f502e8eff2a1612d0aff89220210e14036b5190f1f910fabbdcd49ad07b6477e

Analysis

max time kernel
176s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bbd716794006a0725fa7887ebb0272c0.exe
Size

470KB
MD5

bbd716794006a0725fa7887ebb0272c0
SHA1

58d87de13ea1ebdc702749db0ba7f6ace7908e25
SHA256

f502e8eff2a1612d0aff89220210e14036b5190f1f910fabbdcd49ad07b6477e
SHA512

10f41717e836aa37aca3a7748b6b5f006342513d41bb8f7a17ba75afa12b8078fd5e147ce28ea1a17538fde1c3bf06dce6d7b6e28750ba54bd11813e258f34e1
SSDEEP

12288:93e7/Qc8QVj94nLiFzN3b7CUq1u2ztB1XQKTQInqyS6Rm6TIJ3l7DurTG9c8QVj7:xk4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpemkcck.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clpgkcdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cleqfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apkjddke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cleqfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecialmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aecialmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clbdpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bboplo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clbdpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgjkpll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amoknh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfoclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbfoclai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.bbd716794006a0725fa7887ebb0272c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apkjddke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecpknke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amoknh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlqpaafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.bbd716794006a0725fa7887ebb0272c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpemkcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dlqpaafg.exe

Executes dropped EXE 27 IoCs

pid	Process
1204	Ofgmib32.exe
1700	Obnnnc32.exe
3764	Omcbkl32.exe
1684	Podkmgop.exe
3844	Pecpknke.exe
536	Pkabbgol.exe
3044	Qifbll32.exe
2108	Qelcamcj.exe
632	Qcncodki.exe
2256	Akihcfid.exe
3100	Aecialmb.exe
4116	Abgjkpll.exe
3604	Apkjddke.exe
3848	Amoknh32.exe
3068	Bboplo32.exe
1016	Bpemkcck.exe
2488	Cdebfago.exe
4808	Clpgkcdj.exe
2856	Clbdpc32.exe
3160	Cleqfb32.exe
1944	Cbaehl32.exe
3032	Cmgjee32.exe
1112	Ddqbbo32.exe
2140	Dbfoclai.exe
3500	Dbhlikpf.exe
1860	Dlqpaafg.exe
4968	Dbkhnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dbfoclai.exe	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dlqpaafg.exe
File opened for modification	C:\Windows\SysWOW64\Pecpknke.exe	Podkmgop.exe
File created	C:\Windows\SysWOW64\Ifgeebem.dll	Aecialmb.exe
File created	C:\Windows\SysWOW64\Plmiie32.dll	Abgjkpll.exe
File opened for modification	C:\Windows\SysWOW64\Bboplo32.exe	Amoknh32.exe
File created	C:\Windows\SysWOW64\Pbgnqacq.dll	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Fjgnln32.dll	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Akihcfid.exe	Qcncodki.exe
File created	C:\Windows\SysWOW64\Cdebfago.exe	Bpemkcck.exe
File opened for modification	C:\Windows\SysWOW64\Clbdpc32.exe	Clpgkcdj.exe
File created	C:\Windows\SysWOW64\Cbaehl32.exe	Cleqfb32.exe
File created	C:\Windows\SysWOW64\Ofgmib32.exe	NEAS.bbd716794006a0725fa7887ebb0272c0.exe
File created	C:\Windows\SysWOW64\Pgoikbje.dll	NEAS.bbd716794006a0725fa7887ebb0272c0.exe
File opened for modification	C:\Windows\SysWOW64\Pkabbgol.exe	Pecpknke.exe
File created	C:\Windows\SysWOW64\Qcncodki.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Cdkdne32.dll	Qifbll32.exe
File created	C:\Windows\SysWOW64\Eldafjjc.dll	Cdebfago.exe
File created	C:\Windows\SysWOW64\Dbfoclai.exe	Ddqbbo32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Pecpknke.exe	Podkmgop.exe
File created	C:\Windows\SysWOW64\Bboplo32.exe	Amoknh32.exe
File created	C:\Windows\SysWOW64\Bpemkcck.exe	Bboplo32.exe
File created	C:\Windows\SysWOW64\Qhfaig32.dll	Bboplo32.exe
File opened for modification	C:\Windows\SysWOW64\Dbhlikpf.exe	Dbfoclai.exe
File created	C:\Windows\SysWOW64\Ioeiam32.dll	Dbfoclai.exe
File created	C:\Windows\SysWOW64\Omcbkl32.exe	Obnnnc32.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Qcncodki.exe
File created	C:\Windows\SysWOW64\Abgjkpll.exe	Aecialmb.exe
File opened for modification	C:\Windows\SysWOW64\Amoknh32.exe	Apkjddke.exe
File opened for modification	C:\Windows\SysWOW64\Omcbkl32.exe	Obnnnc32.exe
File created	C:\Windows\SysWOW64\Miiepfpf.dll	Obnnnc32.exe
File opened for modification	C:\Windows\SysWOW64\Clpgkcdj.exe	Cdebfago.exe
File created	C:\Windows\SysWOW64\Clbdpc32.exe	Clpgkcdj.exe
File created	C:\Windows\SysWOW64\Lcoeiajc.dll	Podkmgop.exe
File created	C:\Windows\SysWOW64\Nonhbi32.dll	Pecpknke.exe
File opened for modification	C:\Windows\SysWOW64\Qelcamcj.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Hoclajjj.dll	Apkjddke.exe
File opened for modification	C:\Windows\SysWOW64\Qcncodki.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Fldqdebb.dll	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Cfmidc32.dll	Bpemkcck.exe
File opened for modification	C:\Windows\SysWOW64\Dlqpaafg.exe	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Ngllodpm.dll	Clpgkcdj.exe
File opened for modification	C:\Windows\SysWOW64\Cbaehl32.exe	Cleqfb32.exe
File created	C:\Windows\SysWOW64\Qifbll32.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Qifbll32.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Mqkbjk32.dll	Qcncodki.exe
File opened for modification	C:\Windows\SysWOW64\Abgjkpll.exe	Aecialmb.exe
File created	C:\Windows\SysWOW64\Hlhkja32.dll	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Dlqpaafg.exe	Dbhlikpf.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Ofgmib32.exe
File opened for modification	C:\Windows\SysWOW64\Podkmgop.exe	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Jaepkejo.dll	Cleqfb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjee32.exe	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Mmhpkebp.dll	Amoknh32.exe
File created	C:\Windows\SysWOW64\Cmgjee32.exe	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Ddqbbo32.exe	Cmgjee32.exe
File opened for modification	C:\Windows\SysWOW64\Ofgmib32.exe	NEAS.bbd716794006a0725fa7887ebb0272c0.exe
File created	C:\Windows\SysWOW64\Bqpqlhmf.dll	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Qelcamcj.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Aecialmb.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Podkmgop.exe	Omcbkl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4796	4968	WerFault.exe	115

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.bbd716794006a0725fa7887ebb0272c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmiie32.dll"	Abgjkpll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dlqpaafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.bbd716794006a0725fa7887ebb0272c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Podkmgop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpemkcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apkjddke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apkjddke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhkja32.dll"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.bbd716794006a0725fa7887ebb0272c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adljdi32.dll"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aecialmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiiibnn.dll"	Clbdpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaohckm.dll"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.bbd716794006a0725fa7887ebb0272c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amoknh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgoikbje.dll"	NEAS.bbd716794006a0725fa7887ebb0272c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbdmc32.dll"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgeebem.dll"	Aecialmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoclajjj.dll"	Apkjddke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amoknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfeckiie.dll"	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miiepfpf.dll"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Podkmgop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaepkejo.dll"	Cleqfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpemkcck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgnqacq.dll"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkdne32.dll"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aecialmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clbdpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhpkebp.dll"	Amoknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdebfago.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoeiajc.dll"	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmidc32.dll"	Bpemkcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjgnln32.dll"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldqdebb.dll"	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdebfago.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Omcbkl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 1204	4724	NEAS.bbd716794006a0725fa7887ebb0272c0.exe	87
PID 4724 wrote to memory of 1204	4724	NEAS.bbd716794006a0725fa7887ebb0272c0.exe	87
PID 4724 wrote to memory of 1204	4724	NEAS.bbd716794006a0725fa7887ebb0272c0.exe	87
PID 1204 wrote to memory of 1700	1204	Ofgmib32.exe	88
PID 1204 wrote to memory of 1700	1204	Ofgmib32.exe	88
PID 1204 wrote to memory of 1700	1204	Ofgmib32.exe	88
PID 1700 wrote to memory of 3764	1700	Obnnnc32.exe	89
PID 1700 wrote to memory of 3764	1700	Obnnnc32.exe	89
PID 1700 wrote to memory of 3764	1700	Obnnnc32.exe	89
PID 3764 wrote to memory of 1684	3764	Omcbkl32.exe	90
PID 3764 wrote to memory of 1684	3764	Omcbkl32.exe	90
PID 3764 wrote to memory of 1684	3764	Omcbkl32.exe	90
PID 1684 wrote to memory of 3844	1684	Podkmgop.exe	92
PID 1684 wrote to memory of 3844	1684	Podkmgop.exe	92
PID 1684 wrote to memory of 3844	1684	Podkmgop.exe	92
PID 3844 wrote to memory of 536	3844	Pecpknke.exe	93
PID 3844 wrote to memory of 536	3844	Pecpknke.exe	93
PID 3844 wrote to memory of 536	3844	Pecpknke.exe	93
PID 536 wrote to memory of 3044	536	Pkabbgol.exe	94
PID 536 wrote to memory of 3044	536	Pkabbgol.exe	94
PID 536 wrote to memory of 3044	536	Pkabbgol.exe	94
PID 3044 wrote to memory of 2108	3044	Qifbll32.exe	96
PID 3044 wrote to memory of 2108	3044	Qifbll32.exe	96
PID 3044 wrote to memory of 2108	3044	Qifbll32.exe	96
PID 2108 wrote to memory of 632	2108	Qelcamcj.exe	97
PID 2108 wrote to memory of 632	2108	Qelcamcj.exe	97
PID 2108 wrote to memory of 632	2108	Qelcamcj.exe	97
PID 632 wrote to memory of 2256	632	Qcncodki.exe	98
PID 632 wrote to memory of 2256	632	Qcncodki.exe	98
PID 632 wrote to memory of 2256	632	Qcncodki.exe	98
PID 2256 wrote to memory of 3100	2256	Akihcfid.exe	99
PID 2256 wrote to memory of 3100	2256	Akihcfid.exe	99
PID 2256 wrote to memory of 3100	2256	Akihcfid.exe	99
PID 3100 wrote to memory of 4116	3100	Aecialmb.exe	100
PID 3100 wrote to memory of 4116	3100	Aecialmb.exe	100
PID 3100 wrote to memory of 4116	3100	Aecialmb.exe	100
PID 4116 wrote to memory of 3604	4116	Abgjkpll.exe	101
PID 4116 wrote to memory of 3604	4116	Abgjkpll.exe	101
PID 4116 wrote to memory of 3604	4116	Abgjkpll.exe	101
PID 3604 wrote to memory of 3848	3604	Apkjddke.exe	102
PID 3604 wrote to memory of 3848	3604	Apkjddke.exe	102
PID 3604 wrote to memory of 3848	3604	Apkjddke.exe	102
PID 3848 wrote to memory of 3068	3848	Amoknh32.exe	103
PID 3848 wrote to memory of 3068	3848	Amoknh32.exe	103
PID 3848 wrote to memory of 3068	3848	Amoknh32.exe	103
PID 3068 wrote to memory of 1016	3068	Bboplo32.exe	104
PID 3068 wrote to memory of 1016	3068	Bboplo32.exe	104
PID 3068 wrote to memory of 1016	3068	Bboplo32.exe	104
PID 1016 wrote to memory of 2488	1016	Bpemkcck.exe	105
PID 1016 wrote to memory of 2488	1016	Bpemkcck.exe	105
PID 1016 wrote to memory of 2488	1016	Bpemkcck.exe	105
PID 2488 wrote to memory of 4808	2488	Cdebfago.exe	107
PID 2488 wrote to memory of 4808	2488	Cdebfago.exe	107
PID 2488 wrote to memory of 4808	2488	Cdebfago.exe	107
PID 4808 wrote to memory of 2856	4808	Clpgkcdj.exe	108
PID 4808 wrote to memory of 2856	4808	Clpgkcdj.exe	108
PID 4808 wrote to memory of 2856	4808	Clpgkcdj.exe	108
PID 2856 wrote to memory of 3160	2856	Clbdpc32.exe	109
PID 2856 wrote to memory of 3160	2856	Clbdpc32.exe	109
PID 2856 wrote to memory of 3160	2856	Clbdpc32.exe	109
PID 3160 wrote to memory of 1944	3160	Cleqfb32.exe	110
PID 3160 wrote to memory of 1944	3160	Cleqfb32.exe	110
PID 3160 wrote to memory of 1944	3160	Cleqfb32.exe	110
PID 1944 wrote to memory of 3032	1944	Cbaehl32.exe	111

C:\Users\Admin\AppData\Local\Temp\NEAS.bbd716794006a0725fa7887ebb0272c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bbd716794006a0725fa7887ebb0272c0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\SysWOW64\Ofgmib32.exe
  C:\Windows\system32\Ofgmib32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\Obnnnc32.exe
    C:\Windows\system32\Obnnnc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\Omcbkl32.exe
      C:\Windows\system32\Omcbkl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Aecialmb.exe
        
        C:\Windows\system32\Aecialmb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Amoknh32.exe
        
        C:\Windows\system32\Amoknh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Bpemkcck.exe
        
        C:\Windows\system32\Bpemkcck.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860

C:\Windows\SysWOW64\Dbkhnk32.exe
C:\Windows\system32\Dbkhnk32.exe
1⤵
- Executes dropped EXE
PID:4968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 420
  2⤵
  - Program crash
  PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4968 -ip 4968
1⤵
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abgjkpll.exe

Filesize
470KB

MD5
b3349d281de150a20982f8ad80e0e1e5

SHA1
99593b3f5b52cb85522aa17ddaa994a9ab6d332d

SHA256
e42a00ba8fa46be5662e5829aa06e0ae812c217b60199cb6ea5dec4f407422dd

SHA512
bfb3f42e2cbc5e17d497d2eda76e6b86f4f070877715ef2c6def0b53369c1c36cae8db38d1dd72b81fff9ab1ae9444d16172c46e7b91574c64f889457e22b4a9

Download Submit
C:\Windows\SysWOW64\Abgjkpll.exe

Filesize
470KB

MD5
b3349d281de150a20982f8ad80e0e1e5

SHA1
99593b3f5b52cb85522aa17ddaa994a9ab6d332d

SHA256
e42a00ba8fa46be5662e5829aa06e0ae812c217b60199cb6ea5dec4f407422dd

SHA512
bfb3f42e2cbc5e17d497d2eda76e6b86f4f070877715ef2c6def0b53369c1c36cae8db38d1dd72b81fff9ab1ae9444d16172c46e7b91574c64f889457e22b4a9

Download Submit
C:\Windows\SysWOW64\Aecialmb.exe

Filesize
470KB

MD5
ac6dec6770e926a9c69da1e0b02ca8d1

SHA1
1e5e0ac8c739edb3ab1f32be2b0e54958da894a0

SHA256
ba100a9cb4288e1d5aaa08631282e87ab1be0bb5bc7d1cb16d58dec7d484b154

SHA512
a49dd8b9eaf73d70c5f4c4fe7f2b0fb2d0d879b7c243a54fd4c550fd2c95da988afdb74adb0268e44e39c4735b0946b54ce402811551887f9bdf7fca2204d2af

Download Submit
C:\Windows\SysWOW64\Aecialmb.exe

Filesize
470KB

MD5
ac6dec6770e926a9c69da1e0b02ca8d1

SHA1
1e5e0ac8c739edb3ab1f32be2b0e54958da894a0

SHA256
ba100a9cb4288e1d5aaa08631282e87ab1be0bb5bc7d1cb16d58dec7d484b154

SHA512
a49dd8b9eaf73d70c5f4c4fe7f2b0fb2d0d879b7c243a54fd4c550fd2c95da988afdb74adb0268e44e39c4735b0946b54ce402811551887f9bdf7fca2204d2af

Download Submit
C:\Windows\SysWOW64\Akihcfid.exe

Filesize
470KB

MD5
fdedc7ad60d423845cdb20d07b01a9b1

SHA1
d12ba95dcb5dd22fe915fe3c7f515455ffe27cb7

SHA256
3a470269d9c19cdf1d7ba735060b144e96186a863fd819b4d0f1fcae9b087b25

SHA512
0ca3dcb5e86f4c3a842ab0fd9c022db6ac3e362eea9f186ea43d3a40ca3ee862a0293eeafeab0b1e31375da3f6ea44e169e42e24277501f9b8faf1b97268b767

Download Submit
C:\Windows\SysWOW64\Akihcfid.exe

Filesize
470KB

MD5
fdedc7ad60d423845cdb20d07b01a9b1

SHA1
d12ba95dcb5dd22fe915fe3c7f515455ffe27cb7

SHA256
3a470269d9c19cdf1d7ba735060b144e96186a863fd819b4d0f1fcae9b087b25

SHA512
0ca3dcb5e86f4c3a842ab0fd9c022db6ac3e362eea9f186ea43d3a40ca3ee862a0293eeafeab0b1e31375da3f6ea44e169e42e24277501f9b8faf1b97268b767

Download Submit
C:\Windows\SysWOW64\Amoknh32.exe

Filesize
470KB

MD5
cb0647e29ce5e35c97d28e278958b95f

SHA1
d9cd5d10d385003ab1b8142a89655c0dd5feacde

SHA256
c0df0eb6c3f298f4b0e0102ac0274d07af0867a6745dfcdce6877f015c93c742

SHA512
d7d34b067e161cbe62a8d96283814c06984bf3bec8b487cecd1ab2ee8a410407327bd3b883d475475152883ca5e55b9288c65a47be0be7860c7bee612745c1f5

Download Submit
C:\Windows\SysWOW64\Amoknh32.exe

Filesize
470KB

MD5
cb0647e29ce5e35c97d28e278958b95f

SHA1
d9cd5d10d385003ab1b8142a89655c0dd5feacde

SHA256
c0df0eb6c3f298f4b0e0102ac0274d07af0867a6745dfcdce6877f015c93c742

SHA512
d7d34b067e161cbe62a8d96283814c06984bf3bec8b487cecd1ab2ee8a410407327bd3b883d475475152883ca5e55b9288c65a47be0be7860c7bee612745c1f5

Download Submit
C:\Windows\SysWOW64\Apkjddke.exe

Filesize
470KB

MD5
486ffbcf94c3c3ea696939f129c9c862

SHA1
4b528952d042fd755388f7cb40d4426e35ee3638

SHA256
36ee0bdda4c592c5fe1017bf5ced16a88aa3df90d074633e911fa2182034e3da

SHA512
36891cef03cd2150b41c0d3cf101bc7b63b399e3471eab9f66cde9988b019e55a1b31ed68de7c80b45adee65ba413feda147071e3d037da8e5ac66c0bdcfc686

Download Submit
C:\Windows\SysWOW64\Apkjddke.exe

Filesize
470KB

MD5
486ffbcf94c3c3ea696939f129c9c862

SHA1
4b528952d042fd755388f7cb40d4426e35ee3638

SHA256
36ee0bdda4c592c5fe1017bf5ced16a88aa3df90d074633e911fa2182034e3da

SHA512
36891cef03cd2150b41c0d3cf101bc7b63b399e3471eab9f66cde9988b019e55a1b31ed68de7c80b45adee65ba413feda147071e3d037da8e5ac66c0bdcfc686

Download Submit
C:\Windows\SysWOW64\Bboplo32.exe

Filesize
470KB

MD5
6821f51a93ffa9a6f2d41d1d362c1709

SHA1
4198b2a7ccf8e019a02b22f474069c89f79b3769

SHA256
7f4923237c8ca4c7719a1d5bd47bde83cbb93b821fc4ea4395e58d4db9836db0

SHA512
dfcdbcd274043d5e1e724b45ccda97256640f3e757760527416d243a1c47a2bd174145f0a337e3be9fc3f8c52fea5be1caa5a1a3861ef6c00bbcd71a4676a206

Download Submit
C:\Windows\SysWOW64\Bboplo32.exe

Filesize
470KB

MD5
6821f51a93ffa9a6f2d41d1d362c1709

SHA1
4198b2a7ccf8e019a02b22f474069c89f79b3769

SHA256
7f4923237c8ca4c7719a1d5bd47bde83cbb93b821fc4ea4395e58d4db9836db0

SHA512
dfcdbcd274043d5e1e724b45ccda97256640f3e757760527416d243a1c47a2bd174145f0a337e3be9fc3f8c52fea5be1caa5a1a3861ef6c00bbcd71a4676a206

Download Submit
C:\Windows\SysWOW64\Bpemkcck.exe

Filesize
470KB

MD5
f3f0e584b464ecc5ff38204117d5a9b1

SHA1
9234187e6733a9d04bcea902d9bbcce474ccacbf

SHA256
002b661d45bd2eab06b4cf4e81d56f0743c04b671cb98ed0c708b5fbcd83c3bd

SHA512
cdccc14cd8d7469adc8ae8366db9e7191ad58f1ee6b3a954d0e12ab17a43efd22f0abcaaf1c58db3150274b9ea7a6b81f887f15098684218bfb0b9b79aeaab7c

Download Submit
C:\Windows\SysWOW64\Bpemkcck.exe

Filesize
470KB

MD5
f3f0e584b464ecc5ff38204117d5a9b1

SHA1
9234187e6733a9d04bcea902d9bbcce474ccacbf

SHA256
002b661d45bd2eab06b4cf4e81d56f0743c04b671cb98ed0c708b5fbcd83c3bd

SHA512
cdccc14cd8d7469adc8ae8366db9e7191ad58f1ee6b3a954d0e12ab17a43efd22f0abcaaf1c58db3150274b9ea7a6b81f887f15098684218bfb0b9b79aeaab7c

Download Submit
C:\Windows\SysWOW64\Cbaehl32.exe

Filesize
470KB

MD5
cda6ab101f4a8b9482939866ad2308dd

SHA1
82990d4bed8c02329a91d62c080ada61d34ec6e7

SHA256
614abb12e29e9b4dcacedaa3b05893aecec7ebe48c1ebf08384a4947aa4dde9d

SHA512
b66e23ef9b212826ed433df683d882c862524a8a2d3be4fc181de4835dd57d858fe2ad9205c8645ca72dcf69d22b1ad261abdeac7b77a2b52eb418a41dd0563d

Download Submit
C:\Windows\SysWOW64\Cbaehl32.exe

Filesize
470KB

MD5
cda6ab101f4a8b9482939866ad2308dd

SHA1
82990d4bed8c02329a91d62c080ada61d34ec6e7

SHA256
614abb12e29e9b4dcacedaa3b05893aecec7ebe48c1ebf08384a4947aa4dde9d

SHA512
b66e23ef9b212826ed433df683d882c862524a8a2d3be4fc181de4835dd57d858fe2ad9205c8645ca72dcf69d22b1ad261abdeac7b77a2b52eb418a41dd0563d

Download Submit
C:\Windows\SysWOW64\Cdebfago.exe

Filesize
470KB

MD5
b3a185bd8fc259192d180173ed7ee4ce

SHA1
2130e223a1ac1e652b3fce89adafde71b76c0b15

SHA256
86a4e6ea7da1355d1bcdea9a0866e0b2db1f1e041e52e990863a934d6ce92ac9

SHA512
4ba72b1df41b010d5c0bb150ad5ad4351ce2f5d262c60f3b41b13dbd9bdb2d884d3b92f3ed5fcfe22ec3592cae074b2c62765c2886155692f9f5a4d77d585952

Download Submit
C:\Windows\SysWOW64\Cdebfago.exe

Filesize
470KB

MD5
b3a185bd8fc259192d180173ed7ee4ce

SHA1
2130e223a1ac1e652b3fce89adafde71b76c0b15

SHA256
86a4e6ea7da1355d1bcdea9a0866e0b2db1f1e041e52e990863a934d6ce92ac9

SHA512
4ba72b1df41b010d5c0bb150ad5ad4351ce2f5d262c60f3b41b13dbd9bdb2d884d3b92f3ed5fcfe22ec3592cae074b2c62765c2886155692f9f5a4d77d585952

Download Submit
C:\Windows\SysWOW64\Clbdpc32.exe

Filesize
470KB

MD5
0f9ded938c6d9623d7a2b1c12689e5a0

SHA1
85e823ce73b5a1a3aa423fad94bd4e7fcf3c182f

SHA256
e8458648f78ae0d14995cab5bd7b1c41591487f7649c62f8ee0628311786d66f

SHA512
280c32546191353895377ff4367f2fae784ee4382c6518684b0e9832afd0f5e3f5d2049b5045b089e9e75ec02b48f5c9eac0b9d6db33274d37ef0e3a5152bb63

Download Submit
C:\Windows\SysWOW64\Clbdpc32.exe

Filesize
470KB

MD5
0f9ded938c6d9623d7a2b1c12689e5a0

SHA1
85e823ce73b5a1a3aa423fad94bd4e7fcf3c182f

SHA256
e8458648f78ae0d14995cab5bd7b1c41591487f7649c62f8ee0628311786d66f

SHA512
280c32546191353895377ff4367f2fae784ee4382c6518684b0e9832afd0f5e3f5d2049b5045b089e9e75ec02b48f5c9eac0b9d6db33274d37ef0e3a5152bb63

Download Submit
C:\Windows\SysWOW64\Cleqfb32.exe

Filesize
470KB

MD5
283ef98c8287e88a5def1654683c99af

SHA1
576794dab755c381e94c35978de150f886f88d59

SHA256
e3952ba910de08b1d064af050555f6057c7dac84031075ef795160d451738cb7

SHA512
5f85da4f9af4235f01fbf935808a8b3f7d2d02390b63a87e2d88a7cc01150acda8227b1554613f4974d191410e411e4709ffd13afcc080b2e67c62d4a842eccd

Download Submit
C:\Windows\SysWOW64\Cleqfb32.exe

Filesize
470KB

MD5
283ef98c8287e88a5def1654683c99af

SHA1
576794dab755c381e94c35978de150f886f88d59

SHA256
e3952ba910de08b1d064af050555f6057c7dac84031075ef795160d451738cb7

SHA512
5f85da4f9af4235f01fbf935808a8b3f7d2d02390b63a87e2d88a7cc01150acda8227b1554613f4974d191410e411e4709ffd13afcc080b2e67c62d4a842eccd

Download Submit
C:\Windows\SysWOW64\Clpgkcdj.exe

Filesize
470KB

MD5
69b246d17914130e0705997b0e801c37

SHA1
2d5dbdf9af11ebb42df92767a2560566cf182cf5

SHA256
1e48aec1e2dc0a981e8999dfc220eeebb48a07e40753609ec3b51eb226236aaf

SHA512
aba45d4ded3d93005ef5845c0d512da013afe318f368c686b953bed6b9d79a11016b65df9259d006362e39bd6fc7470dfc89e136e3791109cb3a98f330cbb9af

Download Submit
C:\Windows\SysWOW64\Clpgkcdj.exe

Filesize
470KB

MD5
69b246d17914130e0705997b0e801c37

SHA1
2d5dbdf9af11ebb42df92767a2560566cf182cf5

SHA256
1e48aec1e2dc0a981e8999dfc220eeebb48a07e40753609ec3b51eb226236aaf

SHA512
aba45d4ded3d93005ef5845c0d512da013afe318f368c686b953bed6b9d79a11016b65df9259d006362e39bd6fc7470dfc89e136e3791109cb3a98f330cbb9af

Download Submit
C:\Windows\SysWOW64\Cmgjee32.exe

Filesize
470KB

MD5
e01d4d696afcfe1ada7c30311e9d4a12

SHA1
71e67c6c6ab35e4ecac76fa0d92d5c0cbb030a4a

SHA256
73fcbce65cb7cefbc5eda844b187a1d07d82c54b89dcc8100d231a8a89d75c0a

SHA512
06750fb4ac354f6ef6ab50527727a3068177e7ece983a1d96966cbfff47ed8d9b6df8a95ca58cd8666ccd04958c318a1dcd2fd0895187e67178710780c4a8993

Download Submit
C:\Windows\SysWOW64\Cmgjee32.exe

Filesize
470KB

MD5
e01d4d696afcfe1ada7c30311e9d4a12

SHA1
71e67c6c6ab35e4ecac76fa0d92d5c0cbb030a4a

SHA256
73fcbce65cb7cefbc5eda844b187a1d07d82c54b89dcc8100d231a8a89d75c0a

SHA512
06750fb4ac354f6ef6ab50527727a3068177e7ece983a1d96966cbfff47ed8d9b6df8a95ca58cd8666ccd04958c318a1dcd2fd0895187e67178710780c4a8993

Download Submit
C:\Windows\SysWOW64\Dbfoclai.exe

Filesize
470KB

MD5
a89ba1536a90a7dfbbb5eea30377baa6

SHA1
d780c09ab685f18b7938f3c362a228b18036237b

SHA256
455888761f2a138349fc1bc8cea31513da80d3cf50f14c00cb219d71a890bc49

SHA512
1c56c6c1ab1a7e5789df5e6658a770077726657a87e2c79bc30bb70598926a33f7b367b358f2ecc687b8e1cb52d75869e1fc3c05afd5e274e70d30f7863abd01

Download Submit
C:\Windows\SysWOW64\Dbfoclai.exe

Filesize
470KB

MD5
a89ba1536a90a7dfbbb5eea30377baa6

SHA1
d780c09ab685f18b7938f3c362a228b18036237b

SHA256
455888761f2a138349fc1bc8cea31513da80d3cf50f14c00cb219d71a890bc49

SHA512
1c56c6c1ab1a7e5789df5e6658a770077726657a87e2c79bc30bb70598926a33f7b367b358f2ecc687b8e1cb52d75869e1fc3c05afd5e274e70d30f7863abd01

Download Submit
C:\Windows\SysWOW64\Dbhlikpf.exe

Filesize
470KB

MD5
a1b1a9e5cba29bb903d053586191337f

SHA1
73e57d568f8d176d8c131f12660361e1f141e573

SHA256
e389155c11211ad107fc538054638005fe60b1d153abb13c2b8d193f80a80eea

SHA512
ef77eb8bfc778a0ba1b77bd75c7b7da639d39803edd0a3f92ed601aa40395cd5daae492d40b19fa286f5c882079a725469afa8181e88fc9a1c779b2d768e0a76

Download Submit
C:\Windows\SysWOW64\Dbhlikpf.exe

Filesize
470KB

MD5
a1b1a9e5cba29bb903d053586191337f

SHA1
73e57d568f8d176d8c131f12660361e1f141e573

SHA256
e389155c11211ad107fc538054638005fe60b1d153abb13c2b8d193f80a80eea

SHA512
ef77eb8bfc778a0ba1b77bd75c7b7da639d39803edd0a3f92ed601aa40395cd5daae492d40b19fa286f5c882079a725469afa8181e88fc9a1c779b2d768e0a76

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
470KB

MD5
8308eea8ee40c0668a30aadfd2674476

SHA1
74b359711a1f42b0d23c30412067d62fe97b331d

SHA256
726087b2638dfb798c06d6aaafbe47b95de115c0bbb3290ed412701b01efe9b2

SHA512
f47c27a02ced338955689cdbdefd1c303b5e0b10ebe48dbbe5919fab68c8b098b243645a3819f851532059da93f26a12838cc90d974e441580a403a5d7993fa6

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
470KB

MD5
8308eea8ee40c0668a30aadfd2674476

SHA1
74b359711a1f42b0d23c30412067d62fe97b331d

SHA256
726087b2638dfb798c06d6aaafbe47b95de115c0bbb3290ed412701b01efe9b2

SHA512
f47c27a02ced338955689cdbdefd1c303b5e0b10ebe48dbbe5919fab68c8b098b243645a3819f851532059da93f26a12838cc90d974e441580a403a5d7993fa6

Download Submit
C:\Windows\SysWOW64\Ddqbbo32.exe

Filesize
470KB

MD5
f409de3738134494160ec2b01f9cef8e

SHA1
2f0a9f8ffa9d238be5ee3b7cdb14cc0218af1ccd

SHA256
93158506155cc9f0f0c8a5f6e58dee9525fc0b7f6859449650b89d7ef0b6730a

SHA512
19a3721373d13906f40457c7151025f577ab6160eead0db8413c96f9de793d3df2d2e2352bb47137c1094e0dc5e8e368ad6b8f506c5e16fe9bd287b27c9ab184

Download Submit
C:\Windows\SysWOW64\Ddqbbo32.exe

Filesize
470KB

MD5
f409de3738134494160ec2b01f9cef8e

SHA1
2f0a9f8ffa9d238be5ee3b7cdb14cc0218af1ccd

SHA256
93158506155cc9f0f0c8a5f6e58dee9525fc0b7f6859449650b89d7ef0b6730a

SHA512
19a3721373d13906f40457c7151025f577ab6160eead0db8413c96f9de793d3df2d2e2352bb47137c1094e0dc5e8e368ad6b8f506c5e16fe9bd287b27c9ab184

Download Submit
C:\Windows\SysWOW64\Dlqpaafg.exe

Filesize
470KB

MD5
290a17ef33074a759ed19d4c6738d40d

SHA1
cbb46b35244d37f6bacfc1fccd5a9eb4514bc969

SHA256
db34513aae47851897f064b5ea0033d06a21f4d3bbbe2a4b6b56d007765d0019

SHA512
27dc76361cc9167795cc9de1ac7023f47c57aadaa190d9c5fccd03d0100daa459f4361ddc0bb6818bbd35bf278e19c51fa873d99adb69c7ad4774ed4c57ae921

Download Submit
C:\Windows\SysWOW64\Dlqpaafg.exe

Filesize
470KB

MD5
290a17ef33074a759ed19d4c6738d40d

SHA1
cbb46b35244d37f6bacfc1fccd5a9eb4514bc969

SHA256
db34513aae47851897f064b5ea0033d06a21f4d3bbbe2a4b6b56d007765d0019

SHA512
27dc76361cc9167795cc9de1ac7023f47c57aadaa190d9c5fccd03d0100daa459f4361ddc0bb6818bbd35bf278e19c51fa873d99adb69c7ad4774ed4c57ae921

Download Submit
C:\Windows\SysWOW64\Lcoeiajc.dll

Filesize
7KB

MD5
f5ddb743d6f196e0f5ac90839db58d35

SHA1
1ffa3c5be33f08d178956f30a2c437a2e783bddf

SHA256
26987d8944a275937ed6f63d6a96dc4ff603df8d296312e9c5d006b64619df21

SHA512
af9f54e4a9e001417d1dba8a7b6cae4b3bc1902f008d3e808c11846b2f8b98b2d40406ca7382e541b185e8d1d775077efd539e374ee4068d3433629e302305bc

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe

Filesize
470KB

MD5
da19a4b667cf3360713f5b722111f226

SHA1
973a9c32a6c6bb3f0669dca659bf0d2e7eab6454

SHA256
a539dd664c7c72ca113b20cb5c6c9d6cb469647de206f5e71e340a95a08cead6

SHA512
14925952432a4355113e61d0aa556c7198b9f1537fca8b59e026f32c5e26e9b6b66725f26f87e2ea75f2f6d2f31ceaa9fa21d6ebe2b30ffdae8553f3554e66e2

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe

Filesize
470KB

MD5
da19a4b667cf3360713f5b722111f226

SHA1
973a9c32a6c6bb3f0669dca659bf0d2e7eab6454

SHA256
a539dd664c7c72ca113b20cb5c6c9d6cb469647de206f5e71e340a95a08cead6

SHA512
14925952432a4355113e61d0aa556c7198b9f1537fca8b59e026f32c5e26e9b6b66725f26f87e2ea75f2f6d2f31ceaa9fa21d6ebe2b30ffdae8553f3554e66e2

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
470KB

MD5
db81327374829f5184265e5fbe831186

SHA1
631db0db9f80862fa86dbfde5be7e15f7b118a68

SHA256
80eff70ca8d0cbfdd9a249c703791eeddfe6d59a93924e03180ab13bd09b20d9

SHA512
1ae966d3fdce56998cf9a2164dbb7aeb2a7435f60fd36ac4ba650779701b429ecc3bbbb32d8410b7d0e6f0ab29b48ef80ca98d1fce0ba8af08dd7eb4cdcba60b

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
470KB

MD5
db81327374829f5184265e5fbe831186

SHA1
631db0db9f80862fa86dbfde5be7e15f7b118a68

SHA256
80eff70ca8d0cbfdd9a249c703791eeddfe6d59a93924e03180ab13bd09b20d9

SHA512
1ae966d3fdce56998cf9a2164dbb7aeb2a7435f60fd36ac4ba650779701b429ecc3bbbb32d8410b7d0e6f0ab29b48ef80ca98d1fce0ba8af08dd7eb4cdcba60b

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
470KB

MD5
6d073ca9ebc4cfde4a6969667d804604

SHA1
6ce635271b235934f36fb451ca06265166ac7b62

SHA256
c784bcd009f17b43b02866575841cdf21500c749e06c8393894dabbf772c80cd

SHA512
d8e9e02f0d06d16649ac37cbd86bf5693bd5ad4bd896799f6a4466a5db051268d18c4c52907fe3d4fe48c75519c0a83dddbd8371b680562ef37cf71a5e569445

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
470KB

MD5
6d073ca9ebc4cfde4a6969667d804604

SHA1
6ce635271b235934f36fb451ca06265166ac7b62

SHA256
c784bcd009f17b43b02866575841cdf21500c749e06c8393894dabbf772c80cd

SHA512
d8e9e02f0d06d16649ac37cbd86bf5693bd5ad4bd896799f6a4466a5db051268d18c4c52907fe3d4fe48c75519c0a83dddbd8371b680562ef37cf71a5e569445

Download Submit
C:\Windows\SysWOW64\Pecpknke.exe

Filesize
470KB

MD5
54c40a9d76b0d61c585e39d3ae86219a

SHA1
8d8fde8a8afc00bb907e34173aef2709ea2a53d3

SHA256
e5baab3f70f6330ce7c9e88ad0dfbb856e3fbfaae2aa1ca570efe334f979b5ab

SHA512
177420f190f1da4c1ba0ceb4f6a3f8cfe30c31e6dc9c194f733b0777dab22353b57dde0f126397d69a7645fd2a6aca883826b9982d145d0d0c52ccdd76cce195

Download Submit
C:\Windows\SysWOW64\Pecpknke.exe

Filesize
470KB

MD5
5a269f7b69850a1e66201288e36cceba

SHA1
c0fa8c5c28417c19cf0f5c8146f402abe6bbfea9

SHA256
b7f0f2b85dcfc4be067b60b837a8fedacb1752c0bac770f6f462fff262960804

SHA512
0b6892af8fcdea5147a629eb1cb2d337de51bc0b8892e38fa3927b545143a6df1c4b04cc3030a01ffcfece258d0e01b25f30969a7fff89a4e4992e034bbf59dd

Download Submit
C:\Windows\SysWOW64\Pecpknke.exe

Filesize
470KB

MD5
5a269f7b69850a1e66201288e36cceba

SHA1
c0fa8c5c28417c19cf0f5c8146f402abe6bbfea9

SHA256
b7f0f2b85dcfc4be067b60b837a8fedacb1752c0bac770f6f462fff262960804

SHA512
0b6892af8fcdea5147a629eb1cb2d337de51bc0b8892e38fa3927b545143a6df1c4b04cc3030a01ffcfece258d0e01b25f30969a7fff89a4e4992e034bbf59dd

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
470KB

MD5
f0e13759cf3a3a90d072b2f0069e0b06

SHA1
5abae9469ed3f1031909f45996de020fa1d56c8b

SHA256
519c9c25c6065790c7b2a99893d8dd0df9da7f87b1a0b31ea2a4a9decef0c89b

SHA512
a986023bed429ff10f2c1c256faa51b735bc2962355a17f5ce231e30c53406aed13117d9ed7018d30047bc3ef41b97a4c926d32c9eb02d8ecb18a848bb19554e

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
470KB

MD5
f0e13759cf3a3a90d072b2f0069e0b06

SHA1
5abae9469ed3f1031909f45996de020fa1d56c8b

SHA256
519c9c25c6065790c7b2a99893d8dd0df9da7f87b1a0b31ea2a4a9decef0c89b

SHA512
a986023bed429ff10f2c1c256faa51b735bc2962355a17f5ce231e30c53406aed13117d9ed7018d30047bc3ef41b97a4c926d32c9eb02d8ecb18a848bb19554e

Download Submit
C:\Windows\SysWOW64\Podkmgop.exe

Filesize
470KB

MD5
54c40a9d76b0d61c585e39d3ae86219a

SHA1
8d8fde8a8afc00bb907e34173aef2709ea2a53d3

SHA256
e5baab3f70f6330ce7c9e88ad0dfbb856e3fbfaae2aa1ca570efe334f979b5ab

SHA512
177420f190f1da4c1ba0ceb4f6a3f8cfe30c31e6dc9c194f733b0777dab22353b57dde0f126397d69a7645fd2a6aca883826b9982d145d0d0c52ccdd76cce195

Download Submit
C:\Windows\SysWOW64\Podkmgop.exe

Filesize
470KB

MD5
54c40a9d76b0d61c585e39d3ae86219a

SHA1
8d8fde8a8afc00bb907e34173aef2709ea2a53d3

SHA256
e5baab3f70f6330ce7c9e88ad0dfbb856e3fbfaae2aa1ca570efe334f979b5ab

SHA512
177420f190f1da4c1ba0ceb4f6a3f8cfe30c31e6dc9c194f733b0777dab22353b57dde0f126397d69a7645fd2a6aca883826b9982d145d0d0c52ccdd76cce195

Download Submit
C:\Windows\SysWOW64\Qcncodki.exe

Filesize
470KB

MD5
cb1b917fdec1cfba802476f8ffe57a17

SHA1
03a9b9b08750ba28753c7e7e02ff461b761a84af

SHA256
64e4c427d84a44ed8ccaa915f6b142bc7cd129a031732d7b915ab05bac46f6b9

SHA512
aac5ff3b466ca1ed99d5918827c86a2cc5475d1838f3d98db50a65405ffd7c4a9d2a0e01491a496da5e68a088c6fec8c39603d0fddbe5106652cd35b900875b6

Download Submit
C:\Windows\SysWOW64\Qcncodki.exe

Filesize
470KB

MD5
cb1b917fdec1cfba802476f8ffe57a17

SHA1
03a9b9b08750ba28753c7e7e02ff461b761a84af

SHA256
64e4c427d84a44ed8ccaa915f6b142bc7cd129a031732d7b915ab05bac46f6b9

SHA512
aac5ff3b466ca1ed99d5918827c86a2cc5475d1838f3d98db50a65405ffd7c4a9d2a0e01491a496da5e68a088c6fec8c39603d0fddbe5106652cd35b900875b6

Download Submit
C:\Windows\SysWOW64\Qelcamcj.exe

Filesize
470KB

MD5
e04d50a1bb5f97f0d3e0ce08db501701

SHA1
ba109e4b89533ed5b760fd11b2cb7f3c8ed6a87d

SHA256
7c69d91ec1f4e21b9ea35ca399f2c19f7097547fbb90994cbe7c4d969840e25c

SHA512
ce403c05dc4a0ececc5fa26a0f8aa4ea81f87092316b1ca22ea28a47054b1f3046c923256960aade9b49359bb2e127a79cfc8eb23646ed544130466624e5e548

Download Submit
C:\Windows\SysWOW64\Qelcamcj.exe

Filesize
470KB

MD5
e04d50a1bb5f97f0d3e0ce08db501701

SHA1
ba109e4b89533ed5b760fd11b2cb7f3c8ed6a87d

SHA256
7c69d91ec1f4e21b9ea35ca399f2c19f7097547fbb90994cbe7c4d969840e25c

SHA512
ce403c05dc4a0ececc5fa26a0f8aa4ea81f87092316b1ca22ea28a47054b1f3046c923256960aade9b49359bb2e127a79cfc8eb23646ed544130466624e5e548

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
470KB

MD5
64c202af77c86edf011dc08313e626b0

SHA1
41af65e59fdb25019f45b49a7b3ff750ef8142b3

SHA256
553836c549b7c4f90062df34d8fd7a9388e46a1f5d5225c28bda8a44e4b323b5

SHA512
936b10f3ea442a3cb596afdbf0f6d75b8979394d7d7102bb868f64d21ac7c74c05115a7b57fd0715031605ea116a2aefc8137f6d519fc3abc01e8bf6f9d91a69

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
470KB

MD5
64c202af77c86edf011dc08313e626b0

SHA1
41af65e59fdb25019f45b49a7b3ff750ef8142b3

SHA256
553836c549b7c4f90062df34d8fd7a9388e46a1f5d5225c28bda8a44e4b323b5

SHA512
936b10f3ea442a3cb596afdbf0f6d75b8979394d7d7102bb868f64d21ac7c74c05115a7b57fd0715031605ea116a2aefc8137f6d519fc3abc01e8bf6f9d91a69

Download Submit
memory/536-47-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/536-311-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/632-72-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/632-307-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1016-300-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1016-127-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1112-330-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1112-183-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1204-8-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1204-313-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1684-32-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1684-312-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1700-20-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1700-315-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1860-212-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1860-334-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1944-325-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1944-175-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2108-64-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2108-308-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2140-196-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2140-328-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2256-84-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2256-306-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2488-299-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2488-136-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2856-297-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2856-156-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3032-184-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3032-329-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3044-309-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3044-56-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3068-301-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3068-119-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3100-305-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3100-90-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3160-159-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3160-322-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3500-335-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3500-200-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3604-303-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3604-104-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3764-23-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3764-320-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3844-310-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3844-39-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3848-302-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3848-112-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4116-304-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4116-96-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4724-316-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4724-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4808-298-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4808-148-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4968-216-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4968-339-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads