22344ceccaa0e4bad56af66981d7581ae2b56fa0724fd0034d682a4f42b24dc7

Analysis

max time kernel
137s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.83aa596a09d675487701d6a478ea9bf0.exe
Size

4.6MB
MD5

83aa596a09d675487701d6a478ea9bf0
SHA1

c8bcaf5e618f7b711248e4812bd89d31ca9b28e1
SHA256

22344ceccaa0e4bad56af66981d7581ae2b56fa0724fd0034d682a4f42b24dc7
SHA512

aff4babe4e0261d9239858a625f49dcaebb0e9cf9c078e2e7b35cf71db3838c48ccaf382f7d00f524e99db1aaefd78c3ae30f2673f2fa76a31967e85f8a3c3a3
SSDEEP

49152:UD/DzgZD/DTOD/DzgZD/DRHD/DzgZD/D:KLzgFLTULzgFLRjLzgFL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.83aa596a09d675487701d6a478ea9bf0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cofecami.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbphdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cofecami.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llodgnja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qckfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qihoak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfcjfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfcjfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.83aa596a09d675487701d6a478ea9bf0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbphdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kapfiqoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflfdbip.exe

Executes dropped EXE 15 IoCs

pid	Process
3340	Cbphdn32.exe
4708	Cofecami.exe
2052	Cfcjfk32.exe
1764	Llodgnja.exe
4336	Kapfiqoj.exe
2148	Mdpagc32.exe
1560	Ndnnianm.exe
1444	Okmpqjad.exe
3972	Oomelheh.exe
4428	Oflfdbip.exe
1752	Pilpfm32.exe
3004	Qckfid32.exe
1124	Qihoak32.exe
4640	Clpgkcdj.exe
4924	Dbkhnk32.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Naefjl32.dll	Clpgkcdj.exe
File created	C:\Windows\SysWOW64\Cbphdn32.exe	NEAS.83aa596a09d675487701d6a478ea9bf0.exe
File opened for modification	C:\Windows\SysWOW64\Cbphdn32.exe	NEAS.83aa596a09d675487701d6a478ea9bf0.exe
File opened for modification	C:\Windows\SysWOW64\Llodgnja.exe	Cfcjfk32.exe
File created	C:\Windows\SysWOW64\Pilpfm32.exe	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Qihoak32.exe	Qckfid32.exe
File opened for modification	C:\Windows\SysWOW64\Cofecami.exe	Cbphdn32.exe
File created	C:\Windows\SysWOW64\Kapfiqoj.exe	Llodgnja.exe
File created	C:\Windows\SysWOW64\Joboincl.dll	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Oomelheh.exe	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Ohbikenl.dll	Oomelheh.exe
File created	C:\Windows\SysWOW64\Qckfid32.exe	Pilpfm32.exe
File created	C:\Windows\SysWOW64\Olaqbelh.dll	Cbphdn32.exe
File created	C:\Windows\SysWOW64\Cfcjfk32.exe	Cofecami.exe
File created	C:\Windows\SysWOW64\Blnlefae.dll	Cofecami.exe
File created	C:\Windows\SysWOW64\Mdpagc32.exe	Kapfiqoj.exe
File created	C:\Windows\SysWOW64\Ndnnianm.exe	Mdpagc32.exe
File opened for modification	C:\Windows\SysWOW64\Cfcjfk32.exe	Cofecami.exe
File created	C:\Windows\SysWOW64\Leboon32.dll	Llodgnja.exe
File opened for modification	C:\Windows\SysWOW64\Oomelheh.exe	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Qihoak32.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Eldafjjc.dll	Qihoak32.exe
File created	C:\Windows\SysWOW64\Llodgnja.exe	Cfcjfk32.exe
File opened for modification	C:\Windows\SysWOW64\Ndnnianm.exe	Mdpagc32.exe
File opened for modification	C:\Windows\SysWOW64\Okmpqjad.exe	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Oflfdbip.exe	Oomelheh.exe
File created	C:\Windows\SysWOW64\Pmejnpqp.dll	Qckfid32.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Clpgkcdj.exe
File created	C:\Windows\SysWOW64\Ieneofbo.dll	NEAS.83aa596a09d675487701d6a478ea9bf0.exe
File created	C:\Windows\SysWOW64\Liabph32.dll	Cfcjfk32.exe
File created	C:\Windows\SysWOW64\Okmpqjad.exe	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Kkacdofa.dll	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Cojaijla.dll	Pilpfm32.exe
File created	C:\Windows\SysWOW64\Ncloojfj.dll	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Qckfid32.exe	Pilpfm32.exe
File created	C:\Windows\SysWOW64\Clpgkcdj.exe	Qihoak32.exe
File opened for modification	C:\Windows\SysWOW64\Kapfiqoj.exe	Llodgnja.exe
File created	C:\Windows\SysWOW64\Encnaa32.dll	Kapfiqoj.exe
File created	C:\Windows\SysWOW64\Odemep32.dll	Mdpagc32.exe
File opened for modification	C:\Windows\SysWOW64\Oflfdbip.exe	Oomelheh.exe
File opened for modification	C:\Windows\SysWOW64\Pilpfm32.exe	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Clpgkcdj.exe	Qihoak32.exe
File created	C:\Windows\SysWOW64\Cofecami.exe	Cbphdn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpagc32.exe	Kapfiqoj.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Clpgkcdj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3916	4924	WerFault.exe	101

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odemep32.dll"	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.83aa596a09d675487701d6a478ea9bf0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnlefae.dll"	Cofecami.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieneofbo.dll"	NEAS.83aa596a09d675487701d6a478ea9bf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.83aa596a09d675487701d6a478ea9bf0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbikenl.dll"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Clpgkcdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cofecami.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Encnaa32.dll"	Kapfiqoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oomelheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojaijla.dll"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.83aa596a09d675487701d6a478ea9bf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liabph32.dll"	Cfcjfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cofecami.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfcjfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leboon32.dll"	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kapfiqoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.83aa596a09d675487701d6a478ea9bf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbphdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmejnpqp.dll"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkacdofa.dll"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll"	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.83aa596a09d675487701d6a478ea9bf0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbphdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joboincl.dll"	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eldafjjc.dll"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaqbelh.dll"	Cbphdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfcjfk32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 3340	3752	NEAS.83aa596a09d675487701d6a478ea9bf0.exe	84
PID 3752 wrote to memory of 3340	3752	NEAS.83aa596a09d675487701d6a478ea9bf0.exe	84
PID 3752 wrote to memory of 3340	3752	NEAS.83aa596a09d675487701d6a478ea9bf0.exe	84
PID 3340 wrote to memory of 4708	3340	Cbphdn32.exe	85
PID 3340 wrote to memory of 4708	3340	Cbphdn32.exe	85
PID 3340 wrote to memory of 4708	3340	Cbphdn32.exe	85
PID 4708 wrote to memory of 2052	4708	Cofecami.exe	86
PID 4708 wrote to memory of 2052	4708	Cofecami.exe	86
PID 4708 wrote to memory of 2052	4708	Cofecami.exe	86
PID 2052 wrote to memory of 1764	2052	Cfcjfk32.exe	87
PID 2052 wrote to memory of 1764	2052	Cfcjfk32.exe	87
PID 2052 wrote to memory of 1764	2052	Cfcjfk32.exe	87
PID 1764 wrote to memory of 4336	1764	Llodgnja.exe	90
PID 1764 wrote to memory of 4336	1764	Llodgnja.exe	90
PID 1764 wrote to memory of 4336	1764	Llodgnja.exe	90
PID 4336 wrote to memory of 2148	4336	Kapfiqoj.exe	91
PID 4336 wrote to memory of 2148	4336	Kapfiqoj.exe	91
PID 4336 wrote to memory of 2148	4336	Kapfiqoj.exe	91
PID 2148 wrote to memory of 1560	2148	Mdpagc32.exe	92
PID 2148 wrote to memory of 1560	2148	Mdpagc32.exe	92
PID 2148 wrote to memory of 1560	2148	Mdpagc32.exe	92
PID 1560 wrote to memory of 1444	1560	Ndnnianm.exe	93
PID 1560 wrote to memory of 1444	1560	Ndnnianm.exe	93
PID 1560 wrote to memory of 1444	1560	Ndnnianm.exe	93
PID 1444 wrote to memory of 3972	1444	Okmpqjad.exe	94
PID 1444 wrote to memory of 3972	1444	Okmpqjad.exe	94
PID 1444 wrote to memory of 3972	1444	Okmpqjad.exe	94
PID 3972 wrote to memory of 4428	3972	Oomelheh.exe	95
PID 3972 wrote to memory of 4428	3972	Oomelheh.exe	95
PID 3972 wrote to memory of 4428	3972	Oomelheh.exe	95
PID 4428 wrote to memory of 1752	4428	Oflfdbip.exe	96
PID 4428 wrote to memory of 1752	4428	Oflfdbip.exe	96
PID 4428 wrote to memory of 1752	4428	Oflfdbip.exe	96
PID 1752 wrote to memory of 3004	1752	Pilpfm32.exe	97
PID 1752 wrote to memory of 3004	1752	Pilpfm32.exe	97
PID 1752 wrote to memory of 3004	1752	Pilpfm32.exe	97
PID 3004 wrote to memory of 1124	3004	Qckfid32.exe	98
PID 3004 wrote to memory of 1124	3004	Qckfid32.exe	98
PID 3004 wrote to memory of 1124	3004	Qckfid32.exe	98
PID 1124 wrote to memory of 4640	1124	Qihoak32.exe	99
PID 1124 wrote to memory of 4640	1124	Qihoak32.exe	99
PID 1124 wrote to memory of 4640	1124	Qihoak32.exe	99
PID 4640 wrote to memory of 4924	4640	Clpgkcdj.exe	101
PID 4640 wrote to memory of 4924	4640	Clpgkcdj.exe	101
PID 4640 wrote to memory of 4924	4640	Clpgkcdj.exe	101

C:\Users\Admin\AppData\Local\Temp\NEAS.83aa596a09d675487701d6a478ea9bf0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.83aa596a09d675487701d6a478ea9bf0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\SysWOW64\Cbphdn32.exe
  C:\Windows\system32\Cbphdn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\SysWOW64\Cofecami.exe
    C:\Windows\system32\Cofecami.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\SysWOW64\Cfcjfk32.exe
      C:\Windows\system32\Cfcjfk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        16⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 404
        17⤵
        Program crash
        
        PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4924 -ip 4924
1⤵
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cbphdn32.exe

Filesize
4.6MB

MD5
b80cd19761e6918c0ac667e32b50beec

SHA1
c26d1778e7df4bdd413267e959319d6dd2bc27f8

SHA256
5eddd05d3b50e687f479b06f82eef7c54ea448ba44cbd4b0939c49122d2c26e2

SHA512
ae3085b59c6acb697127e3615cbd14b70b9a92d15e93398d68b120a4a74bf4017ab4bcc8cc14daf32fb8582d965549b6c6de0624ea26d63a1844e04e18b20a09

Download Submit
C:\Windows\SysWOW64\Cbphdn32.exe

Filesize
4.6MB

MD5
b80cd19761e6918c0ac667e32b50beec

SHA1
c26d1778e7df4bdd413267e959319d6dd2bc27f8

SHA256
5eddd05d3b50e687f479b06f82eef7c54ea448ba44cbd4b0939c49122d2c26e2

SHA512
ae3085b59c6acb697127e3615cbd14b70b9a92d15e93398d68b120a4a74bf4017ab4bcc8cc14daf32fb8582d965549b6c6de0624ea26d63a1844e04e18b20a09

Download Submit
C:\Windows\SysWOW64\Cfcjfk32.exe

Filesize
4.6MB

MD5
e44d38b2a82ebe97620b3df1417bfc7e

SHA1
11d06623cc39eb136a6db4fab8b112736ce0044f

SHA256
ff578c58144e2a842ac07ad9395d055269c646bab0979e4ea8525c99724e1c53

SHA512
69844087dac5380b2a42726dc1a0f8041747052f075c80acea1edf6fb7164b179322f6f0b1393bdeab8862155645e07a85ce1e780a094c15400c877bf3eb4891

Download Submit
C:\Windows\SysWOW64\Cfcjfk32.exe

Filesize
4.6MB

MD5
6db80abc8fe56ee2fc50a6d8dbbc0cfd

SHA1
15b93498ff671fc70910beff785b8f860a9492c8

SHA256
15f0bc696944dcadd833a78bffba7089219c3a20d00691fcc5707e747fc84e34

SHA512
0ef70c267b0336b99d1c4b199c0edf47f474aae16756db6722ff66055d1a8ad938c70751d745618ebd1680ddfda0d45009435ad960ef607cc91e41e623417e2f

Download Submit
C:\Windows\SysWOW64\Cfcjfk32.exe

Filesize
4.6MB

MD5
6db80abc8fe56ee2fc50a6d8dbbc0cfd

SHA1
15b93498ff671fc70910beff785b8f860a9492c8

SHA256
15f0bc696944dcadd833a78bffba7089219c3a20d00691fcc5707e747fc84e34

SHA512
0ef70c267b0336b99d1c4b199c0edf47f474aae16756db6722ff66055d1a8ad938c70751d745618ebd1680ddfda0d45009435ad960ef607cc91e41e623417e2f

Download Submit
C:\Windows\SysWOW64\Clpgkcdj.exe

Filesize
4.6MB

MD5
3b9bb30cd53eff82885abbd992e85410

SHA1
fba42b4c50b9fa88bc6a0711f369c7719d258a0f

SHA256
d1e1ad634f13942d06732e9f375c99d9d419cb413f80bd1feee649a8e8812d1d

SHA512
6b83762db02f84b250ba436b0d76a09327a757148c1406d0e2f20661e64b600bb400cda744350301e21a4552bb132c20c11063d18d647e3a034b1670c63bc6ce

Download Submit
C:\Windows\SysWOW64\Clpgkcdj.exe

Filesize
4.6MB

MD5
3b9bb30cd53eff82885abbd992e85410

SHA1
fba42b4c50b9fa88bc6a0711f369c7719d258a0f

SHA256
d1e1ad634f13942d06732e9f375c99d9d419cb413f80bd1feee649a8e8812d1d

SHA512
6b83762db02f84b250ba436b0d76a09327a757148c1406d0e2f20661e64b600bb400cda744350301e21a4552bb132c20c11063d18d647e3a034b1670c63bc6ce

Download Submit
C:\Windows\SysWOW64\Cofecami.exe

Filesize
4.6MB

MD5
e44d38b2a82ebe97620b3df1417bfc7e

SHA1
11d06623cc39eb136a6db4fab8b112736ce0044f

SHA256
ff578c58144e2a842ac07ad9395d055269c646bab0979e4ea8525c99724e1c53

SHA512
69844087dac5380b2a42726dc1a0f8041747052f075c80acea1edf6fb7164b179322f6f0b1393bdeab8862155645e07a85ce1e780a094c15400c877bf3eb4891

Download Submit
C:\Windows\SysWOW64\Cofecami.exe

Filesize
4.6MB

MD5
e44d38b2a82ebe97620b3df1417bfc7e

SHA1
11d06623cc39eb136a6db4fab8b112736ce0044f

SHA256
ff578c58144e2a842ac07ad9395d055269c646bab0979e4ea8525c99724e1c53

SHA512
69844087dac5380b2a42726dc1a0f8041747052f075c80acea1edf6fb7164b179322f6f0b1393bdeab8862155645e07a85ce1e780a094c15400c877bf3eb4891

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
4.6MB

MD5
6f7b365a3079d8def43ab4c6d250641d

SHA1
2226e98f2547b4d38bdedebf2238f3587c993870

SHA256
61b429fc38d869a60a8736e4897cd49f22962b98d19f2cb3ccb45fbc6a3b5fb6

SHA512
5837634c108ce0487629e90cf21bff12b739539072238be4d6c5f063bf84b39d2c90d7d4f6f876f698a2c16c20633b7c17563f2db6c1e01960e164eda01e7962

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
4.6MB

MD5
6f7b365a3079d8def43ab4c6d250641d

SHA1
2226e98f2547b4d38bdedebf2238f3587c993870

SHA256
61b429fc38d869a60a8736e4897cd49f22962b98d19f2cb3ccb45fbc6a3b5fb6

SHA512
5837634c108ce0487629e90cf21bff12b739539072238be4d6c5f063bf84b39d2c90d7d4f6f876f698a2c16c20633b7c17563f2db6c1e01960e164eda01e7962

Download Submit
C:\Windows\SysWOW64\Kapfiqoj.exe

Filesize
4.6MB

MD5
057d2949c0127f6f435b26669004bc1c

SHA1
20dfa38199a3d6a0776e09516eaf67d6f2bd5abc

SHA256
dfcdffbf4b6c1bab3b16645ea99d099a7fd1c9239389ae3f407c074ec323ed76

SHA512
1bd63d69998d2034440674f4e0d35824085fea87f3a3d8800abaaf1a71ae03e504aabec374dc093070c2693a24fbe32df15a28795590ec58f6efd3b9fb682211

Download Submit
C:\Windows\SysWOW64\Kapfiqoj.exe

Filesize
4.6MB

MD5
057d2949c0127f6f435b26669004bc1c

SHA1
20dfa38199a3d6a0776e09516eaf67d6f2bd5abc

SHA256
dfcdffbf4b6c1bab3b16645ea99d099a7fd1c9239389ae3f407c074ec323ed76

SHA512
1bd63d69998d2034440674f4e0d35824085fea87f3a3d8800abaaf1a71ae03e504aabec374dc093070c2693a24fbe32df15a28795590ec58f6efd3b9fb682211

Download Submit
C:\Windows\SysWOW64\Llodgnja.exe

Filesize
4.6MB

MD5
57e8dd0e886f231e2c06cd2b248e9420

SHA1
81f91b6ebcb0074be2538a67281fda37f8428cbf

SHA256
a910a9dc315653ba4d7ab46c2b1fa8a0454f9d19549fa314c74402c7ee8e5446

SHA512
92ff79cf347e666c102e70eb977b39968a7f0ce92c068c55d941daaaacfac2c59e8e05c34ad2fcfea035298d09d0a8d94cbbef3b57c65fb60bb97520cc2130e4

Download Submit
C:\Windows\SysWOW64\Llodgnja.exe

Filesize
4.6MB

MD5
57e8dd0e886f231e2c06cd2b248e9420

SHA1
81f91b6ebcb0074be2538a67281fda37f8428cbf

SHA256
a910a9dc315653ba4d7ab46c2b1fa8a0454f9d19549fa314c74402c7ee8e5446

SHA512
92ff79cf347e666c102e70eb977b39968a7f0ce92c068c55d941daaaacfac2c59e8e05c34ad2fcfea035298d09d0a8d94cbbef3b57c65fb60bb97520cc2130e4

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
4.6MB

MD5
08bb4218cedbe7ad60576b113d67afc1

SHA1
8275e8ff359b2779864f61042dca70d8bbe2787b

SHA256
d67ac8fdbc483a635ef10ff482d548aa48b9eabae20de2335f619a27b191dc5e

SHA512
11049757c0e69e40f62b2f391fd62502107a107a2eedb1053d1c947f564d9e4252539ef51dce5b197606e91fc81f79b45c6beed2ec5a9ec7c5048b700a4da369

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
4.6MB

MD5
08bb4218cedbe7ad60576b113d67afc1

SHA1
8275e8ff359b2779864f61042dca70d8bbe2787b

SHA256
d67ac8fdbc483a635ef10ff482d548aa48b9eabae20de2335f619a27b191dc5e

SHA512
11049757c0e69e40f62b2f391fd62502107a107a2eedb1053d1c947f564d9e4252539ef51dce5b197606e91fc81f79b45c6beed2ec5a9ec7c5048b700a4da369

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe

Filesize
4.6MB

MD5
2b0f017f0256d6ab633340975b983f56

SHA1
1eaaa2510cb2313ebbc7b052094288e5dbe1f0b8

SHA256
c5b2907fe604934db25de35b983271afba59d447ca39416e34df8382b207141b

SHA512
749e432b357c7de5751553c4887e9c824c78cc4465b262d45ab1eb9b353536030eb1577b8d5ed8111f7437287bc92b12dcc0020c371393dd0d2d1c09194e7126

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe

Filesize
4.6MB

MD5
2b0f017f0256d6ab633340975b983f56

SHA1
1eaaa2510cb2313ebbc7b052094288e5dbe1f0b8

SHA256
c5b2907fe604934db25de35b983271afba59d447ca39416e34df8382b207141b

SHA512
749e432b357c7de5751553c4887e9c824c78cc4465b262d45ab1eb9b353536030eb1577b8d5ed8111f7437287bc92b12dcc0020c371393dd0d2d1c09194e7126

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
4.6MB

MD5
e32bd35d6d9531684a08069bd546b8d1

SHA1
aa19c35701c59775e8269af2f4c87172458b30a8

SHA256
609ca3c28571364b22dcf7d24767c984e50c5f05685bee7cf1d6931ae813543e

SHA512
b5801093bd08702618d93639bbdf559889555d6e6965da65a6e155611f2f0c581fc7258ff9ac670e20670a19cbf5796647c02d1afca2c294843a747ee4449ba5

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
4.6MB

MD5
e32bd35d6d9531684a08069bd546b8d1

SHA1
aa19c35701c59775e8269af2f4c87172458b30a8

SHA256
609ca3c28571364b22dcf7d24767c984e50c5f05685bee7cf1d6931ae813543e

SHA512
b5801093bd08702618d93639bbdf559889555d6e6965da65a6e155611f2f0c581fc7258ff9ac670e20670a19cbf5796647c02d1afca2c294843a747ee4449ba5

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
4.6MB

MD5
81b1e6bf05bb9651f593ea447a29b46d

SHA1
083103ecf8f709c4044cc958beafcb410d3fe9bd

SHA256
9d76ed62195b98ef275ea350ae195bfd7063cf24448460dcbdaecba604b6e0cf

SHA512
09a5bab1b1291abeb780d077322d01d478519331a8fd367fe9ade1b330571a2e69b76c38700efa6beec327645a328a79535364b372eb36d4f5121fc62c891b8a

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
4.6MB

MD5
81b1e6bf05bb9651f593ea447a29b46d

SHA1
083103ecf8f709c4044cc958beafcb410d3fe9bd

SHA256
9d76ed62195b98ef275ea350ae195bfd7063cf24448460dcbdaecba604b6e0cf

SHA512
09a5bab1b1291abeb780d077322d01d478519331a8fd367fe9ade1b330571a2e69b76c38700efa6beec327645a328a79535364b372eb36d4f5121fc62c891b8a

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
4.6MB

MD5
4f0acae202b897636b582abccba758e2

SHA1
db3e9ae080b5aa7de88fb1bbc1c0c0fd1a564ab7

SHA256
c249807324125a9e23cef838c41599c444867961961719f77264e36ff11e69a9

SHA512
5296e5db39bad31d551e81bbd9d848c61f1852b07cd718602d62c66b0dc45350954ba18a04b37626ecdf70b13028d30b2cd748f8edcbbdd2ef4001d8ca9a8f1a

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
4.6MB

MD5
4f0acae202b897636b582abccba758e2

SHA1
db3e9ae080b5aa7de88fb1bbc1c0c0fd1a564ab7

SHA256
c249807324125a9e23cef838c41599c444867961961719f77264e36ff11e69a9

SHA512
5296e5db39bad31d551e81bbd9d848c61f1852b07cd718602d62c66b0dc45350954ba18a04b37626ecdf70b13028d30b2cd748f8edcbbdd2ef4001d8ca9a8f1a

Download Submit
C:\Windows\SysWOW64\Pilpfm32.exe

Filesize
4.6MB

MD5
5a9bafc3d5228793c4c4a953830ce96c

SHA1
a5f1c7e13a28cc2f0dcab7026439202bf893ac81

SHA256
a13db33689d5c2af8d7f5f9ccf772e9be8c0d8470e3c24a3a46c99143f225a4b

SHA512
7256abe093320bc3ae5b3efe242d71cb1a62d76d507272c1f1197691effd0285997e6a0a5ad63ad21474a67adeececcecf36b169cad3d7f9eca326c0d8035196

Download Submit
C:\Windows\SysWOW64\Pilpfm32.exe

Filesize
4.6MB

MD5
5a9bafc3d5228793c4c4a953830ce96c

SHA1
a5f1c7e13a28cc2f0dcab7026439202bf893ac81

SHA256
a13db33689d5c2af8d7f5f9ccf772e9be8c0d8470e3c24a3a46c99143f225a4b

SHA512
7256abe093320bc3ae5b3efe242d71cb1a62d76d507272c1f1197691effd0285997e6a0a5ad63ad21474a67adeececcecf36b169cad3d7f9eca326c0d8035196

Download Submit
C:\Windows\SysWOW64\Qckfid32.exe

Filesize
4.6MB

MD5
54af7be0273c2307b1bcf7cb13f7884d

SHA1
33155296aa360a753fd3d62b41f0623bceaaaeaf

SHA256
35a0dc39de9f23ef30b8f652512e90e79cbc425a933d4320da852576410b7911

SHA512
e307b32269188f4e32fe93794100edaebb2b67a520ac136e75575a7dafe58806045a6d959a90c9c2dc3371a28f449567add08b55ebba02d29a4372be0781ac65

Download Submit
C:\Windows\SysWOW64\Qckfid32.exe

Filesize
4.6MB

MD5
54af7be0273c2307b1bcf7cb13f7884d

SHA1
33155296aa360a753fd3d62b41f0623bceaaaeaf

SHA256
35a0dc39de9f23ef30b8f652512e90e79cbc425a933d4320da852576410b7911

SHA512
e307b32269188f4e32fe93794100edaebb2b67a520ac136e75575a7dafe58806045a6d959a90c9c2dc3371a28f449567add08b55ebba02d29a4372be0781ac65

Download Submit
C:\Windows\SysWOW64\Qihoak32.exe

Filesize
4.6MB

MD5
525cf4b138da251eca2aa77eaafc3c1e

SHA1
36d18be12bb4691ac9006bb40124e77876f12039

SHA256
888365a4cbd1f1d5fb1ffff6aef47dab3af935b68c1163c6e62980d70df72a44

SHA512
a2fb009200eb7d92b66b43405b99457f4a923acbe68911c03a3356d08528d7ad6a69f173fc74a50ca7d58bb2c3d28c167a6b108076ddb5547610a660eb6d8bff

Download Submit
C:\Windows\SysWOW64\Qihoak32.exe

Filesize
4.6MB

MD5
525cf4b138da251eca2aa77eaafc3c1e

SHA1
36d18be12bb4691ac9006bb40124e77876f12039

SHA256
888365a4cbd1f1d5fb1ffff6aef47dab3af935b68c1163c6e62980d70df72a44

SHA512
a2fb009200eb7d92b66b43405b99457f4a923acbe68911c03a3356d08528d7ad6a69f173fc74a50ca7d58bb2c3d28c167a6b108076ddb5547610a660eb6d8bff

Download Submit
memory/1124-140-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1124-117-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1444-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1444-145-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1560-146-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1560-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1752-142-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1752-101-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1764-38-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1764-50-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2052-35-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2052-26-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2148-62-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2148-147-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3004-114-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3004-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3340-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3340-22-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3752-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3752-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3972-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3972-86-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4336-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4428-143-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4428-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4640-126-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4640-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4708-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4708-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4924-138-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4924-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads