b31e2128e7175c1d9627e4be7cc6d83438c5ef2975d70abd3ee9efe99e377be7

Analysis

max time kernel
90s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2023 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe
Size

1.7MB
MD5

c3e934149b1dc912d83f4d24a1d883f0
SHA1

310b8322ab17560798c855254182afa00e942fc3
SHA256

b31e2128e7175c1d9627e4be7cc6d83438c5ef2975d70abd3ee9efe99e377be7
SHA512

e50b31426e37a32068034c86a94df4f14a80c05d33509c579e3f3d67b70574edfb871ae411cfa2249b2c7ff049cf894d9c39f44c33146d5f292d6ae5ce403476
SSDEEP

49152:K3ix7/ix7yix7/ix7TMigix7/ix7yix7/ix7:K3U/UyU/UAzU/UyU/U

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmqfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nglhld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndnpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fealin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmqfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnldla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fealin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enpmld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dngjff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlnjbedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlnjbedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqkiok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oabhfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dngjff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dndnpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hffken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokmdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opqofe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nglhld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe

Executes dropped EXE 29 IoCs

pid	Process
4752	Dndnpf32.exe
1656	Dngjff32.exe
1640	Enpmld32.exe
3848	Fealin32.exe
4308	Hlnjbedi.exe
1292	Hffken32.exe
4804	Hbohpn32.exe
1660	Ifmqfm32.exe
2896	Lnldla32.exe
2260	Ljeafb32.exe
4284	Lncjlq32.exe
4820	Mgnlkfal.exe
3332	Mokmdh32.exe
5000	Mqkiok32.exe
2732	Nnojho32.exe
3588	Nglhld32.exe
1044	Ofhknodl.exe
3368	Opqofe32.exe
1860	Oabhfg32.exe
1644	Paeelgnj.exe
3340	Phcgcqab.exe
2976	Afbgkl32.exe
4292	Ahaceo32.exe
4048	Bgnffj32.exe
3552	Bgpcliao.exe
4856	Cdimqm32.exe
1840	Cncnob32.exe
456	Dkndie32.exe
3088	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mqkiok32.exe	Mokmdh32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Hffken32.exe	Hlnjbedi.exe
File opened for modification	C:\Windows\SysWOW64\Ifmqfm32.exe	Hbohpn32.exe
File created	C:\Windows\SysWOW64\Ahaceo32.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Bgpcliao.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Kolfbd32.dll	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Dngjff32.exe	Dndnpf32.exe
File created	C:\Windows\SysWOW64\Enpmld32.exe	Dngjff32.exe
File created	C:\Windows\SysWOW64\Ldldehjm.dll	Fealin32.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Hlnjbedi.exe	Fealin32.exe
File created	C:\Windows\SysWOW64\Oabhfg32.exe	Opqofe32.exe
File opened for modification	C:\Windows\SysWOW64\Bgpcliao.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Ifmqfm32.exe	Hbohpn32.exe
File created	C:\Windows\SysWOW64\Fmplqd32.dll	Ifmqfm32.exe
File opened for modification	C:\Windows\SysWOW64\Ljeafb32.exe	Lnldla32.exe
File opened for modification	C:\Windows\SysWOW64\Nglhld32.exe	Nnojho32.exe
File created	C:\Windows\SysWOW64\Phcgcqab.exe	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Jlkidpke.dll	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Kigcfhbi.dll	Hbohpn32.exe
File created	C:\Windows\SysWOW64\Lncjlq32.exe	Ljeafb32.exe
File created	C:\Windows\SysWOW64\Pmikmcgp.dll	Ofhknodl.exe
File created	C:\Windows\SysWOW64\Hffken32.exe	Hlnjbedi.exe
File created	C:\Windows\SysWOW64\Ngidlo32.dll	Lnldla32.exe
File created	C:\Windows\SysWOW64\Cnocia32.dll	Mgnlkfal.exe
File opened for modification	C:\Windows\SysWOW64\Oabhfg32.exe	Opqofe32.exe
File created	C:\Windows\SysWOW64\Kmephjke.dll	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Eignjamf.dll	Phcgcqab.exe
File opened for modification	C:\Windows\SysWOW64\Dndnpf32.exe	NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe
File opened for modification	C:\Windows\SysWOW64\Enpmld32.exe	Dngjff32.exe
File created	C:\Windows\SysWOW64\Bgaclkia.dll	Hffken32.exe
File opened for modification	C:\Windows\SysWOW64\Opqofe32.exe	Ofhknodl.exe
File opened for modification	C:\Windows\SysWOW64\Paeelgnj.exe	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dkndie32.exe
File created	C:\Windows\SysWOW64\Oidalg32.dll	NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe
File created	C:\Windows\SysWOW64\Ljeafb32.exe	Lnldla32.exe
File opened for modification	C:\Windows\SysWOW64\Lncjlq32.exe	Ljeafb32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnlkfal.exe	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Nglhld32.exe	Nnojho32.exe
File opened for modification	C:\Windows\SysWOW64\Afbgkl32.exe	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Ecpfpo32.dll	Bgnffj32.exe
File opened for modification	C:\Windows\SysWOW64\Dngjff32.exe	Dndnpf32.exe
File created	C:\Windows\SysWOW64\Kldbpfio.dll	Dngjff32.exe
File opened for modification	C:\Windows\SysWOW64\Lnldla32.exe	Ifmqfm32.exe
File created	C:\Windows\SysWOW64\Ehmjob32.dll	Ljeafb32.exe
File opened for modification	C:\Windows\SysWOW64\Ofhknodl.exe	Nglhld32.exe
File opened for modification	C:\Windows\SysWOW64\Cdimqm32.exe	Bgpcliao.exe
File opened for modification	C:\Windows\SysWOW64\Hbohpn32.exe	Hffken32.exe
File created	C:\Windows\SysWOW64\Imnbiq32.dll	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Eleqaiga.dll	Mqkiok32.exe
File created	C:\Windows\SysWOW64\Cedckdaj.dll	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Afbgkl32.exe	Phcgcqab.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Kmhjapnj.dll	Hlnjbedi.exe
File opened for modification	C:\Windows\SysWOW64\Nnojho32.exe	Mqkiok32.exe
File created	C:\Windows\SysWOW64\Ifomef32.dll	Nglhld32.exe
File created	C:\Windows\SysWOW64\Paeelgnj.exe	Oabhfg32.exe
File opened for modification	C:\Windows\SysWOW64\Bgnffj32.exe	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Fofdocoe.dll	Dndnpf32.exe
File opened for modification	C:\Windows\SysWOW64\Fealin32.exe	Enpmld32.exe
File created	C:\Windows\SysWOW64\Hlnjbedi.exe	Fealin32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4024	3088	WerFault.exe	113

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmikmcgp.dll"	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dndnpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldbpfio.dll"	Dngjff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhafkok.dll"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nglhld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fealin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaclkia.dll"	Hffken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngidlo32.dll"	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnocia32.dll"	Mgnlkfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnffoibg.dll"	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlnjbedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigcfhbi.dll"	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dndnpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldldehjm.dll"	Fealin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dngjff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fealin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlnjbedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imnbiq32.dll"	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofdocoe.dll"	Dndnpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dngjff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmplqd32.dll"	Ifmqfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimhbfpl.dll"	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll"	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqkiok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll"	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmqfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 4752	3504	NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe	82
PID 3504 wrote to memory of 4752	3504	NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe	82
PID 3504 wrote to memory of 4752	3504	NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe	82
PID 4752 wrote to memory of 1656	4752	Dndnpf32.exe	83
PID 4752 wrote to memory of 1656	4752	Dndnpf32.exe	83
PID 4752 wrote to memory of 1656	4752	Dndnpf32.exe	83
PID 1656 wrote to memory of 1640	1656	Dngjff32.exe	85
PID 1656 wrote to memory of 1640	1656	Dngjff32.exe	85
PID 1656 wrote to memory of 1640	1656	Dngjff32.exe	85
PID 1640 wrote to memory of 3848	1640	Enpmld32.exe	86
PID 1640 wrote to memory of 3848	1640	Enpmld32.exe	86
PID 1640 wrote to memory of 3848	1640	Enpmld32.exe	86
PID 3848 wrote to memory of 4308	3848	Fealin32.exe	88
PID 3848 wrote to memory of 4308	3848	Fealin32.exe	88
PID 3848 wrote to memory of 4308	3848	Fealin32.exe	88
PID 4308 wrote to memory of 1292	4308	Hlnjbedi.exe	89
PID 4308 wrote to memory of 1292	4308	Hlnjbedi.exe	89
PID 4308 wrote to memory of 1292	4308	Hlnjbedi.exe	89
PID 1292 wrote to memory of 4804	1292	Hffken32.exe	90
PID 1292 wrote to memory of 4804	1292	Hffken32.exe	90
PID 1292 wrote to memory of 4804	1292	Hffken32.exe	90
PID 4804 wrote to memory of 1660	4804	Hbohpn32.exe	91
PID 4804 wrote to memory of 1660	4804	Hbohpn32.exe	91
PID 4804 wrote to memory of 1660	4804	Hbohpn32.exe	91
PID 1660 wrote to memory of 2896	1660	Ifmqfm32.exe	93
PID 1660 wrote to memory of 2896	1660	Ifmqfm32.exe	93
PID 1660 wrote to memory of 2896	1660	Ifmqfm32.exe	93
PID 2896 wrote to memory of 2260	2896	Lnldla32.exe	94
PID 2896 wrote to memory of 2260	2896	Lnldla32.exe	94
PID 2896 wrote to memory of 2260	2896	Lnldla32.exe	94
PID 2260 wrote to memory of 4284	2260	Ljeafb32.exe	95
PID 2260 wrote to memory of 4284	2260	Ljeafb32.exe	95
PID 2260 wrote to memory of 4284	2260	Ljeafb32.exe	95
PID 4284 wrote to memory of 4820	4284	Lncjlq32.exe	96
PID 4284 wrote to memory of 4820	4284	Lncjlq32.exe	96
PID 4284 wrote to memory of 4820	4284	Lncjlq32.exe	96
PID 4820 wrote to memory of 3332	4820	Mgnlkfal.exe	97
PID 4820 wrote to memory of 3332	4820	Mgnlkfal.exe	97
PID 4820 wrote to memory of 3332	4820	Mgnlkfal.exe	97
PID 3332 wrote to memory of 5000	3332	Mokmdh32.exe	98
PID 3332 wrote to memory of 5000	3332	Mokmdh32.exe	98
PID 3332 wrote to memory of 5000	3332	Mokmdh32.exe	98
PID 5000 wrote to memory of 2732	5000	Mqkiok32.exe	99
PID 5000 wrote to memory of 2732	5000	Mqkiok32.exe	99
PID 5000 wrote to memory of 2732	5000	Mqkiok32.exe	99
PID 2732 wrote to memory of 3588	2732	Nnojho32.exe	100
PID 2732 wrote to memory of 3588	2732	Nnojho32.exe	100
PID 2732 wrote to memory of 3588	2732	Nnojho32.exe	100
PID 3588 wrote to memory of 1044	3588	Nglhld32.exe	101
PID 3588 wrote to memory of 1044	3588	Nglhld32.exe	101
PID 3588 wrote to memory of 1044	3588	Nglhld32.exe	101
PID 1044 wrote to memory of 3368	1044	Ofhknodl.exe	102
PID 1044 wrote to memory of 3368	1044	Ofhknodl.exe	102
PID 1044 wrote to memory of 3368	1044	Ofhknodl.exe	102
PID 3368 wrote to memory of 1860	3368	Opqofe32.exe	103
PID 3368 wrote to memory of 1860	3368	Opqofe32.exe	103
PID 3368 wrote to memory of 1860	3368	Opqofe32.exe	103
PID 1860 wrote to memory of 1644	1860	Oabhfg32.exe	104
PID 1860 wrote to memory of 1644	1860	Oabhfg32.exe	104
PID 1860 wrote to memory of 1644	1860	Oabhfg32.exe	104
PID 1644 wrote to memory of 3340	1644	Paeelgnj.exe	105
PID 1644 wrote to memory of 3340	1644	Paeelgnj.exe	105
PID 1644 wrote to memory of 3340	1644	Paeelgnj.exe	105
PID 3340 wrote to memory of 2976	3340	Phcgcqab.exe	106

C:\Users\Admin\AppData\Local\Temp\NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c3e934149b1dc912d83f4d24a1d883f0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\SysWOW64\Dndnpf32.exe
  C:\Windows\system32\Dndnpf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\Dngjff32.exe
    C:\Windows\system32\Dngjff32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SysWOW64\Enpmld32.exe
      C:\Windows\system32\Enpmld32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
      - C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        30⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 400
        31⤵
        Program crash
        
        PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3088 -ip 3088
1⤵
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afbgkl32.exe

Filesize
1.7MB

MD5
37e4297ea41e6ac3c1ff98ab1dc2cd8a

SHA1
ec87f59819eba346f98aa15d8ba9b8c287f22d39

SHA256
41aa8916092bdf0e6072cf219300c78d685125f7dfe0745ab01fe75838c95641

SHA512
41dd151447a2c62c195b140694777cecfe31e1e22a39a8c8fd8e9aa82c986cd60073ce5ab2b7f2e65eb047bbd0d1b9d1ad7f65887a89be0f0ad86282bdaba75f

Download Submit
C:\Windows\SysWOW64\Afbgkl32.exe

Filesize
1.7MB

MD5
37e4297ea41e6ac3c1ff98ab1dc2cd8a

SHA1
ec87f59819eba346f98aa15d8ba9b8c287f22d39

SHA256
41aa8916092bdf0e6072cf219300c78d685125f7dfe0745ab01fe75838c95641

SHA512
41dd151447a2c62c195b140694777cecfe31e1e22a39a8c8fd8e9aa82c986cd60073ce5ab2b7f2e65eb047bbd0d1b9d1ad7f65887a89be0f0ad86282bdaba75f

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
1.7MB

MD5
cd4ea4de452dcec02ebf92c6e2430382

SHA1
9f28b3533f341f540e2c83812f4c3c188c1bd7fe

SHA256
8c12d6bf556cfe5da3f1397200825b73a0a892fad155201bdc84a96210ee470c

SHA512
57307e23a11fe0f8e215d4860c4bbf09cb3f67ef102ab7f590a59698a4c32342fc6b2593fb9e39b56e3f924661df8ccf439634523016e7124f10b10e03c01d4c

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
1.7MB

MD5
cd4ea4de452dcec02ebf92c6e2430382

SHA1
9f28b3533f341f540e2c83812f4c3c188c1bd7fe

SHA256
8c12d6bf556cfe5da3f1397200825b73a0a892fad155201bdc84a96210ee470c

SHA512
57307e23a11fe0f8e215d4860c4bbf09cb3f67ef102ab7f590a59698a4c32342fc6b2593fb9e39b56e3f924661df8ccf439634523016e7124f10b10e03c01d4c

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
1.7MB

MD5
cd4ea4de452dcec02ebf92c6e2430382

SHA1
9f28b3533f341f540e2c83812f4c3c188c1bd7fe

SHA256
8c12d6bf556cfe5da3f1397200825b73a0a892fad155201bdc84a96210ee470c

SHA512
57307e23a11fe0f8e215d4860c4bbf09cb3f67ef102ab7f590a59698a4c32342fc6b2593fb9e39b56e3f924661df8ccf439634523016e7124f10b10e03c01d4c

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
1.7MB

MD5
1334e7c407b9642404e34a0ee70ec43f

SHA1
b326d35fcd40d86d3e58d49aa1b3ec2adb2fca95

SHA256
f49c9233d3d0356e3004d3e327e168f28de6b70d2f044757521c4ebba41d9678

SHA512
2bcc3ef30be71b7b890862adfe67985dda56a2ed4bb6a5596d99b1e3bdaf992a06f78d29a6696e69b8fdda5f723595b8085f38593028c81aee4068eb8d99dd32

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
1.7MB

MD5
1334e7c407b9642404e34a0ee70ec43f

SHA1
b326d35fcd40d86d3e58d49aa1b3ec2adb2fca95

SHA256
f49c9233d3d0356e3004d3e327e168f28de6b70d2f044757521c4ebba41d9678

SHA512
2bcc3ef30be71b7b890862adfe67985dda56a2ed4bb6a5596d99b1e3bdaf992a06f78d29a6696e69b8fdda5f723595b8085f38593028c81aee4068eb8d99dd32

Download Submit
C:\Windows\SysWOW64\Bgpcliao.exe

Filesize
1.7MB

MD5
76033b1cbc2658a1a79416519435d7b7

SHA1
63dfd160bcca18abac77a9a2c66cbe0810315583

SHA256
997aef5d63d0bbe05cd73f125d4ff6a6c3ee17664b51c5a13950f7ce37146df6

SHA512
652424fa309676c1c1863b8aa188f0b591402d3a34c950bd813a32940004d55976bffd219712b5e7cbe385c634d5700bd452a551d295f53dd6ca88ea3e8ca38b

Download Submit
C:\Windows\SysWOW64\Bgpcliao.exe

Filesize
1.7MB

MD5
76033b1cbc2658a1a79416519435d7b7

SHA1
63dfd160bcca18abac77a9a2c66cbe0810315583

SHA256
997aef5d63d0bbe05cd73f125d4ff6a6c3ee17664b51c5a13950f7ce37146df6

SHA512
652424fa309676c1c1863b8aa188f0b591402d3a34c950bd813a32940004d55976bffd219712b5e7cbe385c634d5700bd452a551d295f53dd6ca88ea3e8ca38b

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
1.7MB

MD5
ed3ccee737d2ed02f700893f92af86e3

SHA1
c1f6eb058f8b578afdcb03c86c20963b25662cde

SHA256
d83434b10f1cd0a41a4d1061e2ef3da7c0cfb3591d0ce09c75ed9a60a4b69f92

SHA512
46298be8f7a4bb867c1178950f10f6987dc234e55a0fac42d3a0c3b5cc54ce399eb351dd17311ddf8b6b18cdebd492f501932c0a45ba00c35f69be1ebacefbd2

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
1.7MB

MD5
ed3ccee737d2ed02f700893f92af86e3

SHA1
c1f6eb058f8b578afdcb03c86c20963b25662cde

SHA256
d83434b10f1cd0a41a4d1061e2ef3da7c0cfb3591d0ce09c75ed9a60a4b69f92

SHA512
46298be8f7a4bb867c1178950f10f6987dc234e55a0fac42d3a0c3b5cc54ce399eb351dd17311ddf8b6b18cdebd492f501932c0a45ba00c35f69be1ebacefbd2

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
1.7MB

MD5
3c36902e5b6d3a0cdfa67813e726830a

SHA1
98a87ab99312fea2721c7484c4f8fbe04a2f32e9

SHA256
be00c3b4a7f9fc7e230e8b5220b59b29d99cfbe1c6aaa1bdddf3bcf8609538ac

SHA512
66f69c8615eacbe97f7cbd87ef96876735f76b62ce0bdc729f205ca16715559ebf3605a64f208b1b5d8509a5ca87f0ef22d5f62ce2d59b0f01339bccf8da4c3c

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
1.7MB

MD5
3c36902e5b6d3a0cdfa67813e726830a

SHA1
98a87ab99312fea2721c7484c4f8fbe04a2f32e9

SHA256
be00c3b4a7f9fc7e230e8b5220b59b29d99cfbe1c6aaa1bdddf3bcf8609538ac

SHA512
66f69c8615eacbe97f7cbd87ef96876735f76b62ce0bdc729f205ca16715559ebf3605a64f208b1b5d8509a5ca87f0ef22d5f62ce2d59b0f01339bccf8da4c3c

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
1.7MB

MD5
3e36a302bde5b8f117f315aa9de276c5

SHA1
fd6fd566b7aadbad07257b7f33aac4623e90d6d4

SHA256
3609b7f79738d33e58b86faae6e788358c8e701d6445a2ce7556ddd983729452

SHA512
7daf62d7dbcc78bfe0a426fd5411a5eb0baea15168b287efd2db896b25379b6263ae03f64656aed01b483aeb3e664217fb0dd08f58bf758390a3e08d22a25f8e

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
1.7MB

MD5
3e36a302bde5b8f117f315aa9de276c5

SHA1
fd6fd566b7aadbad07257b7f33aac4623e90d6d4

SHA256
3609b7f79738d33e58b86faae6e788358c8e701d6445a2ce7556ddd983729452

SHA512
7daf62d7dbcc78bfe0a426fd5411a5eb0baea15168b287efd2db896b25379b6263ae03f64656aed01b483aeb3e664217fb0dd08f58bf758390a3e08d22a25f8e

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
1.7MB

MD5
490ad430e348dd76de5d2576787b5aba

SHA1
caf53ff595185a361fbcdc59dd192c7a5a8460e2

SHA256
dfc4bf93f4b82704e2dd7754ddf110fb99a85cb0bab6907c1b14cac8d143dc0b

SHA512
732e6c70dce66f30f2e15f1751ae8aadd6917e5636eb044922a96b6dfbe211240814381c7c6254b3a2f72e0bacac2bd1ba868921db562a993bc047720db9a7b2

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
1.7MB

MD5
490ad430e348dd76de5d2576787b5aba

SHA1
caf53ff595185a361fbcdc59dd192c7a5a8460e2

SHA256
dfc4bf93f4b82704e2dd7754ddf110fb99a85cb0bab6907c1b14cac8d143dc0b

SHA512
732e6c70dce66f30f2e15f1751ae8aadd6917e5636eb044922a96b6dfbe211240814381c7c6254b3a2f72e0bacac2bd1ba868921db562a993bc047720db9a7b2

Download Submit
C:\Windows\SysWOW64\Dndnpf32.exe

Filesize
1.7MB

MD5
b43a8c4cdf6c67f5a001f07777a2fe7c

SHA1
a181e9207b35bfa80443397353c9e39a2f4b0107

SHA256
5f894f37f1131b85b61398fc47a0b731fc60c8f75c5fa387d44129c66bd15d32

SHA512
67f4273a221bd37410cc7980c291e6047714a0ce0b0718c1b5c5bbec0edd464b6c01f15a08ddee8f40e7eb1ef96c3644fd396c7c98301e39bf0f72f1bf693c8a

Download Submit
C:\Windows\SysWOW64\Dndnpf32.exe

Filesize
1.7MB

MD5
b43a8c4cdf6c67f5a001f07777a2fe7c

SHA1
a181e9207b35bfa80443397353c9e39a2f4b0107

SHA256
5f894f37f1131b85b61398fc47a0b731fc60c8f75c5fa387d44129c66bd15d32

SHA512
67f4273a221bd37410cc7980c291e6047714a0ce0b0718c1b5c5bbec0edd464b6c01f15a08ddee8f40e7eb1ef96c3644fd396c7c98301e39bf0f72f1bf693c8a

Download Submit
C:\Windows\SysWOW64\Dngjff32.exe

Filesize
1.7MB

MD5
485afb18b2d2fc347b3e8a8d71e717db

SHA1
89848c06c4c674fe9ab134a1cd6eec8e88114567

SHA256
74e1acc3b853267c5393bd60ae77f0800ef2ebb553d9ab3e818ab93aa1ca1b7c

SHA512
593a8004088c4b812c37c6626af8a4cc3c2636f9fd82d550fea9f6ff7aebd87d7afdcbe5fc21e1758d809eaab58d4254ff785bb9ad09917c682b744d07d7e8d3

Download Submit
C:\Windows\SysWOW64\Dngjff32.exe

Filesize
1.7MB

MD5
485afb18b2d2fc347b3e8a8d71e717db

SHA1
89848c06c4c674fe9ab134a1cd6eec8e88114567

SHA256
74e1acc3b853267c5393bd60ae77f0800ef2ebb553d9ab3e818ab93aa1ca1b7c

SHA512
593a8004088c4b812c37c6626af8a4cc3c2636f9fd82d550fea9f6ff7aebd87d7afdcbe5fc21e1758d809eaab58d4254ff785bb9ad09917c682b744d07d7e8d3

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
1.7MB

MD5
db87e67d32bec4ad83c4beae2bbf9f5a

SHA1
5ebc6e7896d0c3b30304b7344e7f45ab08584570

SHA256
0807e95b9c513b0034d44d2d325ce07e7770d6d91595e29a8c58efdd3be9bc52

SHA512
10fa6d18cc424852240e50215d8f9327de8a0b314207476c95d24e6fe8725593433d5695b668a6647d048de06736f47dfe7e93a34ab5475c8c58e593320209e3

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
1.7MB

MD5
db87e67d32bec4ad83c4beae2bbf9f5a

SHA1
5ebc6e7896d0c3b30304b7344e7f45ab08584570

SHA256
0807e95b9c513b0034d44d2d325ce07e7770d6d91595e29a8c58efdd3be9bc52

SHA512
10fa6d18cc424852240e50215d8f9327de8a0b314207476c95d24e6fe8725593433d5695b668a6647d048de06736f47dfe7e93a34ab5475c8c58e593320209e3

Download Submit
C:\Windows\SysWOW64\Fealin32.exe

Filesize
1.7MB

MD5
db87e67d32bec4ad83c4beae2bbf9f5a

SHA1
5ebc6e7896d0c3b30304b7344e7f45ab08584570

SHA256
0807e95b9c513b0034d44d2d325ce07e7770d6d91595e29a8c58efdd3be9bc52

SHA512
10fa6d18cc424852240e50215d8f9327de8a0b314207476c95d24e6fe8725593433d5695b668a6647d048de06736f47dfe7e93a34ab5475c8c58e593320209e3

Download Submit
C:\Windows\SysWOW64\Fealin32.exe

Filesize
1.7MB

MD5
e9d1d86950d16e5da06db1cf20f5fc34

SHA1
d4b181f4f3a4ee9f28e15c5189d535289b4c17f0

SHA256
488b90767b3c79f3aa75a2ba31a88a44158ec5fde8d83e2a59fc4a6576cc377b

SHA512
bf25a86aac3ca4ad27a2c83efa3bf1c785bf30643ba9b08a5b8f87aab21e48c354f775cbe5c7279a6182a95dd70b8bdd5eabec3226e3ddc28ae10c99aa56757a

Download Submit
C:\Windows\SysWOW64\Fealin32.exe

Filesize
1.7MB

MD5
e9d1d86950d16e5da06db1cf20f5fc34

SHA1
d4b181f4f3a4ee9f28e15c5189d535289b4c17f0

SHA256
488b90767b3c79f3aa75a2ba31a88a44158ec5fde8d83e2a59fc4a6576cc377b

SHA512
bf25a86aac3ca4ad27a2c83efa3bf1c785bf30643ba9b08a5b8f87aab21e48c354f775cbe5c7279a6182a95dd70b8bdd5eabec3226e3ddc28ae10c99aa56757a

Download Submit
C:\Windows\SysWOW64\Hbohpn32.exe

Filesize
1.7MB

MD5
d3e07477b9346742e4e3b3e54c26bc60

SHA1
b19e00e049c88293be7b651d5e5029bcf6ed9077

SHA256
5d440fbd5fac1c0faf0dfd9ceabe0b0e457764efeed87c076ebfca8f4fe62d7d

SHA512
706284982f7e90de5299dbedb0d621cbc149562832e1fbb6931b09e91dd58958ccbe1b19ce073c75aecb825b146a95ffb06a5884642aa827feb7dd5efaefcc25

Download Submit
C:\Windows\SysWOW64\Hbohpn32.exe

Filesize
1.7MB

MD5
d3e07477b9346742e4e3b3e54c26bc60

SHA1
b19e00e049c88293be7b651d5e5029bcf6ed9077

SHA256
5d440fbd5fac1c0faf0dfd9ceabe0b0e457764efeed87c076ebfca8f4fe62d7d

SHA512
706284982f7e90de5299dbedb0d621cbc149562832e1fbb6931b09e91dd58958ccbe1b19ce073c75aecb825b146a95ffb06a5884642aa827feb7dd5efaefcc25

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
1.7MB

MD5
9ef5a050ba14de8eea2e6b007fe4c9c2

SHA1
dc33741be6893dfad2938ae254f8127654e004a5

SHA256
2cc86c837c8acfcf7fcb848c615e37c8d7e554516a82faeb250afa4ecae49e2b

SHA512
8e8529d896a851ae3c8bab2b429bf79cf40f1619315cf86450aefe96fcb42f730b2d7d602ca7405c9b2d100b69e8628f5fe205a84dde24be71c57f3eb6b347da

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
1.7MB

MD5
9ef5a050ba14de8eea2e6b007fe4c9c2

SHA1
dc33741be6893dfad2938ae254f8127654e004a5

SHA256
2cc86c837c8acfcf7fcb848c615e37c8d7e554516a82faeb250afa4ecae49e2b

SHA512
8e8529d896a851ae3c8bab2b429bf79cf40f1619315cf86450aefe96fcb42f730b2d7d602ca7405c9b2d100b69e8628f5fe205a84dde24be71c57f3eb6b347da

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe

Filesize
1.7MB

MD5
4d34ade57c4d9c8d9c6b9e3c0bbff91e

SHA1
25477e8c23ab0b3666db1734565438a04b668314

SHA256
7bcc0b60a1a5e52b63dec04fb941f505165a74df0bc3cca2a57a9748b676053b

SHA512
50e3719f97a6cc965148cf1283c6fe75dd77387a7b7d7b99f97a7317db3dabea74033c51d63b3a80754af8a94ed26f18dd254ae72b85acab0f6303aa29aae257

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe

Filesize
1.7MB

MD5
4d34ade57c4d9c8d9c6b9e3c0bbff91e

SHA1
25477e8c23ab0b3666db1734565438a04b668314

SHA256
7bcc0b60a1a5e52b63dec04fb941f505165a74df0bc3cca2a57a9748b676053b

SHA512
50e3719f97a6cc965148cf1283c6fe75dd77387a7b7d7b99f97a7317db3dabea74033c51d63b3a80754af8a94ed26f18dd254ae72b85acab0f6303aa29aae257

Download Submit
C:\Windows\SysWOW64\Ifmqfm32.exe

Filesize
1.7MB

MD5
246fe970df32542609d99eb117505942

SHA1
642f064f751f349dde26698c7cd4e854e191b369

SHA256
d8a6bc7f131c2977e7848e6ee80e89ec99df841f1fc57545e08971f120ca82cc

SHA512
aea64373e915afdbba54ac3cb6f1d0e0a9cab20ac0095a2baf798585abb00feafc93909c4ff7e8620d8a0bcde9b56c9533fdbb658d9bc24191fbc519a85cb779

Download Submit
C:\Windows\SysWOW64\Ifmqfm32.exe

Filesize
1.7MB

MD5
246fe970df32542609d99eb117505942

SHA1
642f064f751f349dde26698c7cd4e854e191b369

SHA256
d8a6bc7f131c2977e7848e6ee80e89ec99df841f1fc57545e08971f120ca82cc

SHA512
aea64373e915afdbba54ac3cb6f1d0e0a9cab20ac0095a2baf798585abb00feafc93909c4ff7e8620d8a0bcde9b56c9533fdbb658d9bc24191fbc519a85cb779

Download Submit
C:\Windows\SysWOW64\Ljeafb32.exe

Filesize
1.7MB

MD5
ce50480bfa106483cf15375ea9cc572b

SHA1
5d7c6aea075e59d5a42a911e101d9e3bcb58676e

SHA256
aa98028918faebd79498d85f1702509ed172a1ad24fa48c8d11af7af21175f0b

SHA512
2632dea35b6f1fd61e02e785bed2786263100785eaea13132cd1d12c9300eba968cd0ddde06a93e32e88508a00b035b642522b6e73b640ffd123a9916224c855

Download Submit
C:\Windows\SysWOW64\Ljeafb32.exe

Filesize
1.7MB

MD5
98aa5ccade3de4461430e14428e83682

SHA1
703c61b79b386fb1d536861c783841bb936b2edc

SHA256
b30e05ae9f31e7fb07f7f53befd2451f2dba96763650ac1eea3a2cb4ca175f28

SHA512
4e3d554496e67f32ff1625f5bc4e6e51bc392563d659f323085f9186ccd2a8af4f79520d5862610f7d2a042ff1c219f8592e0232ff30c073b93acb03f235f6f4

Download Submit
C:\Windows\SysWOW64\Ljeafb32.exe

Filesize
1.7MB

MD5
98aa5ccade3de4461430e14428e83682

SHA1
703c61b79b386fb1d536861c783841bb936b2edc

SHA256
b30e05ae9f31e7fb07f7f53befd2451f2dba96763650ac1eea3a2cb4ca175f28

SHA512
4e3d554496e67f32ff1625f5bc4e6e51bc392563d659f323085f9186ccd2a8af4f79520d5862610f7d2a042ff1c219f8592e0232ff30c073b93acb03f235f6f4

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
1.7MB

MD5
9531b451d1bd58ceb50b13f8ded4c7b7

SHA1
e9c0b35e1ea59f034316f19c4228aeec180ca970

SHA256
ec9c8ea61cf53b5b5e41f0a72e2965f8432a1fd461e72b264e441965d578166e

SHA512
77b3520893a2577e84b64ee2fc99f75065f6f10878df65b68c4e95c2da503a4ef2e6aadee1632d977cc099ac6b609a4300522d69fd0cd9915563fd1301204812

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
1.7MB

MD5
9531b451d1bd58ceb50b13f8ded4c7b7

SHA1
e9c0b35e1ea59f034316f19c4228aeec180ca970

SHA256
ec9c8ea61cf53b5b5e41f0a72e2965f8432a1fd461e72b264e441965d578166e

SHA512
77b3520893a2577e84b64ee2fc99f75065f6f10878df65b68c4e95c2da503a4ef2e6aadee1632d977cc099ac6b609a4300522d69fd0cd9915563fd1301204812

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe

Filesize
1.7MB

MD5
ce50480bfa106483cf15375ea9cc572b

SHA1
5d7c6aea075e59d5a42a911e101d9e3bcb58676e

SHA256
aa98028918faebd79498d85f1702509ed172a1ad24fa48c8d11af7af21175f0b

SHA512
2632dea35b6f1fd61e02e785bed2786263100785eaea13132cd1d12c9300eba968cd0ddde06a93e32e88508a00b035b642522b6e73b640ffd123a9916224c855

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe

Filesize
1.7MB

MD5
ce50480bfa106483cf15375ea9cc572b

SHA1
5d7c6aea075e59d5a42a911e101d9e3bcb58676e

SHA256
aa98028918faebd79498d85f1702509ed172a1ad24fa48c8d11af7af21175f0b

SHA512
2632dea35b6f1fd61e02e785bed2786263100785eaea13132cd1d12c9300eba968cd0ddde06a93e32e88508a00b035b642522b6e73b640ffd123a9916224c855

Download Submit
C:\Windows\SysWOW64\Mgnlkfal.exe

Filesize
1.7MB

MD5
bac3b159fe9e03c02090ea7e00598ebe

SHA1
da0142ac340b3a31fd3397ff1e6ca787d5970ee9

SHA256
3fcf7b739bf42d80eebc41ac65be71271163520d1536f03788dd759504f40a8a

SHA512
f111fbb8530b0e790f7159df4926e2614b7aef9c64f27d4716147eb0fc8a4993f923bee638657a80aa329b5aa4734c35216dfb08176f1b44a721a0cb8ded861a

Download Submit
C:\Windows\SysWOW64\Mgnlkfal.exe

Filesize
1.7MB

MD5
bac3b159fe9e03c02090ea7e00598ebe

SHA1
da0142ac340b3a31fd3397ff1e6ca787d5970ee9

SHA256
3fcf7b739bf42d80eebc41ac65be71271163520d1536f03788dd759504f40a8a

SHA512
f111fbb8530b0e790f7159df4926e2614b7aef9c64f27d4716147eb0fc8a4993f923bee638657a80aa329b5aa4734c35216dfb08176f1b44a721a0cb8ded861a

Download Submit
C:\Windows\SysWOW64\Mokmdh32.exe

Filesize
1.7MB

MD5
3c4316432dca6a67c59662cb5074e2b9

SHA1
bbff8e196249ac87ad8a5c59d3c618799853f4aa

SHA256
179aaa77cd6980379f488a98adde3a9df43ef8ed11771065e3952598a10582c0

SHA512
5d3698f8be66114d01c728d7b694d2d6c0ad94b3799dc5ff21cf1130eb6bb657ecce3033bf7a64801791d92aa3d5226eb006a5016405728263be0ff8e9e9a986

Download Submit
C:\Windows\SysWOW64\Mokmdh32.exe

Filesize
1.7MB

MD5
3c4316432dca6a67c59662cb5074e2b9

SHA1
bbff8e196249ac87ad8a5c59d3c618799853f4aa

SHA256
179aaa77cd6980379f488a98adde3a9df43ef8ed11771065e3952598a10582c0

SHA512
5d3698f8be66114d01c728d7b694d2d6c0ad94b3799dc5ff21cf1130eb6bb657ecce3033bf7a64801791d92aa3d5226eb006a5016405728263be0ff8e9e9a986

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
1.7MB

MD5
4cb11cc6b7cfb00941b112c40a718d70

SHA1
952f52ab4728afcac8da96b2ea0bbe9980cc1abe

SHA256
d82bfc7bffb3dfcae2fd70782a3b8b843d493c0afaa50408344fa00ac1b865cb

SHA512
d7176c42ce30385622b4df3ea28c45c11a035891373899f894d4aef5974d19d3170ea9bb49933073b02a0f9257945c4caa1157cae1b4c56fd3a37ddbfa0f9a6f

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
1.7MB

MD5
4cb11cc6b7cfb00941b112c40a718d70

SHA1
952f52ab4728afcac8da96b2ea0bbe9980cc1abe

SHA256
d82bfc7bffb3dfcae2fd70782a3b8b843d493c0afaa50408344fa00ac1b865cb

SHA512
d7176c42ce30385622b4df3ea28c45c11a035891373899f894d4aef5974d19d3170ea9bb49933073b02a0f9257945c4caa1157cae1b4c56fd3a37ddbfa0f9a6f

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
1.7MB

MD5
f053829c58b760ac6b9cb81ad8581214

SHA1
ca1b88034b9737626375d74580e5132ada972129

SHA256
6659a139beb59e0a44992fac22a14c6b21a1343fb2e0b7983595bad48e699405

SHA512
a554ff48f2910c337d9c055c9211eb2216896e6489d49fff4cd31ca717741215d7107241693ecdbd1512bfa85b6d154c3997e46479b9b3828ccccaa4c389eb83

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
1.7MB

MD5
f053829c58b760ac6b9cb81ad8581214

SHA1
ca1b88034b9737626375d74580e5132ada972129

SHA256
6659a139beb59e0a44992fac22a14c6b21a1343fb2e0b7983595bad48e699405

SHA512
a554ff48f2910c337d9c055c9211eb2216896e6489d49fff4cd31ca717741215d7107241693ecdbd1512bfa85b6d154c3997e46479b9b3828ccccaa4c389eb83

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
1.7MB

MD5
b910979dd6ff8b742388e650ca926e34

SHA1
6e9b532d8d34e8de1f3a0b06c3d47788ec0f91f1

SHA256
b3e7533c1f1c17029a50af3bae0be87d377132fb2fc7cd6a949e81f935619b0e

SHA512
4ab1cbb0dfa34fed20febc247220eae84fa48e473987078f253e6c092ccb7a26bec4c5249b6b4ed9a4a5e83dd946160c8e5e598f764a6de6ddc59b1277665569

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
1.7MB

MD5
b910979dd6ff8b742388e650ca926e34

SHA1
6e9b532d8d34e8de1f3a0b06c3d47788ec0f91f1

SHA256
b3e7533c1f1c17029a50af3bae0be87d377132fb2fc7cd6a949e81f935619b0e

SHA512
4ab1cbb0dfa34fed20febc247220eae84fa48e473987078f253e6c092ccb7a26bec4c5249b6b4ed9a4a5e83dd946160c8e5e598f764a6de6ddc59b1277665569

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
1.7MB

MD5
042a92d1e5bfdf3224ce734ccb5ad474

SHA1
70ba22b4a4fd06690b4d766e1d94d0714a6582d5

SHA256
d1f97a154a4f355ae715be8fe3ef34a5ed1a286b9497ebcecdec741e12adc4e1

SHA512
fed3ca442bafd8fda5b4c9ba62f60cbfec7dada0bb346cad7da8797ac95170def47074a8c1d8c878878f23ea072f93bd2f159f98df29cb6b2e9f4a94f0b10e1d

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
1.7MB

MD5
042a92d1e5bfdf3224ce734ccb5ad474

SHA1
70ba22b4a4fd06690b4d766e1d94d0714a6582d5

SHA256
d1f97a154a4f355ae715be8fe3ef34a5ed1a286b9497ebcecdec741e12adc4e1

SHA512
fed3ca442bafd8fda5b4c9ba62f60cbfec7dada0bb346cad7da8797ac95170def47074a8c1d8c878878f23ea072f93bd2f159f98df29cb6b2e9f4a94f0b10e1d

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
1.7MB

MD5
0ceffb9780863d7a0618885351b72c2a

SHA1
fd5817d3941a7b93308b1e31d2201ea9d2ff1cf5

SHA256
0067807f992d608c7935a0bf51fc0e3aacee8a8288c0869773c26a639cd41314

SHA512
fcf6de3826f6b6558b9ab47429eb9428d4866feb0360ec76df2787a5e84eb13d6dd5d5e15916584f09baf84c2e5117ada52514bf764db5cd2341522f5b6985ee

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
1.7MB

MD5
0ceffb9780863d7a0618885351b72c2a

SHA1
fd5817d3941a7b93308b1e31d2201ea9d2ff1cf5

SHA256
0067807f992d608c7935a0bf51fc0e3aacee8a8288c0869773c26a639cd41314

SHA512
fcf6de3826f6b6558b9ab47429eb9428d4866feb0360ec76df2787a5e84eb13d6dd5d5e15916584f09baf84c2e5117ada52514bf764db5cd2341522f5b6985ee

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
1.7MB

MD5
ee7c8b1085bfa7f3bd88f21a56fa9263

SHA1
15a9bf6052b12c915753f585a29c470494e5e8a5

SHA256
0b069849f6b8f78fee934238a744417120b9f747127292af450962ccd1257ec9

SHA512
481029bbbadd7c5985539b95bff6df14c635fe49e1d2d17eff123e056f25833c53775509bd1150c2261ca6575259829e4747d4da604f42c5c4c35aa109e72c69

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
1.7MB

MD5
ee7c8b1085bfa7f3bd88f21a56fa9263

SHA1
15a9bf6052b12c915753f585a29c470494e5e8a5

SHA256
0b069849f6b8f78fee934238a744417120b9f747127292af450962ccd1257ec9

SHA512
481029bbbadd7c5985539b95bff6df14c635fe49e1d2d17eff123e056f25833c53775509bd1150c2261ca6575259829e4747d4da604f42c5c4c35aa109e72c69

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
1.7MB

MD5
ff9fc413eb38594366f88c9c6715ed10

SHA1
078db5a557e67eed64329777362ea348c8a5ec66

SHA256
5f7ad63daf55719e746e017fe8398c9c5a4a1cc106f910431baa079ec692dabb

SHA512
fe7c8ba00a75dcd565873b1aacf833a68a716b54d6a3acafe995bc8f6ee7fd86af687fcd3bc16ea42c41732f9a6e6cf17070b1bbb1bf896a0cca22ad2e63514b

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
1.7MB

MD5
ff9fc413eb38594366f88c9c6715ed10

SHA1
078db5a557e67eed64329777362ea348c8a5ec66

SHA256
5f7ad63daf55719e746e017fe8398c9c5a4a1cc106f910431baa079ec692dabb

SHA512
fe7c8ba00a75dcd565873b1aacf833a68a716b54d6a3acafe995bc8f6ee7fd86af687fcd3bc16ea42c41732f9a6e6cf17070b1bbb1bf896a0cca22ad2e63514b

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
1.7MB

MD5
377c7113f4694b9905b02be906f0a673

SHA1
571445172600d1387ca8cfe272ef593759579588

SHA256
767242d1a9a89e86718f615d9d6b438acf6e0810984e3d057532df17402f04f2

SHA512
cb772867b3b29806345c5c43dc57dfaa50cbfc7f493861e267565873726f2887edd4bfe786b075f9273911cdb8bc120bf973b63049c42862cf6b2a5ff8c0a68d

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
1.7MB

MD5
377c7113f4694b9905b02be906f0a673

SHA1
571445172600d1387ca8cfe272ef593759579588

SHA256
767242d1a9a89e86718f615d9d6b438acf6e0810984e3d057532df17402f04f2

SHA512
cb772867b3b29806345c5c43dc57dfaa50cbfc7f493861e267565873726f2887edd4bfe786b075f9273911cdb8bc120bf973b63049c42862cf6b2a5ff8c0a68d

Download Submit
memory/456-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads