Windows\SysWOW64\Mlbpma32.exe

Filesize
91KB

MD5
ddf4c4fc175146f976074f4750018e9b

SHA1
405da054e2ad2a4b8f9a7d7f4fcb9c8adcbe1e0f

SHA256
cbaccb572f907f773778ec778a8d74744960fcac59d1b39855dbbd27f2bb5c92

SHA512
3b9f1630cba6e23f69b9b72f85e19b6af52f1db4f209137d2ccec331cc9aaf2021f38a1bb8b10643db682ec9e96101af6d4fe9fd16e45018e158181e247260f0

Download Submit
C:\Windows\SysWOW64\Mociol32.exe

Filesize
91KB

MD5
ea7761a4cc8bb3e0f2616d1bea5e547c

SHA1
becb41b091059eac31ddbc9cceff30f33a892d5a

SHA256
32fa2867514f291ea5bdc6a124db3234a00d5a11c99d8e2cdda20213c383f861

SHA512
58eda6a55041e785a44050797ee476f8e0e49cfff73629c957a3c8d6d938e5200aa289562ee111c5eef5c1b81f490990f33f11d0bd4846f39f536ec8e1f70dce

Download Submit
C:\Windows\SysWOW64\Mociol32.exe

Filesize
91KB

MD5
ea7761a4cc8bb3e0f2616d1bea5e547c

SHA1
becb41b091059eac31ddbc9cceff30f33a892d5a

SHA256
32fa2867514f291ea5bdc6a124db3234a00d5a11c99d8e2cdda20213c383f861

SHA512
58eda6a55041e785a44050797ee476f8e0e49cfff73629c957a3c8d6d938e5200aa289562ee111c5eef5c1b81f490990f33f11d0bd4846f39f536ec8e1f70dce

Download Submit
C:\Windows\SysWOW64\Nakhaf32.exe

Filesize
91KB

MD5
a5c91f7bc8193f8bebd7e76c6792f35a

SHA1
75013b96bef1e13252aa52f79e6b4f594bf96ffe

SHA256
1c12b6e8be901b4d989f32df2690573e8fe8ff111aac182b02480b7feb140406

SHA512
80768bde8655aac023159593024412f2efe2dcf4422535639af14326573b7ed11c1ceeec7058b89445f4c75e39f7f1009945eab326d28999d288922db210368e

Download Submit
C:\Windows\SysWOW64\Nakhaf32.exe

Filesize
91KB

MD5
a5c91f7bc8193f8bebd7e76c6792f35a

SHA1
75013b96bef1e13252aa52f79e6b4f594bf96ffe

SHA256
1c12b6e8be901b4d989f32df2690573e8fe8ff111aac182b02480b7feb140406

SHA512
80768bde8655aac023159593024412f2efe2dcf4422535639af14326573b7ed11c1ceeec7058b89445f4c75e39f7f1009945eab326d28999d288922db210368e

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
91KB

MD5
a6952024b9d37598000742bd1c50bace

SHA1
5541b2e68d3f3194ba20d4b09ffa0dda3f825b50

SHA256
ba9588c3867d4574d4c67f1fffc89ff38f22e83da99ecf0a8c84a848ca581c18

SHA512
a80595d1ade262a5d485ab2dcbf9cc0c0556b4392ff78d7cd1284b0880e7c38a224c4d652873e99a54394abdcd3a0f1fc2f6b75eab0fc9a567c1bbd92d5dbac1

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
91KB

MD5
a6952024b9d37598000742bd1c50bace

SHA1
5541b2e68d3f3194ba20d4b09ffa0dda3f825b50

SHA256
ba9588c3867d4574d4c67f1fffc89ff38f22e83da99ecf0a8c84a848ca581c18

SHA512
a80595d1ade262a5d485ab2dcbf9cc0c0556b4392ff78d7cd1284b0880e7c38a224c4d652873e99a54394abdcd3a0f1fc2f6b75eab0fc9a567c1bbd92d5dbac1

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
91KB

MD5
7a275fa8cad6689c9c41d9622bf047a9

SHA1
781a05d84d8eda6131a31d766167025db82fa5d3

SHA256
adf60975f406a4ee5fb1b3e7938d2a1bd59d43d50bf4638678133e5d21b14ceb

SHA512
01ccce1393155abf9fca62454ad5110060fbd5567db1e09c5f88c557df870e70b8ee73d10593c5ba130d7a65187b981fc0e68b0acaf30c18f34b11ef8cd6aa1f

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
91KB

MD5
7a275fa8cad6689c9c41d9622bf047a9

SHA1
781a05d84d8eda6131a31d766167025db82fa5d3

SHA256
adf60975f406a4ee5fb1b3e7938d2a1bd59d43d50bf4638678133e5d21b14ceb

SHA512
01ccce1393155abf9fca62454ad5110060fbd5567db1e09c5f88c557df870e70b8ee73d10593c5ba130d7a65187b981fc0e68b0acaf30c18f34b11ef8cd6aa1f

Download Submit
C:\Windows\SysWOW64\Noaeqjpe.exe

Filesize
91KB

MD5
e861b3913db51fd88251404dc38a7a4a

SHA1
434f38f2b65a09e0881ffa485e8f4b22ce5f5528

SHA256
4d4a2b35a46105a4207ef7210e21aa26af7805e2a01ab90b8a6a81490083d15b

SHA512
cd1b7960c75a9d776b6c12d8b49e5bbd5569d3d4749666f4641aa7766504b0d2bb3a57145a22104e1f69c4af4b39f56eb2c0cedd4eb0b168cf9ac20815e499af

Download Submit
C:\Windows\SysWOW64\Noaeqjpe.exe

Filesize
91KB

MD5
e861b3913db51fd88251404dc38a7a4a

SHA1
434f38f2b65a09e0881ffa485e8f4b22ce5f5528

SHA256
4d4a2b35a46105a4207ef7210e21aa26af7805e2a01ab90b8a6a81490083d15b

SHA512
cd1b7960c75a9d776b6c12d8b49e5bbd5569d3d4749666f4641aa7766504b0d2bb3a57145a22104e1f69c4af4b39f56eb2c0cedd4eb0b168cf9ac20815e499af

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
91KB

MD5
30e1fb719d71ab47f0a3f948e2458ba3

SHA1
adb1a63f1e437f09227476f5767bface7dd0d77a

SHA256
465455770d4cbdebf4eced40300ba5a47578fd220b0ce1fc2bef2aced8713951

SHA512
5e6d5a8981549873bfd86ca53cf257d62361ec7699d6081f2e2586724ee15ccb79d5f5083260955055700eadbf992c94fe110010e4a0214800eac10371a6f1b3

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
91KB

MD5
30e1fb719d71ab47f0a3f948e2458ba3

SHA1
adb1a63f1e437f09227476f5767bface7dd0d77a

SHA256
465455770d4cbdebf4eced40300ba5a47578fd220b0ce1fc2bef2aced8713951

SHA512
5e6d5a8981549873bfd86ca53cf257d62361ec7699d6081f2e2586724ee15ccb79d5f5083260955055700eadbf992c94fe110010e4a0214800eac10371a6f1b3

Download Submit
C:\Windows\SysWOW64\Ocknbglo.exe

Filesize
91KB

MD5
35acfa0ce40a35e34bb636c20426193e

SHA1
97fb3da2eb0829862cc86b5b86418c9a933c1726

SHA256
9ab3c8a01522b1a11a27300d3f22d7fdec250fac0f0e287990efa206f697520e

SHA512
a49ddc860746f48a39574f870cd188d844e3d65d0b7299e08873ad521b97ea5dc76c2fafcf108bc05c71f2f1b281883fa936ddbea101790adc422bc2d61bb948

Download Submit
C:\Windows\SysWOW64\Ocknbglo.exe

Filesize
91KB

MD5
35acfa0ce40a35e34bb636c20426193e

SHA1
97fb3da2eb0829862cc86b5b86418c9a933c1726

SHA256
9ab3c8a01522b1a11a27300d3f22d7fdec250fac0f0e287990efa206f697520e

SHA512
a49ddc860746f48a39574f870cd188d844e3d65d0b7299e08873ad521b97ea5dc76c2fafcf108bc05c71f2f1b281883fa936ddbea101790adc422bc2d61bb948

Download Submit
C:\Windows\SysWOW64\Ocmjhfjl.exe

Filesize
91KB

MD5
bf4de5bd2521ccaff829f65033cda88d

SHA1
dc663f2c89d1f96dfc954f2f350697f0fc71bd98

SHA256
548383ac22f3d40c58d32620016e90c4e74272ee53426f23baf01ef471c6bf17

SHA512
7e4bad6d125b993c5d4fc385b2a71e196288b913a25ef208b796c7e5706469d85990cdeffb1fa2713812b361d8998fe698056f68f1e487c6345249855689307c

Download Submit
C:\Windows\SysWOW64\Ocmjhfjl.exe

Filesize
91KB

MD5
bf4de5bd2521ccaff829f65033cda88d

SHA1
dc663f2c89d1f96dfc954f2f350697f0fc71bd98

SHA256
548383ac22f3d40c58d32620016e90c4e74272ee53426f23baf01ef471c6bf17

SHA512
7e4bad6d125b993c5d4fc385b2a71e196288b913a25ef208b796c7e5706469d85990cdeffb1fa2713812b361d8998fe698056f68f1e487c6345249855689307c

Download Submit
C:\Windows\SysWOW64\Odbgdp32.exe

Filesize
91KB

MD5
721c522ab3538a9f51d261eff43f9e9a

SHA1
ca6c5b4cf98d821ddbd9a42fb1bbf6e3da007cc7

SHA256
dcdd09d6b9fe067553229828291385e4c5c1c008c22074a7f1e7594ac76a7aac

SHA512
3b64389bf5360dc0d5d79ad163bf0b98b1ad467b1c78b31b77733a9ca33910ffec411bbe3c28d870887da6b74503d1d95f1246b1767dcbb74894d47b8787f458

Download Submit
C:\Windows\SysWOW64\Odbgdp32.exe

Filesize
91KB

MD5
721c522ab3538a9f51d261eff43f9e9a

SHA1
ca6c5b4cf98d821ddbd9a42fb1bbf6e3da007cc7

SHA256
dcdd09d6b9fe067553229828291385e4c5c1c008c22074a7f1e7594ac76a7aac

SHA512
3b64389bf5360dc0d5d79ad163bf0b98b1ad467b1c78b31b77733a9ca33910ffec411bbe3c28d870887da6b74503d1d95f1246b1767dcbb74894d47b8787f458

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
91KB

MD5
bd9fe39bff844e05d83ca5e3b6282113

SHA1
a3598e4fac90a0a8090ef185383272f9f1074550

SHA256
289b7e2eefcbe88d9a62dc0b969fc9edf5edb24f88293f2efbf29cf1ba213471

SHA512
d141942eff62b949cd8df41245201a2710ac37dee8c08c9ccb6755ddf5500ddb35cb403b034b43c3e07f6ff4b55c7dee7f044a9a9a9818ab6fe40332277dfb36

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
91KB

MD5
bd9fe39bff844e05d83ca5e3b6282113

SHA1
a3598e4fac90a0a8090ef185383272f9f1074550

SHA256
289b7e2eefcbe88d9a62dc0b969fc9edf5edb24f88293f2efbf29cf1ba213471

SHA512
d141942eff62b949cd8df41245201a2710ac37dee8c08c9ccb6755ddf5500ddb35cb403b034b43c3e07f6ff4b55c7dee7f044a9a9a9818ab6fe40332277dfb36

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
91KB

MD5
afe0bfefd58a5aa39b0204734ddf33d4

SHA1
d89b38f3f5e1695154fa988b449258169d2eecd0

SHA256
66e9d64d453a6f462ce9939eb2754058e8759f5566670ae944f0fdf26e201264

SHA512
25e83877e8b5bbc73fe6d9fa3a2bec5aaf411500647923f7ab7105ef2d1098d06234ce86005f033f94c28f56e1da572050a0dab1aee099364dfd85787d0ff6e6

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
91KB

MD5
afe0bfefd58a5aa39b0204734ddf33d4

SHA1
d89b38f3f5e1695154fa988b449258169d2eecd0

SHA256
66e9d64d453a6f462ce9939eb2754058e8759f5566670ae944f0fdf26e201264

SHA512
25e83877e8b5bbc73fe6d9fa3a2bec5aaf411500647923f7ab7105ef2d1098d06234ce86005f033f94c28f56e1da572050a0dab1aee099364dfd85787d0ff6e6

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
91KB

MD5
afe0bfefd58a5aa39b0204734ddf33d4

SHA1
d89b38f3f5e1695154fa988b449258169d2eecd0

SHA256
66e9d64d453a6f462ce9939eb2754058e8759f5566670ae944f0fdf26e201264

SHA512
25e83877e8b5bbc73fe6d9fa3a2bec5aaf411500647923f7ab7105ef2d1098d06234ce86005f033f94c28f56e1da572050a0dab1aee099364dfd85787d0ff6e6

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
91KB

MD5
a427faa2162653accb99bc7ed2354a73

SHA1
6db8a737fd3619839107f965c06554dbc3fc5e48

SHA256
2de6efe655bafcfb7e400a2a4a8e0c17f1960ce298232a235d514eb2d0965d11

SHA512
e8ca06ae44292bfb8b441163286d52b853c805676d775cb1e0c6f628f035edbee66672b13e0083153ae7b14cff6d13a3f2573155fa81ccc92e65bde3aba18ff5

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
91KB

MD5
a427faa2162653accb99bc7ed2354a73

SHA1
6db8a737fd3619839107f965c06554dbc3fc5e48

SHA256
2de6efe655bafcfb7e400a2a4a8e0c17f1960ce298232a235d514eb2d0965d11

SHA512
e8ca06ae44292bfb8b441163286d52b853c805676d775cb1e0c6f628f035edbee66672b13e0083153ae7b14cff6d13a3f2573155fa81ccc92e65bde3aba18ff5

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe

Filesize
91KB

MD5
4f686f0eb0b581a52d399185ab241fc5

SHA1
507c1ebf9214d359de70b4f9464c9a98fbf46cf1

SHA256
4914240ac1b4be907132eddeb7b5371119c4584241621a48912342e28cef8f2d

SHA512
5243e0c2cd4831ebbe44759829114b28efd1c547a1eb2b6106161835364dcc977681b283f0163ee5bd48b4f2e8569c89cb0dd74593819a013b5df047e6a30a37

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe

Filesize
91KB

MD5
4f686f0eb0b581a52d399185ab241fc5

SHA1
507c1ebf9214d359de70b4f9464c9a98fbf46cf1

SHA256
4914240ac1b4be907132eddeb7b5371119c4584241621a48912342e28cef8f2d

SHA512
5243e0c2cd4831ebbe44759829114b28efd1c547a1eb2b6106161835364dcc977681b283f0163ee5bd48b4f2e8569c89cb0dd74593819a013b5df047e6a30a37

Download Submit
C:\Windows\SysWOW64\Qelcamcj.exe

Filesize
91KB

MD5
c985b4f96fa1d4183d6d1ffc500415a3

SHA1
d8a657382db2f65a220cc2afbdaaac5a8464852b

SHA256
c11fdf92b8f7f27e7b09df883657d373e93d5e4ebd8c685ce713ff9170f8408a

SHA512
a07ab3e33095a1b7e62cdc2f5abf033434405c586fc4d247ca201febdb8ba9648a23e597ef4f6895a4d76dc8e629d8353a04ed4b576b84f622c780fb4758e844

Download Submit
C:\Windows\SysWOW64\Qelcamcj.exe

Filesize
91KB

MD5
c985b4f96fa1d4183d6d1ffc500415a3

SHA1
d8a657382db2f65a220cc2afbdaaac5a8464852b

SHA256
c11fdf92b8f7f27e7b09df883657d373e93d5e4ebd8c685ce713ff9170f8408a

SHA512
a07ab3e33095a1b7e62cdc2f5abf033434405c586fc4d247ca201febdb8ba9648a23e597ef4f6895a4d76dc8e629d8353a04ed4b576b84f622c780fb4758e844

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
91KB

MD5
0c605ce8c91f472f8a91af5d03af1c0b

SHA1
c9ff432493a8bbe20532c56c5de555fef15c6eaa

SHA256
e3f0632a9eece3f95b825472566ebdd1bdd01ffa0cc0ba3d8f83b4afe02527a1

SHA512
8c22058d6f859a29c6c15b1defc3c293a2ac78508a1fa8a67f57fa0488f26d48e750c5d641316c6f8886c19506182ffa1a07f0df9ed7dbc4fc6bc540bfd17a7b

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
91KB

MD5
0c605ce8c91f472f8a91af5d03af1c0b

SHA1
c9ff432493a8bbe20532c56c5de555fef15c6eaa

SHA256
e3f0632a9eece3f95b825472566ebdd1bdd01ffa0cc0ba3d8f83b4afe02527a1

SHA512
8c22058d6f859a29c6c15b1defc3c293a2ac78508a1fa8a67f57fa0488f26d48e750c5d641316c6f8886c19506182ffa1a07f0df9ed7dbc4fc6bc540bfd17a7b

Download Submit
memory/436-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/676-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/676-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3080-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3080-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3264-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3264-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3404-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3404-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4176-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4176-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4292-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4292-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4644-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4644-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4936-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4936-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads