0347dee3209726b548a54042304f97a4d574d8f8731be9098b22dd4b965b4ee2

Analysis

max time kernel
185s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe
Size

347KB
MD5

ad962cbcb06e9251af7a2c720e77e0f0
SHA1

50046b04250b3e80f52eb50c7df0a4f97d6712fc
SHA256

0347dee3209726b548a54042304f97a4d574d8f8731be9098b22dd4b965b4ee2
SHA512

68301fb0960757d9fd96bd0ef4d2a9bd0443b40490c5431b372fc39443c3e3e4eda3c48a831d0477cd94ae8f9281d3f2d8f4c4d021e1c9c95c9b8211121acc96
SSDEEP

6144:djSHE4LgK+5Nx4brq2Ah1FM6234lKm3mo8Yvi4KsLTFM6234lKm3qk9:wHtgKSx4brRGFB24lwR45FB24lEk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmcpoedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhcali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llqjbhdc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lchfib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oiagde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhcali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchfib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhoahh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmphaaln.exe

Executes dropped EXE 27 IoCs

pid	Process
2964	Lcfidb32.exe
2628	Lhcali32.exe
4608	Lchfib32.exe
4444	Llqjbhdc.exe
2892	Lhgkgijg.exe
4988	Lcmodajm.exe
2620	Mhldbh32.exe
3416	Mhoahh32.exe
392	Mhanngbl.exe
4260	Mlofcf32.exe
2880	Nhegig32.exe
1240	Nmcpoedn.exe
1548	Njgqhicg.exe
1860	Nbbeml32.exe
3708	Ncbafoge.exe
4160	Oiagde32.exe
4552	Objkmkjj.exe
1536	Oqklkbbi.exe
696	Ofgdcipq.exe
4284	Ojemig32.exe
2468	Ojhiogdd.exe
528	Ppdbgncl.exe
456	Pmhbqbae.exe
4140	Pafkgphl.exe
3748	Paihlpfi.exe
1220	Pmphaaln.exe
4544	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Objkmkjj.exe	Oiagde32.exe
File created	C:\Windows\SysWOW64\Bepjbf32.dll	Nhegig32.exe
File opened for modification	C:\Windows\SysWOW64\Nhegig32.exe	Mlofcf32.exe
File created	C:\Windows\SysWOW64\Ghcfpl32.dll	Mlofcf32.exe
File created	C:\Windows\SysWOW64\Ncbafoge.exe	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Ghaeocdd.dll	Oiagde32.exe
File created	C:\Windows\SysWOW64\Fknofqcc.dll	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Nmdkcj32.dll	Llqjbhdc.exe
File opened for modification	C:\Windows\SysWOW64\Oqklkbbi.exe	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Bfmpaf32.dll	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Ojhiogdd.exe	Ojemig32.exe
File created	C:\Windows\SysWOW64\Nhegig32.exe	Mlofcf32.exe
File created	C:\Windows\SysWOW64\Diadam32.dll	Lcfidb32.exe
File created	C:\Windows\SysWOW64\Mhoahh32.exe	Mhldbh32.exe
File created	C:\Windows\SysWOW64\Glqfgdpo.dll	Mhldbh32.exe
File created	C:\Windows\SysWOW64\Cjkhnd32.dll	Ncbafoge.exe
File opened for modification	C:\Windows\SysWOW64\Pafkgphl.exe	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Paihlpfi.exe	Pafkgphl.exe
File opened for modification	C:\Windows\SysWOW64\Lcfidb32.exe	NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe
File opened for modification	C:\Windows\SysWOW64\Mhanngbl.exe	Mhoahh32.exe
File created	C:\Windows\SysWOW64\Objkmkjj.exe	Oiagde32.exe
File opened for modification	C:\Windows\SysWOW64\Lhgkgijg.exe	Llqjbhdc.exe
File created	C:\Windows\SysWOW64\Lcmodajm.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Mhldbh32.exe	Lcmodajm.exe
File opened for modification	C:\Windows\SysWOW64\Nbbeml32.exe	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Ojemig32.exe
File created	C:\Windows\SysWOW64\Ppdbgncl.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Pafkgphl.exe	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Cbqfhb32.dll	NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Lhcali32.exe	Lcfidb32.exe
File created	C:\Windows\SysWOW64\Ofgdcipq.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Gejimf32.dll	Oqklkbbi.exe
File opened for modification	C:\Windows\SysWOW64\Lchfib32.exe	Lhcali32.exe
File opened for modification	C:\Windows\SysWOW64\Oiagde32.exe	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Oqklkbbi.exe	Objkmkjj.exe
File opened for modification	C:\Windows\SysWOW64\Pmphaaln.exe	Paihlpfi.exe
File opened for modification	C:\Windows\SysWOW64\Ncbafoge.exe	Nbbeml32.exe
File opened for modification	C:\Windows\SysWOW64\Mlofcf32.exe	Mhanngbl.exe
File created	C:\Windows\SysWOW64\Odibfg32.dll	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Ipamlopb.dll	Lhcali32.exe
File created	C:\Windows\SysWOW64\Defbaa32.dll	Lchfib32.exe
File created	C:\Windows\SysWOW64\Jgbfjmkq.dll	Mhanngbl.exe
File opened for modification	C:\Windows\SysWOW64\Njgqhicg.exe	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Oiagde32.exe	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Objkmkjj.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Lchfib32.exe	Lhcali32.exe
File created	C:\Windows\SysWOW64\Mhanngbl.exe	Mhoahh32.exe
File created	C:\Windows\SysWOW64\Mlofcf32.exe	Mhanngbl.exe
File created	C:\Windows\SysWOW64\Kebkgjkg.dll	Nbbeml32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Ojemig32.exe
File created	C:\Windows\SysWOW64\Pmhbqbae.exe	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Mpagaf32.dll	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Pmphaaln.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Lhgkgijg.exe	Llqjbhdc.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Mlmadjhb.dll	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Jjgkan32.dll	Ojhiogdd.exe
File opened for modification	C:\Windows\SysWOW64\Ppdbgncl.exe	Ojhiogdd.exe
File opened for modification	C:\Windows\SysWOW64\Lcmodajm.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Fegbnohh.dll	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Nmcpoedn.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Ojemig32.exe	Ofgdcipq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4224	4544	WerFault.exe	114

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbaa32.dll"	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fegbnohh.dll"	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqfgdpo.dll"	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkhnd32.dll"	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odibfg32.dll"	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojemig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhcali32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll"	Lhcali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpenhh32.dll"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepjbf32.dll"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaokcqj.dll"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaeocdd.dll"	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll"	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lhcali32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebkgjkg.dll"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpagaf32.dll"	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diadam32.dll"	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceohefin.dll"	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oiagde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcfidb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll"	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbbeml32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 2964	3872	NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe	87
PID 3872 wrote to memory of 2964	3872	NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe	87
PID 3872 wrote to memory of 2964	3872	NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe	87
PID 2964 wrote to memory of 2628	2964	Lcfidb32.exe	88
PID 2964 wrote to memory of 2628	2964	Lcfidb32.exe	88
PID 2964 wrote to memory of 2628	2964	Lcfidb32.exe	88
PID 2628 wrote to memory of 4608	2628	Lhcali32.exe	90
PID 2628 wrote to memory of 4608	2628	Lhcali32.exe	90
PID 2628 wrote to memory of 4608	2628	Lhcali32.exe	90
PID 4608 wrote to memory of 4444	4608	Lchfib32.exe	89
PID 4608 wrote to memory of 4444	4608	Lchfib32.exe	89
PID 4608 wrote to memory of 4444	4608	Lchfib32.exe	89
PID 4444 wrote to memory of 2892	4444	Llqjbhdc.exe	92
PID 4444 wrote to memory of 2892	4444	Llqjbhdc.exe	92
PID 4444 wrote to memory of 2892	4444	Llqjbhdc.exe	92
PID 2892 wrote to memory of 4988	2892	Lhgkgijg.exe	91
PID 2892 wrote to memory of 4988	2892	Lhgkgijg.exe	91
PID 2892 wrote to memory of 4988	2892	Lhgkgijg.exe	91
PID 4988 wrote to memory of 2620	4988	Lcmodajm.exe	93
PID 4988 wrote to memory of 2620	4988	Lcmodajm.exe	93
PID 4988 wrote to memory of 2620	4988	Lcmodajm.exe	93
PID 2620 wrote to memory of 3416	2620	Mhldbh32.exe	94
PID 2620 wrote to memory of 3416	2620	Mhldbh32.exe	94
PID 2620 wrote to memory of 3416	2620	Mhldbh32.exe	94
PID 3416 wrote to memory of 392	3416	Mhoahh32.exe	95
PID 3416 wrote to memory of 392	3416	Mhoahh32.exe	95
PID 3416 wrote to memory of 392	3416	Mhoahh32.exe	95
PID 392 wrote to memory of 4260	392	Mhanngbl.exe	96
PID 392 wrote to memory of 4260	392	Mhanngbl.exe	96
PID 392 wrote to memory of 4260	392	Mhanngbl.exe	96
PID 4260 wrote to memory of 2880	4260	Mlofcf32.exe	97
PID 4260 wrote to memory of 2880	4260	Mlofcf32.exe	97
PID 4260 wrote to memory of 2880	4260	Mlofcf32.exe	97
PID 2880 wrote to memory of 1240	2880	Nhegig32.exe	98
PID 2880 wrote to memory of 1240	2880	Nhegig32.exe	98
PID 2880 wrote to memory of 1240	2880	Nhegig32.exe	98
PID 1240 wrote to memory of 1548	1240	Nmcpoedn.exe	99
PID 1240 wrote to memory of 1548	1240	Nmcpoedn.exe	99
PID 1240 wrote to memory of 1548	1240	Nmcpoedn.exe	99
PID 1548 wrote to memory of 1860	1548	Njgqhicg.exe	101
PID 1548 wrote to memory of 1860	1548	Njgqhicg.exe	101
PID 1548 wrote to memory of 1860	1548	Njgqhicg.exe	101
PID 1860 wrote to memory of 3708	1860	Nbbeml32.exe	102
PID 1860 wrote to memory of 3708	1860	Nbbeml32.exe	102
PID 1860 wrote to memory of 3708	1860	Nbbeml32.exe	102
PID 3708 wrote to memory of 4160	3708	Ncbafoge.exe	103
PID 3708 wrote to memory of 4160	3708	Ncbafoge.exe	103
PID 3708 wrote to memory of 4160	3708	Ncbafoge.exe	103
PID 4160 wrote to memory of 4552	4160	Oiagde32.exe	104
PID 4160 wrote to memory of 4552	4160	Oiagde32.exe	104
PID 4160 wrote to memory of 4552	4160	Oiagde32.exe	104
PID 4552 wrote to memory of 1536	4552	Objkmkjj.exe	105
PID 4552 wrote to memory of 1536	4552	Objkmkjj.exe	105
PID 4552 wrote to memory of 1536	4552	Objkmkjj.exe	105
PID 1536 wrote to memory of 696	1536	Oqklkbbi.exe	106
PID 1536 wrote to memory of 696	1536	Oqklkbbi.exe	106
PID 1536 wrote to memory of 696	1536	Oqklkbbi.exe	106
PID 696 wrote to memory of 4284	696	Ofgdcipq.exe	107
PID 696 wrote to memory of 4284	696	Ofgdcipq.exe	107
PID 696 wrote to memory of 4284	696	Ofgdcipq.exe	107
PID 4284 wrote to memory of 2468	4284	Ojemig32.exe	108
PID 4284 wrote to memory of 2468	4284	Ojemig32.exe	108
PID 4284 wrote to memory of 2468	4284	Ojemig32.exe	108
PID 2468 wrote to memory of 528	2468	Ojhiogdd.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ad962cbcb06e9251af7a2c720e77e0f0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Windows\SysWOW64\Lcfidb32.exe
  C:\Windows\system32\Lcfidb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\Lhcali32.exe
    C:\Windows\system32\Lhcali32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\Lchfib32.exe
      C:\Windows\system32\Lchfib32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4608

C:\Windows\SysWOW64\Llqjbhdc.exe
C:\Windows\system32\Llqjbhdc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\SysWOW64\Lhgkgijg.exe
  C:\Windows\system32\Lhgkgijg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2892

C:\Windows\SysWOW64\Lcmodajm.exe
C:\Windows\system32\Lcmodajm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\Mhldbh32.exe
  C:\Windows\system32\Mhldbh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\Mhoahh32.exe
    C:\Windows\system32\Mhoahh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\SysWOW64\Mhanngbl.exe
      C:\Windows\system32\Mhanngbl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
      - C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        22⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 412
        23⤵
        Program crash
        
        PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4544 -ip 4544
1⤵
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lcfidb32.exe

Filesize
347KB

MD5
4e8a83a65e27684de476a93ff9f31589

SHA1
8f7aea478743f94f59009964e048805252de01de

SHA256
2eca2d2410253a42e31fdef65649a33ef3bc1d001f74c1043564972472998779

SHA512
fd6c4a3d04207fdd48420c7aede52b0b811afad6671c6a263fb181b5fe460230b87bbca1729e2ccd7ebbb530eba2c1e0bc7c9cb5003d82f313cc2ab7b9eb77aa

Download Submit
C:\Windows\SysWOW64\Lcfidb32.exe

Filesize
347KB

MD5
4e8a83a65e27684de476a93ff9f31589

SHA1
8f7aea478743f94f59009964e048805252de01de

SHA256
2eca2d2410253a42e31fdef65649a33ef3bc1d001f74c1043564972472998779

SHA512
fd6c4a3d04207fdd48420c7aede52b0b811afad6671c6a263fb181b5fe460230b87bbca1729e2ccd7ebbb530eba2c1e0bc7c9cb5003d82f313cc2ab7b9eb77aa

Download Submit
C:\Windows\SysWOW64\Lchfib32.exe

Filesize
347KB

MD5
ea568f39d075b6d2c4a383b8d32551b7

SHA1
66259bc251076831011b25763c2b1950f8544622

SHA256
4d8797cb47bf8ddb428a0ee3cfc5b50b655bf5d06946819100b63ddfc5e43470

SHA512
f23ae34cb1b7ef54f31d898471592b6a4d626869bb0c93cdd0f15a03063abeaefb871d703be8f65fd2679642719f95e328b739057af36e2c86aca46960eec817

Download Submit
C:\Windows\SysWOW64\Lchfib32.exe

Filesize
347KB

MD5
ea568f39d075b6d2c4a383b8d32551b7

SHA1
66259bc251076831011b25763c2b1950f8544622

SHA256
4d8797cb47bf8ddb428a0ee3cfc5b50b655bf5d06946819100b63ddfc5e43470

SHA512
f23ae34cb1b7ef54f31d898471592b6a4d626869bb0c93cdd0f15a03063abeaefb871d703be8f65fd2679642719f95e328b739057af36e2c86aca46960eec817

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
347KB

MD5
76dc5edb756891a4aa1ada6837365660

SHA1
d43525028bbb2901986daff1e9849764fa5e3cee

SHA256
22c2c64497decc24005eeebcfc3f8df160c393ebac24ffc8eca94ba7ffb991bf

SHA512
d9de9fe9bbaa6215ba18bbef49344b0d0a7924b56c03e1e4e8139fa7b75c29b452dcd3db08714b2f99595beda4ce341a42cd587bea1a142de7b9ae7a8e2bba07

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
347KB

MD5
76dc5edb756891a4aa1ada6837365660

SHA1
d43525028bbb2901986daff1e9849764fa5e3cee

SHA256
22c2c64497decc24005eeebcfc3f8df160c393ebac24ffc8eca94ba7ffb991bf

SHA512
d9de9fe9bbaa6215ba18bbef49344b0d0a7924b56c03e1e4e8139fa7b75c29b452dcd3db08714b2f99595beda4ce341a42cd587bea1a142de7b9ae7a8e2bba07

Download Submit
C:\Windows\SysWOW64\Lhcali32.exe

Filesize
347KB

MD5
ebe51522a2fbf7ad7d15609161883797

SHA1
e1ea387133814e1a9ef8729b424c2863ac045ce6

SHA256
897b14d503065174319859c63370282f93c2b2288ddd4feaae1189ef07cd5366

SHA512
d194b22ce658ab749d6437dcdba3046940fb5b829643a878d28da90504c945fb4edc3575f09faf4721874e70663f9001b12d812b18ac4fc22402db84d4ace384

Download Submit
C:\Windows\SysWOW64\Lhcali32.exe

Filesize
347KB

MD5
ebe51522a2fbf7ad7d15609161883797

SHA1
e1ea387133814e1a9ef8729b424c2863ac045ce6

SHA256
897b14d503065174319859c63370282f93c2b2288ddd4feaae1189ef07cd5366

SHA512
d194b22ce658ab749d6437dcdba3046940fb5b829643a878d28da90504c945fb4edc3575f09faf4721874e70663f9001b12d812b18ac4fc22402db84d4ace384

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
347KB

MD5
9c207aefb779b7c985ae045cfec4de3a

SHA1
8f15aad66d799192c2adea429b26892035aec5d9

SHA256
7cb77b0c31291bd56b7ac1c82a3918ceebc2e8536f83314abce26edcf35cdc0d

SHA512
11c93681980704a4df7074f0ef154b433a263ea09dd71545126eaa2353a7dbb5a237755b977e2853ef6a6731189b3f6fbcf8460a4a4ab0b8b960f1e290a8d325

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
347KB

MD5
9c207aefb779b7c985ae045cfec4de3a

SHA1
8f15aad66d799192c2adea429b26892035aec5d9

SHA256
7cb77b0c31291bd56b7ac1c82a3918ceebc2e8536f83314abce26edcf35cdc0d

SHA512
11c93681980704a4df7074f0ef154b433a263ea09dd71545126eaa2353a7dbb5a237755b977e2853ef6a6731189b3f6fbcf8460a4a4ab0b8b960f1e290a8d325

Download Submit
C:\Windows\SysWOW64\Llqjbhdc.exe

Filesize
347KB

MD5
abe9c71f910189b9f81e0739425fa060

SHA1
f93862e22598bc7afab851d8e44125ac50487eb6

SHA256
93ab26607ae24d18d5993dd260d4d2c7a4f73d70f673849e54854dfe5eb60adc

SHA512
1035ec89bb817baabadde83033d034a0b470f4acddb4ffa890e89c72bb47ec28976ccce236e81cd1da86d15e478d087d459c0f90d0946fc5458bc0f733a9f7a8

Download Submit
C:\Windows\SysWOW64\Llqjbhdc.exe

Filesize
347KB

MD5
abe9c71f910189b9f81e0739425fa060

SHA1
f93862e22598bc7afab851d8e44125ac50487eb6

SHA256
93ab26607ae24d18d5993dd260d4d2c7a4f73d70f673849e54854dfe5eb60adc

SHA512
1035ec89bb817baabadde83033d034a0b470f4acddb4ffa890e89c72bb47ec28976ccce236e81cd1da86d15e478d087d459c0f90d0946fc5458bc0f733a9f7a8

Download Submit
C:\Windows\SysWOW64\Mhanngbl.exe

Filesize
347KB

MD5
45d0b249d5f9cf6e7ee2ce3a902f5e10

SHA1
8abc94350b98ce9485f865f016ee787bf994eab0

SHA256
c8e65a140250b24b6cbc43376009ae0c65dac9fd843127eaf478e7461324d930

SHA512
e1d3ee026f09e7c456bc7ac1b2dddd0b47945f41d6b56ced7a9bedf8c0a62eb9780cc135182b78bbdaf889b1be7626e38b79f88d59d9f8edeabf710458342bde

Download Submit
C:\Windows\SysWOW64\Mhanngbl.exe

Filesize
347KB

MD5
45d0b249d5f9cf6e7ee2ce3a902f5e10

SHA1
8abc94350b98ce9485f865f016ee787bf994eab0

SHA256
c8e65a140250b24b6cbc43376009ae0c65dac9fd843127eaf478e7461324d930

SHA512
e1d3ee026f09e7c456bc7ac1b2dddd0b47945f41d6b56ced7a9bedf8c0a62eb9780cc135182b78bbdaf889b1be7626e38b79f88d59d9f8edeabf710458342bde

Download Submit
C:\Windows\SysWOW64\Mhanngbl.exe

Filesize
347KB

MD5
45d0b249d5f9cf6e7ee2ce3a902f5e10

SHA1
8abc94350b98ce9485f865f016ee787bf994eab0

SHA256
c8e65a140250b24b6cbc43376009ae0c65dac9fd843127eaf478e7461324d930

SHA512
e1d3ee026f09e7c456bc7ac1b2dddd0b47945f41d6b56ced7a9bedf8c0a62eb9780cc135182b78bbdaf889b1be7626e38b79f88d59d9f8edeabf710458342bde

Download Submit
C:\Windows\SysWOW64\Mhldbh32.exe

Filesize
347KB

MD5
30d25f82f3255a7792f46934a5e82a6f

SHA1
db9b93163eb0bde70f1c30d82c277f356bba2289

SHA256
2b550cae5cb657459c28d8b6365d769a75746898111c985230d1d183c6086e9d

SHA512
74836be8d2eee5824dab07d15ad6b609518b953bf115b7fd68af28f434cee924635a42207bd213c762e06369ae2775a372fb8bb8f7a4b2f6c7d67ad33be2816a

Download Submit
C:\Windows\SysWOW64\Mhldbh32.exe

Filesize
347KB

MD5
30d25f82f3255a7792f46934a5e82a6f

SHA1
db9b93163eb0bde70f1c30d82c277f356bba2289

SHA256
2b550cae5cb657459c28d8b6365d769a75746898111c985230d1d183c6086e9d

SHA512
74836be8d2eee5824dab07d15ad6b609518b953bf115b7fd68af28f434cee924635a42207bd213c762e06369ae2775a372fb8bb8f7a4b2f6c7d67ad33be2816a

Download Submit
C:\Windows\SysWOW64\Mhldbh32.exe

Filesize
347KB

MD5
30d25f82f3255a7792f46934a5e82a6f

SHA1
db9b93163eb0bde70f1c30d82c277f356bba2289

SHA256
2b550cae5cb657459c28d8b6365d769a75746898111c985230d1d183c6086e9d

SHA512
74836be8d2eee5824dab07d15ad6b609518b953bf115b7fd68af28f434cee924635a42207bd213c762e06369ae2775a372fb8bb8f7a4b2f6c7d67ad33be2816a

Download Submit
C:\Windows\SysWOW64\Mhoahh32.exe

Filesize
347KB

MD5
9457b0f24d3af107ee8fab02ef160afe

SHA1
51f83abab9149836306ad61e7752d9e8c609dddf

SHA256
e2eb5cc34711e3938daeda1e5c9bb0e76e13d9ab04869d03162fb5b6f1196e32

SHA512
2f93d5d9a72abac6b1c41f75602f531cbebee4912217caa489116fb3819684bd3834548a9c79d226203f54e122e9503a5e09ff594894ec6719801aee0bc81ab7

Download Submit
C:\Windows\SysWOW64\Mhoahh32.exe

Filesize
347KB

MD5
9457b0f24d3af107ee8fab02ef160afe

SHA1
51f83abab9149836306ad61e7752d9e8c609dddf

SHA256
e2eb5cc34711e3938daeda1e5c9bb0e76e13d9ab04869d03162fb5b6f1196e32

SHA512
2f93d5d9a72abac6b1c41f75602f531cbebee4912217caa489116fb3819684bd3834548a9c79d226203f54e122e9503a5e09ff594894ec6719801aee0bc81ab7

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
347KB

MD5
54f17b47710d65c6ae673211356a8924

SHA1
d40bf683bdb68fc1bf932153ad0d455d2dcb3934

SHA256
39fcc8f2897e9cd1b40e3616b9ad614c5b993d61c026349fbbcd0b5693ce4b75

SHA512
aba62624acf733d182f427068a81862c11f10ca38c591d606d9fc1a0fcca30836f102d0c32400a88354f1a9af4f62a5341539443fb127d44d27b27ecea8cc7d4

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
347KB

MD5
54f17b47710d65c6ae673211356a8924

SHA1
d40bf683bdb68fc1bf932153ad0d455d2dcb3934

SHA256
39fcc8f2897e9cd1b40e3616b9ad614c5b993d61c026349fbbcd0b5693ce4b75

SHA512
aba62624acf733d182f427068a81862c11f10ca38c591d606d9fc1a0fcca30836f102d0c32400a88354f1a9af4f62a5341539443fb127d44d27b27ecea8cc7d4

Download Submit
C:\Windows\SysWOW64\Nbbeml32.exe

Filesize
347KB

MD5
a83dba695876c7d37316a01b1a75970a

SHA1
4690de943e0d1a42d36393d69b656ffb01954a69

SHA256
b5c0c6c2a5faada74fcdba4db3af2191c068e74772cde8594b5396a10c8b2dde

SHA512
bb445471249adc4bf430be5f8bb19b3919b34e05c1931fe7384ba9225cc29c9f66ac197e397ff2d49c6c55e4658eab9885e9652c760c6810de41ff3cae8fb8d1

Download Submit
C:\Windows\SysWOW64\Nbbeml32.exe

Filesize
347KB

MD5
a83dba695876c7d37316a01b1a75970a

SHA1
4690de943e0d1a42d36393d69b656ffb01954a69

SHA256
b5c0c6c2a5faada74fcdba4db3af2191c068e74772cde8594b5396a10c8b2dde

SHA512
bb445471249adc4bf430be5f8bb19b3919b34e05c1931fe7384ba9225cc29c9f66ac197e397ff2d49c6c55e4658eab9885e9652c760c6810de41ff3cae8fb8d1

Download Submit
C:\Windows\SysWOW64\Ncbafoge.exe

Filesize
347KB

MD5
1399f65f85ea60dbcbf377db7bed7922

SHA1
c492c1d99fdc7aafa6f111362ed80dcf38b999af

SHA256
72d5084bbed8db125b5570a76999c019c4c85a08291b21aadcd96b343705a18a

SHA512
24123f3aae916a3088d9f1dd476fcd515125de6e45dcdd5e6c3b5aed8b5c22f5b470d7d1ba124017e46a41488c4be0baf09c38445a7d50f06f1d5e86c70d2661

Download Submit
C:\Windows\SysWOW64\Ncbafoge.exe

Filesize
347KB

MD5
1399f65f85ea60dbcbf377db7bed7922

SHA1
c492c1d99fdc7aafa6f111362ed80dcf38b999af

SHA256
72d5084bbed8db125b5570a76999c019c4c85a08291b21aadcd96b343705a18a

SHA512
24123f3aae916a3088d9f1dd476fcd515125de6e45dcdd5e6c3b5aed8b5c22f5b470d7d1ba124017e46a41488c4be0baf09c38445a7d50f06f1d5e86c70d2661

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
347KB

MD5
5395dc1a4ff61ea7a9ec2fb0083a1cc8

SHA1
d115c1dae0a019a3d5034cbf831bbcf339fe6b6b

SHA256
6b968c7acd2408229b02d08543352af3946508ddb78d62f4196ac1f425c0ff77

SHA512
e8474f541b86ca3fc0222f04512506884b090f6e4cb090a58dfc9d4f4ca1f601bcd262a3148389ba31d15fd9c888b01c1032a8381abcf30041ebd8054e24dd3c

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
347KB

MD5
5395dc1a4ff61ea7a9ec2fb0083a1cc8

SHA1
d115c1dae0a019a3d5034cbf831bbcf339fe6b6b

SHA256
6b968c7acd2408229b02d08543352af3946508ddb78d62f4196ac1f425c0ff77

SHA512
e8474f541b86ca3fc0222f04512506884b090f6e4cb090a58dfc9d4f4ca1f601bcd262a3148389ba31d15fd9c888b01c1032a8381abcf30041ebd8054e24dd3c

Download Submit
C:\Windows\SysWOW64\Njgqhicg.exe

Filesize
347KB

MD5
3ee27b07fa1c5f5f40f248d8a4be8604

SHA1
60b16655b52745974cacd741f4b5b4552bdb31ee

SHA256
d71d2f86fb067fbfcf2eb9b2d091bb3d9a364e8c8cb6d93fbb56fe7cf5d93304

SHA512
3f101c4fd980e04e5678970e0fd3469bf90ef27a0fbcc6b2e046d16a80dcc07ac084cf8ea37c08d3f64afb28c6381e3485df64735d4dd99ba66f4aa8a47e4396

Download Submit
C:\Windows\SysWOW64\Njgqhicg.exe

Filesize
347KB

MD5
3ee27b07fa1c5f5f40f248d8a4be8604

SHA1
60b16655b52745974cacd741f4b5b4552bdb31ee

SHA256
d71d2f86fb067fbfcf2eb9b2d091bb3d9a364e8c8cb6d93fbb56fe7cf5d93304

SHA512
3f101c4fd980e04e5678970e0fd3469bf90ef27a0fbcc6b2e046d16a80dcc07ac084cf8ea37c08d3f64afb28c6381e3485df64735d4dd99ba66f4aa8a47e4396

Download Submit
C:\Windows\SysWOW64\Nmcpoedn.exe

Filesize
347KB

MD5
a325f64b7dd346c903341f0b6d4fdb98

SHA1
84c96c4a22059f6c28fbe2d5a3fd11710ad5f609

SHA256
0b0fe1f8528bb38a69441719ddd2cbae72651eb1c9e074383a3f08eb1e264835

SHA512
63ddedfe4e412e6a4c0ccfeeaa51838197834f14a353172069572593fc5fe3e547cd788a8106b51283be2625d78304a32ad38ef5de6c719a06a70c96bdbd0a95

Download Submit
C:\Windows\SysWOW64\Nmcpoedn.exe

Filesize
347KB

MD5
a325f64b7dd346c903341f0b6d4fdb98

SHA1
84c96c4a22059f6c28fbe2d5a3fd11710ad5f609

SHA256
0b0fe1f8528bb38a69441719ddd2cbae72651eb1c9e074383a3f08eb1e264835

SHA512
63ddedfe4e412e6a4c0ccfeeaa51838197834f14a353172069572593fc5fe3e547cd788a8106b51283be2625d78304a32ad38ef5de6c719a06a70c96bdbd0a95

Download Submit
C:\Windows\SysWOW64\Nmdkcj32.dll

Filesize
7KB

MD5
13cf4a193847cac52482be3ec046d890

SHA1
2a1a43b963c3e67897eb7032d50d20c647846975

SHA256
6e731774a781ec66f5edfdd027f9abdf6a1cd410d74eea98896227d7b2cb7a03

SHA512
431bb3fea917ba331da5346ae4c26f178d9dff40415379c7381a211dfc091ef112e46e9353abffc94787c7c248c992eb777953f25f190ed27a572878e0475b45

Download Submit
C:\Windows\SysWOW64\Objkmkjj.exe

Filesize
347KB

MD5
b71cf7ae859cc9129604bfa85e9eff0a

SHA1
4b54b08e6912efc9d1d2bae8cc0d04ec538c3043

SHA256
b879c3183fc31b350a3432d866416eb4018f74f1f702c694d4167f66cf6fa2b7

SHA512
1a3caccc6120b9fadedd7dc47dcf6df2bbfe48016dee95e9f0bd615c5e3919f2a63ca3ee10b4ed10a4e0f7ad564cef26faf32be9dfd82aa67819c43dbac28a4e

Download Submit
C:\Windows\SysWOW64\Objkmkjj.exe

Filesize
347KB

MD5
b71cf7ae859cc9129604bfa85e9eff0a

SHA1
4b54b08e6912efc9d1d2bae8cc0d04ec538c3043

SHA256
b879c3183fc31b350a3432d866416eb4018f74f1f702c694d4167f66cf6fa2b7

SHA512
1a3caccc6120b9fadedd7dc47dcf6df2bbfe48016dee95e9f0bd615c5e3919f2a63ca3ee10b4ed10a4e0f7ad564cef26faf32be9dfd82aa67819c43dbac28a4e

Download Submit
C:\Windows\SysWOW64\Ofgdcipq.exe

Filesize
347KB

MD5
79a1e32efd82ba02d128d0b1a194f661

SHA1
0167cddddba8ad1504442dd97e5692a397c7fa16

SHA256
85f92b61ec5fc1077002a3d53ba85c44247c2de833c93713668c7a9f54870c5b

SHA512
c1290fdadb673b83867c6497e184ae140e11d9333ae9d9d87ad017a360895a7842448cb6ca25da7076dc48607a0c0c726fd61790170980285373e290f3b07e0c

Download Submit
C:\Windows\SysWOW64\Ofgdcipq.exe

Filesize
347KB

MD5
79a1e32efd82ba02d128d0b1a194f661

SHA1
0167cddddba8ad1504442dd97e5692a397c7fa16

SHA256
85f92b61ec5fc1077002a3d53ba85c44247c2de833c93713668c7a9f54870c5b

SHA512
c1290fdadb673b83867c6497e184ae140e11d9333ae9d9d87ad017a360895a7842448cb6ca25da7076dc48607a0c0c726fd61790170980285373e290f3b07e0c

Download Submit
C:\Windows\SysWOW64\Oiagde32.exe

Filesize
347KB

MD5
a3ed729540e0c6996177ae541f18ef97

SHA1
e2227bbfd24a8cc4ee96a2ed7f489b1a08d0bbc7

SHA256
c4f31f81dc26ec9c27548f58b0155c8a6ccf8c6eef6a733a453b965d28c385bc

SHA512
c400de730dcd3a18001e52137a3feb749ab63ceb266058a6b3f2a222a9b7c48e4313f2170cbfd19dfc0e69cd4c58b611a90b8aa45291436622267608b01b0f93

Download Submit
C:\Windows\SysWOW64\Oiagde32.exe

Filesize
347KB

MD5
a3ed729540e0c6996177ae541f18ef97

SHA1
e2227bbfd24a8cc4ee96a2ed7f489b1a08d0bbc7

SHA256
c4f31f81dc26ec9c27548f58b0155c8a6ccf8c6eef6a733a453b965d28c385bc

SHA512
c400de730dcd3a18001e52137a3feb749ab63ceb266058a6b3f2a222a9b7c48e4313f2170cbfd19dfc0e69cd4c58b611a90b8aa45291436622267608b01b0f93

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
347KB

MD5
d5a5372fd145dc0ac158304488920b9e

SHA1
fbb55725d11d7cb73182cb794ae8b101090a3ba1

SHA256
d2eb0b5ffee5d40d24e9a1b0dcc8495bf83826b9457c9e8938890d6c331cf7b4

SHA512
14c1bc246c157b6c5aabd9e0b7930bc665cb3df047a5f743acbdb1b72463a5b484ce6ae713d338b50ba2d275207776a3ccc5104984b14581c05f9861256030fd

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
347KB

MD5
d5a5372fd145dc0ac158304488920b9e

SHA1
fbb55725d11d7cb73182cb794ae8b101090a3ba1

SHA256
d2eb0b5ffee5d40d24e9a1b0dcc8495bf83826b9457c9e8938890d6c331cf7b4

SHA512
14c1bc246c157b6c5aabd9e0b7930bc665cb3df047a5f743acbdb1b72463a5b484ce6ae713d338b50ba2d275207776a3ccc5104984b14581c05f9861256030fd

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
347KB

MD5
7422a37969ecc3898e3e0c420c4a135f

SHA1
f62f56d5fab4374c209219048f4a68dd9447e92f

SHA256
30b184bf447250d10c93c9a70ec5535588bc7588eed09e7f73beb44e2d11bc16

SHA512
db58f424a385bbd5c670c7b80c2b7d4edb235562e7a23a1f8cc0265f06994338a9e36182d324c00de8a235bf2f83113c5ac4b77b613110b6b317ed67cbbcef3d

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
347KB

MD5
7422a37969ecc3898e3e0c420c4a135f

SHA1
f62f56d5fab4374c209219048f4a68dd9447e92f

SHA256
30b184bf447250d10c93c9a70ec5535588bc7588eed09e7f73beb44e2d11bc16

SHA512
db58f424a385bbd5c670c7b80c2b7d4edb235562e7a23a1f8cc0265f06994338a9e36182d324c00de8a235bf2f83113c5ac4b77b613110b6b317ed67cbbcef3d

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
347KB

MD5
8f72115d411fc22a29cef1549d6d1105

SHA1
6d0d0140b05948148087a2c5dbcf39628d1aa081

SHA256
e50bdf576080bd84e404e86341f69e0e289afc9ed828c063dbfa6c5aa275006e

SHA512
c7f0bceafd4b0beab640b81e266c87c8924121cee72423220c29eb0dbb3cbc79cde2ae4e93576bbd18bc2dc49f55be4e10ede00ccc062fdc64ab1244af20fadc

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
347KB

MD5
8f72115d411fc22a29cef1549d6d1105

SHA1
6d0d0140b05948148087a2c5dbcf39628d1aa081

SHA256
e50bdf576080bd84e404e86341f69e0e289afc9ed828c063dbfa6c5aa275006e

SHA512
c7f0bceafd4b0beab640b81e266c87c8924121cee72423220c29eb0dbb3cbc79cde2ae4e93576bbd18bc2dc49f55be4e10ede00ccc062fdc64ab1244af20fadc

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
347KB

MD5
e7f4a840524d64bbe896f002f8a63c07

SHA1
df01de1801bc4f767cbe214e9b307b7fd5da9751

SHA256
694d059fac03a9bf85abde3edeb88a20dd94618269f3362920166aed2db90cc6

SHA512
f60b77da380d651b4274c35f396cfcb86ae8ca0a64bbf78b82db89364546f74427fa10648857d8bdd51896aa5b182f8d5172a1da6267287790171c0de142db25

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
347KB

MD5
e7f4a840524d64bbe896f002f8a63c07

SHA1
df01de1801bc4f767cbe214e9b307b7fd5da9751

SHA256
694d059fac03a9bf85abde3edeb88a20dd94618269f3362920166aed2db90cc6

SHA512
f60b77da380d651b4274c35f396cfcb86ae8ca0a64bbf78b82db89364546f74427fa10648857d8bdd51896aa5b182f8d5172a1da6267287790171c0de142db25

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
347KB

MD5
e7f4a840524d64bbe896f002f8a63c07

SHA1
df01de1801bc4f767cbe214e9b307b7fd5da9751

SHA256
694d059fac03a9bf85abde3edeb88a20dd94618269f3362920166aed2db90cc6

SHA512
f60b77da380d651b4274c35f396cfcb86ae8ca0a64bbf78b82db89364546f74427fa10648857d8bdd51896aa5b182f8d5172a1da6267287790171c0de142db25

Download Submit
C:\Windows\SysWOW64\Paihlpfi.exe

Filesize
347KB

MD5
82ca2dc55fcdb4a3996f03e584599d84

SHA1
71d564bbf133baf411c1ecb68a7888f562b83763

SHA256
7bdbe054b3908dc72d83f6a7b86b17d3b4ce64f927bfdb0300db2734def8fa51

SHA512
3898490811f2ab469f7984f338a505c8570e4dd7c5383599e4e8c72768ed786f4ab20d514d9a2c68e341b6bb95fcfdf7b00b8c19eba41f9e674ffebcf8192416

Download Submit
C:\Windows\SysWOW64\Paihlpfi.exe

Filesize
347KB

MD5
82ca2dc55fcdb4a3996f03e584599d84

SHA1
71d564bbf133baf411c1ecb68a7888f562b83763

SHA256
7bdbe054b3908dc72d83f6a7b86b17d3b4ce64f927bfdb0300db2734def8fa51

SHA512
3898490811f2ab469f7984f338a505c8570e4dd7c5383599e4e8c72768ed786f4ab20d514d9a2c68e341b6bb95fcfdf7b00b8c19eba41f9e674ffebcf8192416

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
347KB

MD5
17ac5c12146bc9b2377b562451ebf2f8

SHA1
344f6ae9343e44d69a5df8d727f2b60af781a4e8

SHA256
178bf46d411a7e0d638339a23e6e2eb9e3b6a6b00cbbd818215490dc8692f28a

SHA512
7dbb2f474b504f3852eadda6f535e6069ce8bc05064f68fdfb74984112add48ffda27ced302f91250c976ee403fa8a68d712db8fce114dcf4e342ab1a55886b0

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
347KB

MD5
17ac5c12146bc9b2377b562451ebf2f8

SHA1
344f6ae9343e44d69a5df8d727f2b60af781a4e8

SHA256
178bf46d411a7e0d638339a23e6e2eb9e3b6a6b00cbbd818215490dc8692f28a

SHA512
7dbb2f474b504f3852eadda6f535e6069ce8bc05064f68fdfb74984112add48ffda27ced302f91250c976ee403fa8a68d712db8fce114dcf4e342ab1a55886b0

Download Submit
C:\Windows\SysWOW64\Pmhbqbae.exe

Filesize
347KB

MD5
bdb2fc1c2f682910ddaa5c6f1c1cedd5

SHA1
56cafaf1aeb17537b6cb0634953e3cc15dae848d

SHA256
cc864e17279e65ef09f4dbee1ab5246dc29c991a8e9aa1ca0dc00eec0f21d8ca

SHA512
0085f467319d9a76f1aae61ae58b3671c775e45770f7e246c936e9fcfaf67524a1dc8518fe882cda6dc42ff2f96da31a9513746c514a1c60aba0113395d851bc

Download Submit
C:\Windows\SysWOW64\Pmhbqbae.exe

Filesize
347KB

MD5
bdb2fc1c2f682910ddaa5c6f1c1cedd5

SHA1
56cafaf1aeb17537b6cb0634953e3cc15dae848d

SHA256
cc864e17279e65ef09f4dbee1ab5246dc29c991a8e9aa1ca0dc00eec0f21d8ca

SHA512
0085f467319d9a76f1aae61ae58b3671c775e45770f7e246c936e9fcfaf67524a1dc8518fe882cda6dc42ff2f96da31a9513746c514a1c60aba0113395d851bc

Download Submit
C:\Windows\SysWOW64\Pmphaaln.exe

Filesize
347KB

MD5
200fd2c695852ca7d938dd5b3e812591

SHA1
30775135cd16eb40e6d41255e2eee0d535554109

SHA256
0ed2b2f684ba9a4f1d0cd405cd289b461f14cc6bc16c6f9d730695f3b3694518

SHA512
694c809827010f476e3051b01844e161fb221dbeb35e73407b1cf2bcffe7e5896811cca1d7811a566843dd8fbc89cb42091d37172c57bcdfbb9292342c4f5a2a

Download Submit
C:\Windows\SysWOW64\Pmphaaln.exe

Filesize
347KB

MD5
200fd2c695852ca7d938dd5b3e812591

SHA1
30775135cd16eb40e6d41255e2eee0d535554109

SHA256
0ed2b2f684ba9a4f1d0cd405cd289b461f14cc6bc16c6f9d730695f3b3694518

SHA512
694c809827010f476e3051b01844e161fb221dbeb35e73407b1cf2bcffe7e5896811cca1d7811a566843dd8fbc89cb42091d37172c57bcdfbb9292342c4f5a2a

Download Submit
C:\Windows\SysWOW64\Ppdbgncl.exe

Filesize
347KB

MD5
b73765321a25a7326e2f70d3d896ba67

SHA1
26bffdaf748c8b8c65f58e647a6e4b265aac5993

SHA256
639163389344d381138a84c51acdeecfa76fbc7f5d087fcec3983880240108fb

SHA512
c0009c8550b81078d50a3ca160d0607bb27b5b0dcb0eba719e4795e08f73822e0d6e16e2b2def1d7e44ce0499869e164c47f0ecd9b5256dfa31d7e91047c33f6

Download Submit
C:\Windows\SysWOW64\Ppdbgncl.exe

Filesize
347KB

MD5
b73765321a25a7326e2f70d3d896ba67

SHA1
26bffdaf748c8b8c65f58e647a6e4b265aac5993

SHA256
639163389344d381138a84c51acdeecfa76fbc7f5d087fcec3983880240108fb

SHA512
c0009c8550b81078d50a3ca160d0607bb27b5b0dcb0eba719e4795e08f73822e0d6e16e2b2def1d7e44ce0499869e164c47f0ecd9b5256dfa31d7e91047c33f6

Download Submit
memory/392-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/392-235-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/456-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/456-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/528-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/528-222-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1220-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1220-218-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1536-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1536-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1548-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1548-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1860-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1860-230-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2628-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2628-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2880-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2880-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2892-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2892-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3416-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3416-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3708-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3708-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3748-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3748-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3872-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3872-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4140-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4140-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4160-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4160-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4260-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4260-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4284-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4284-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-227-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4608-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4608-27-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads