d2daeddd10caa25db1369e5e54aef3cf5ff4930c2d3a0349cc45234e7e3a926f

Analysis

max time kernel
17s
max time network
24s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cb40d6edb16f79c183515590342e5e90.exe
Size

89KB
MD5

cb40d6edb16f79c183515590342e5e90
SHA1

6d11e8fa4b5ed35ae8c505913b799450420bdd37
SHA256

d2daeddd10caa25db1369e5e54aef3cf5ff4930c2d3a0349cc45234e7e3a926f
SHA512

55f2b2f42f3ed74e25435128d744066c2a51698a0e33eb1614b178fc524796f0ff15518066ff76d5f91c7f4a54821d10006cf321d2ffb2e6309177b95443ca11
SSDEEP

1536:ovITSXaUFgbWL8i7tOySxjPdhNSDODd22kHCoPH4RQJR+KRFR3RzR1URJrCiuiN7:xTSqE8h7lPdhNSDu2YogeJjb5ZXUf2ib

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.cb40d6edb16f79c183515590342e5e90.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiikpnmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.cb40d6edb16f79c183515590342e5e90.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfgklkoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledepn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ledepn32.exe

Executes dropped EXE 8 IoCs

pid	Process
1344	Kiikpnmj.exe
4248	Ledepn32.exe
1512	Legben32.exe
2744	Lhgkgijg.exe
2272	Mcoljagj.exe
2356	Mqhfoebo.exe
3124	Nfgklkoc.exe
1448	Nqoloc32.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lhgkgijg.exe	Legben32.exe
File opened for modification	C:\Windows\SysWOW64\Mcoljagj.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Ohfkgknc.dll	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Legben32.exe	Ledepn32.exe
File opened for modification	C:\Windows\SysWOW64\Legben32.exe	Ledepn32.exe
File created	C:\Windows\SysWOW64\Egopbhnc.dll	Ledepn32.exe
File created	C:\Windows\SysWOW64\Mcoljagj.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Akmcfjdp.dll	Nfgklkoc.exe
File opened for modification	C:\Windows\SysWOW64\Nbebbk32.exe	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Kiikpnmj.exe	NEAS.cb40d6edb16f79c183515590342e5e90.exe
File created	C:\Windows\SysWOW64\Lhgkgijg.exe	Legben32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgklkoc.exe	Mqhfoebo.exe
File created	C:\Windows\SysWOW64\Nbebbk32.exe	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Ledepn32.exe	Kiikpnmj.exe
File opened for modification	C:\Windows\SysWOW64\Mqhfoebo.exe	Mcoljagj.exe
File opened for modification	C:\Windows\SysWOW64\Nqoloc32.exe	Nfgklkoc.exe
File opened for modification	C:\Windows\SysWOW64\Kiikpnmj.exe	NEAS.cb40d6edb16f79c183515590342e5e90.exe
File created	C:\Windows\SysWOW64\Mmdaih32.dll	NEAS.cb40d6edb16f79c183515590342e5e90.exe
File created	C:\Windows\SysWOW64\Nfgklkoc.exe	Mqhfoebo.exe
File created	C:\Windows\SysWOW64\Lfqedp32.dll	Kiikpnmj.exe
File created	C:\Windows\SysWOW64\Nmdkcj32.dll	Legben32.exe
File created	C:\Windows\SysWOW64\Mqhfoebo.exe	Mcoljagj.exe
File created	C:\Windows\SysWOW64\Mgccelpk.dll	Mcoljagj.exe
File created	C:\Windows\SysWOW64\Ecfjqmbc.dll	Mqhfoebo.exe
File created	C:\Windows\SysWOW64\Aadafn32.dll	Nqoloc32.exe
File opened for modification	C:\Windows\SysWOW64\Ledepn32.exe	Kiikpnmj.exe
File created	C:\Windows\SysWOW64\Nqoloc32.exe	Nfgklkoc.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdaih32.dll"	NEAS.cb40d6edb16f79c183515590342e5e90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll"	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmcfjdp.dll"	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfkgknc.dll"	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.cb40d6edb16f79c183515590342e5e90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.cb40d6edb16f79c183515590342e5e90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqedp32.dll"	Kiikpnmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ledepn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfjqmbc.dll"	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqoloc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.cb40d6edb16f79c183515590342e5e90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgccelpk.dll"	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdkcj32.dll"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadafn32.dll"	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.cb40d6edb16f79c183515590342e5e90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Legben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.cb40d6edb16f79c183515590342e5e90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kiikpnmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhgkgijg.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1344	1508	NEAS.cb40d6edb16f79c183515590342e5e90.exe	83
PID 1508 wrote to memory of 1344	1508	NEAS.cb40d6edb16f79c183515590342e5e90.exe	83
PID 1508 wrote to memory of 1344	1508	NEAS.cb40d6edb16f79c183515590342e5e90.exe	83
PID 1344 wrote to memory of 4248	1344	Kiikpnmj.exe	84
PID 1344 wrote to memory of 4248	1344	Kiikpnmj.exe	84
PID 1344 wrote to memory of 4248	1344	Kiikpnmj.exe	84
PID 4248 wrote to memory of 1512	4248	Ledepn32.exe	85
PID 4248 wrote to memory of 1512	4248	Ledepn32.exe	85
PID 4248 wrote to memory of 1512	4248	Ledepn32.exe	85
PID 1512 wrote to memory of 2744	1512	Legben32.exe	86
PID 1512 wrote to memory of 2744	1512	Legben32.exe	86
PID 1512 wrote to memory of 2744	1512	Legben32.exe	86
PID 2744 wrote to memory of 2272	2744	Lhgkgijg.exe	87
PID 2744 wrote to memory of 2272	2744	Lhgkgijg.exe	87
PID 2744 wrote to memory of 2272	2744	Lhgkgijg.exe	87
PID 2272 wrote to memory of 2356	2272	Mcoljagj.exe	88
PID 2272 wrote to memory of 2356	2272	Mcoljagj.exe	88
PID 2272 wrote to memory of 2356	2272	Mcoljagj.exe	88
PID 2356 wrote to memory of 3124	2356	Mqhfoebo.exe	89
PID 2356 wrote to memory of 3124	2356	Mqhfoebo.exe	89
PID 2356 wrote to memory of 3124	2356	Mqhfoebo.exe	89
PID 3124 wrote to memory of 1448	3124	Nfgklkoc.exe	90
PID 3124 wrote to memory of 1448	3124	Nfgklkoc.exe	90
PID 3124 wrote to memory of 1448	3124	Nfgklkoc.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.cb40d6edb16f79c183515590342e5e90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cb40d6edb16f79c183515590342e5e90.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\Kiikpnmj.exe
  C:\Windows\system32\Kiikpnmj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\Ledepn32.exe
    C:\Windows\system32\Ledepn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\SysWOW64\Legben32.exe
      C:\Windows\system32\Legben32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kiikpnmj.exe

Filesize
89KB

MD5
08512fb2da6e42cc62b09c81e43bbf7a

SHA1
37e3bd7d1b4a57f594ec35f4b247da1e3eac5b21

SHA256
2755e6860e59dcd69c2170459b12f8417ccfa23cd5d27061c59c352189b9fedd

SHA512
60f3314d1a8d49d9e4323ac24f6c47a4f1043a2294e44103aa9a36f0b3995084efde201364910961d9856bdcce08bfef95ad8517bceaabdaba87d79801ef87df

Download Submit
C:\Windows\SysWOW64\Kiikpnmj.exe

Filesize
89KB

MD5
08512fb2da6e42cc62b09c81e43bbf7a

SHA1
37e3bd7d1b4a57f594ec35f4b247da1e3eac5b21

SHA256
2755e6860e59dcd69c2170459b12f8417ccfa23cd5d27061c59c352189b9fedd

SHA512
60f3314d1a8d49d9e4323ac24f6c47a4f1043a2294e44103aa9a36f0b3995084efde201364910961d9856bdcce08bfef95ad8517bceaabdaba87d79801ef87df

Download Submit
C:\Windows\SysWOW64\Ledepn32.exe

Filesize
89KB

MD5
fbf575cc63ce96871a3d51a2408d57d3

SHA1
68229c49e7ba3facfea2749c60cff880115999e2

SHA256
1aa87eb8a42bb169c3bca09eb4468685917ca7e09980bf145f8fca77b7746193

SHA512
f429b75ef548041362b9e51ffa124c8a469951636a5d15ab908a66f92b88ac1c8609bc9015c00167f6de79e42bfa28482395b49d34f680ea5dae6bcadffb679c

Download Submit
C:\Windows\SysWOW64\Ledepn32.exe

Filesize
89KB

MD5
fbf575cc63ce96871a3d51a2408d57d3

SHA1
68229c49e7ba3facfea2749c60cff880115999e2

SHA256
1aa87eb8a42bb169c3bca09eb4468685917ca7e09980bf145f8fca77b7746193

SHA512
f429b75ef548041362b9e51ffa124c8a469951636a5d15ab908a66f92b88ac1c8609bc9015c00167f6de79e42bfa28482395b49d34f680ea5dae6bcadffb679c

Download Submit
C:\Windows\SysWOW64\Legben32.exe

Filesize
89KB

MD5
16f618eac28e7e8bc7a70d104869290a

SHA1
56de07736f226c49c43fa9379c78a7b9a7f18e7b

SHA256
a82253cc51e8916aa1fdb30add726f59aa58293cb71aec2e707e59cb27eda4d1

SHA512
37ac459b0c59679c08d34811c1b1fa375de25a8d612f535d73fbfd8287316cd5d732828591dc921fadb4059b33ac3504b0d7e661fdb2042de71f3ad810475a11

Download Submit
C:\Windows\SysWOW64\Legben32.exe

Filesize
89KB

MD5
16f618eac28e7e8bc7a70d104869290a

SHA1
56de07736f226c49c43fa9379c78a7b9a7f18e7b

SHA256
a82253cc51e8916aa1fdb30add726f59aa58293cb71aec2e707e59cb27eda4d1

SHA512
37ac459b0c59679c08d34811c1b1fa375de25a8d612f535d73fbfd8287316cd5d732828591dc921fadb4059b33ac3504b0d7e661fdb2042de71f3ad810475a11

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
89KB

MD5
7afbf81a18b37d944d9a8841db8ff511

SHA1
b167dd2c12d6175fa30a7ad1fb014f37d53d92bc

SHA256
ad6f8004e2e1c6ebfd57081e6d7d4e959bcbb8feeb2fcc87610593f02d3491ed

SHA512
3ae6615ea6a2f39f685adfd794ffa1aba2a6d07ac4ba118ec07d7c3c0c1962d7d16a3a35376f486cba19193c5570775a267e1997bf0a57aa9a90659e93f1cc13

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
89KB

MD5
7afbf81a18b37d944d9a8841db8ff511

SHA1
b167dd2c12d6175fa30a7ad1fb014f37d53d92bc

SHA256
ad6f8004e2e1c6ebfd57081e6d7d4e959bcbb8feeb2fcc87610593f02d3491ed

SHA512
3ae6615ea6a2f39f685adfd794ffa1aba2a6d07ac4ba118ec07d7c3c0c1962d7d16a3a35376f486cba19193c5570775a267e1997bf0a57aa9a90659e93f1cc13

Download Submit
C:\Windows\SysWOW64\Mcoljagj.exe

Filesize
89KB

MD5
9a9472d5ea41126203ed98b9133c3258

SHA1
a3b93c1ebc0446fdd658df079737b4e138d0c7d5

SHA256
f8d866a97f0198290274056897bc51c172610085f8d9be895694adbf8a4582eb

SHA512
b43ea732a4e748839883e1da755a6a1e678c4507d0b81940913dfc6e7b7312b6c540bdf744e263346b9229a5eb934584fa424506cb81bf81ed97d4594a786f42

Download Submit
C:\Windows\SysWOW64\Mcoljagj.exe

Filesize
89KB

MD5
9a9472d5ea41126203ed98b9133c3258

SHA1
a3b93c1ebc0446fdd658df079737b4e138d0c7d5

SHA256
f8d866a97f0198290274056897bc51c172610085f8d9be895694adbf8a4582eb

SHA512
b43ea732a4e748839883e1da755a6a1e678c4507d0b81940913dfc6e7b7312b6c540bdf744e263346b9229a5eb934584fa424506cb81bf81ed97d4594a786f42

Download Submit
C:\Windows\SysWOW64\Mqhfoebo.exe

Filesize
89KB

MD5
a80544be5886ae9f8bcddab5a8cf4ade

SHA1
26c10b11b809a832cb8d44e40763800bdac99fec

SHA256
f3afb4e3b7f987a26a1f0f6a6d1a34f4bb0f4968b523b3aa8627029fb4921e8d

SHA512
557df40b7cc23a971035f3f646d24365f34190c86bc2595d38cd8b2a587b00c7a5e2b9fdbc18d60b3b4962b074ba44f6a5d2bbc3c1ee370e0008062888ac0c24

Download Submit
C:\Windows\SysWOW64\Mqhfoebo.exe

Filesize
89KB

MD5
a80544be5886ae9f8bcddab5a8cf4ade

SHA1
26c10b11b809a832cb8d44e40763800bdac99fec

SHA256
f3afb4e3b7f987a26a1f0f6a6d1a34f4bb0f4968b523b3aa8627029fb4921e8d

SHA512
557df40b7cc23a971035f3f646d24365f34190c86bc2595d38cd8b2a587b00c7a5e2b9fdbc18d60b3b4962b074ba44f6a5d2bbc3c1ee370e0008062888ac0c24

Download Submit
C:\Windows\SysWOW64\Nfgklkoc.exe

Filesize
89KB

MD5
ff1627b8c4bf837665872d6628509088

SHA1
5d19c1ce097677065b39f65849196679bd38ad3e

SHA256
7215af05343df5be68c03b5811b3499d31501ec696a0ced9b3bbe656c31c9a4d

SHA512
5a7b511f200b7f08a54439c4ace129bb5a24701e8e6391ddf056efab7766e2871d5189120fd06c7fd10049394a33aa308b594f581e83e2f63743a965c055c91e

Download Submit
C:\Windows\SysWOW64\Nfgklkoc.exe

Filesize
89KB

MD5
ff1627b8c4bf837665872d6628509088

SHA1
5d19c1ce097677065b39f65849196679bd38ad3e

SHA256
7215af05343df5be68c03b5811b3499d31501ec696a0ced9b3bbe656c31c9a4d

SHA512
5a7b511f200b7f08a54439c4ace129bb5a24701e8e6391ddf056efab7766e2871d5189120fd06c7fd10049394a33aa308b594f581e83e2f63743a965c055c91e

Download Submit
C:\Windows\SysWOW64\Nqoloc32.exe

Filesize
89KB

MD5
ff1627b8c4bf837665872d6628509088

SHA1
5d19c1ce097677065b39f65849196679bd38ad3e

SHA256
7215af05343df5be68c03b5811b3499d31501ec696a0ced9b3bbe656c31c9a4d

SHA512
5a7b511f200b7f08a54439c4ace129bb5a24701e8e6391ddf056efab7766e2871d5189120fd06c7fd10049394a33aa308b594f581e83e2f63743a965c055c91e

Download Submit
C:\Windows\SysWOW64\Nqoloc32.exe

Filesize
89KB

MD5
c4130624f2912f5e3cb755d84fb74a51

SHA1
4742b8600783c13e83e04c4a80f5f00ee58e705c

SHA256
4533689c7386424f2985152c90decbf61303df6148d90af865d5c9a38dbb734e

SHA512
d1952792934a4b7feda75c8425f9055439e9b492bb11275f17fdf16098b3d861540b3bbf380a8a3a3f7d096ecd82f51e26928252b5ee47c8819d9d18ccb31dfb

Download Submit
C:\Windows\SysWOW64\Nqoloc32.exe

Filesize
89KB

MD5
c4130624f2912f5e3cb755d84fb74a51

SHA1
4742b8600783c13e83e04c4a80f5f00ee58e705c

SHA256
4533689c7386424f2985152c90decbf61303df6148d90af865d5c9a38dbb734e

SHA512
d1952792934a4b7feda75c8425f9055439e9b492bb11275f17fdf16098b3d861540b3bbf380a8a3a3f7d096ecd82f51e26928252b5ee47c8819d9d18ccb31dfb

Download Submit
C:\Windows\SysWOW64\Ohfkgknc.dll

Filesize
7KB

MD5
7a40102b6affc2b081fad50689656665

SHA1
ea429eb6fe0057034d27523e051830d74a623020

SHA256
eb1ab421db53f2572589f47760d04bf84a78722e7b257a1472a1c30922b90522

SHA512
db42a6ae87e464a0c772b1d981b03ae1fc0f21b5a9875b963e5f6dcd0fd6bc29d040da24abc6d83cf89db3a63d2d5f93dd9bbf31bcbd615a1cb999a9e3c099b1

Download Submit
memory/1344-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1508-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1508-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1512-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2272-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2356-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3124-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4248-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads