8067bf2e80aaf340b552b38f755b9285caf7759f8e534604c31fdd3aa01d0909

Analysis

max time kernel
196s
max time network
231s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2023 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe
Size

96KB
MD5

4d0ad7d14df01576569c79ef4ab43c3d
SHA1

f8b045fd9356af5ac678ff90498f6883509a9460
SHA256

8067bf2e80aaf340b552b38f755b9285caf7759f8e534604c31fdd3aa01d0909
SHA512

f7db7adf646f4ae1d824f3624f7ca44935c2e4ce99567820a55cc275cb34865fb18a0485b02176b27759f80afe88196e4affc411da57b999f309e3ac4b788763
SSDEEP

1536:lvfkKpAJMyGwnz25J+Hrth+snor9H8PhoMPxkckQhZeYLfNbw4CRQ+cR5R45WtqF:lvcKyWlIKArth+6PhocAQhZeY13Ce+cO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbkdgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhelddln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Plagmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdaneff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnadkmhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igneng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aegidp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbacekmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Knmkak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnmccfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mabnlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lokdgpqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbofpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kggmgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhelddln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phmnpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Necljgcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Necljgcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knmkak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aegidp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fineho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbacekmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kggmgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkaljpmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eimegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eimegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnlda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbgoik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iooigo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndnlda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbkdgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eodlad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bogkgmho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljmmnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkgmho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kflnjldl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iooigo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mabnlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plagmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fineho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noaclkef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljmmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Epdaneff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnadkmhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnmccfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbofpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nocpaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbgcch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eodlad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Noaclkef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbgcch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lokdgpqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkaljpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbgoik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Igneng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kflnjldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phmnpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nocpaj32.exe

Executes dropped EXE 29 IoCs

pid	Process
4504	Knmkak32.exe
3824	Kkaljpmd.exe
1072	Kbkdgj32.exe
2860	Lhelddln.exe
3460	Lbgcch32.exe
2952	Eodlad32.exe
2856	Aegidp32.exe
312	Jbgoik32.exe
1176	Plagmh32.exe
4104	Fineho32.exe
4900	Ljmmnf32.exe
3488	Epdaneff.exe
4016	Eimegk32.exe
1644	Lnadkmhj.exe
2292	Mcnmccfa.exe
4472	Mabnlh32.exe
460	Lokdgpqe.exe
708	Bogkgmho.exe
3672	Bbofpk32.exe
2004	Bbacekmj.exe
1412	Igneng32.exe
3520	Kflnjldl.exe
3188	Phmnpf32.exe
4516	Iooigo32.exe
4860	Necljgcd.exe
3560	Kggmgb32.exe
3800	Noaclkef.exe
4360	Ndnlda32.exe
4480	Nocpaj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Leadag32.dll	Plagmh32.exe
File created	C:\Windows\SysWOW64\Fmoapj32.dll	Lokdgpqe.exe
File opened for modification	C:\Windows\SysWOW64\Bbacekmj.exe	Bbofpk32.exe
File opened for modification	C:\Windows\SysWOW64\Hjcleobl.exe	Nocpaj32.exe
File created	C:\Windows\SysWOW64\Bleoga32.dll	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe
File created	C:\Windows\SysWOW64\Fineho32.exe	Plagmh32.exe
File created	C:\Windows\SysWOW64\Epdaneff.exe	Ljmmnf32.exe
File created	C:\Windows\SysWOW64\Mogjpn32.dll	Mcnmccfa.exe
File created	C:\Windows\SysWOW64\Lokdgpqe.exe	Mabnlh32.exe
File created	C:\Windows\SysWOW64\Mmjphk32.dll	Kflnjldl.exe
File opened for modification	C:\Windows\SysWOW64\Iooigo32.exe	Phmnpf32.exe
File created	C:\Windows\SysWOW64\Kkaljpmd.exe	Knmkak32.exe
File created	C:\Windows\SysWOW64\Lbgcch32.exe	Lhelddln.exe
File created	C:\Windows\SysWOW64\Kflnjldl.exe	Igneng32.exe
File opened for modification	C:\Windows\SysWOW64\Necljgcd.exe	Iooigo32.exe
File opened for modification	C:\Windows\SysWOW64\Kggmgb32.exe	Necljgcd.exe
File created	C:\Windows\SysWOW64\Iemkjd32.dll	Aegidp32.exe
File created	C:\Windows\SysWOW64\Mkoenj32.dll	Bbofpk32.exe
File opened for modification	C:\Windows\SysWOW64\Epdaneff.exe	Ljmmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Lnadkmhj.exe	Eimegk32.exe
File created	C:\Windows\SysWOW64\Mfefpi32.dll	Ndnlda32.exe
File created	C:\Windows\SysWOW64\Eodlad32.exe	Lbgcch32.exe
File created	C:\Windows\SysWOW64\Aegidp32.exe	Eodlad32.exe
File created	C:\Windows\SysWOW64\Lnadkmhj.exe	Eimegk32.exe
File created	C:\Windows\SysWOW64\Aqhopg32.dll	Mabnlh32.exe
File opened for modification	C:\Windows\SysWOW64\Plagmh32.exe	Jbgoik32.exe
File created	C:\Windows\SysWOW64\Eimegk32.exe	Epdaneff.exe
File opened for modification	C:\Windows\SysWOW64\Bbofpk32.exe	Bogkgmho.exe
File created	C:\Windows\SysWOW64\Noaclkef.exe	Kggmgb32.exe
File created	C:\Windows\SysWOW64\Ljmmnf32.exe	Fineho32.exe
File created	C:\Windows\SysWOW64\Hjcleobl.exe	Nocpaj32.exe
File created	C:\Windows\SysWOW64\Hdfpfdap.dll	Knmkak32.exe
File created	C:\Windows\SysWOW64\Olhogh32.dll	Jbgoik32.exe
File opened for modification	C:\Windows\SysWOW64\Nocpaj32.exe	Ndnlda32.exe
File created	C:\Windows\SysWOW64\Npnjhn32.dll	Eodlad32.exe
File created	C:\Windows\SysWOW64\Mabnlh32.exe	Mcnmccfa.exe
File opened for modification	C:\Windows\SysWOW64\Lokdgpqe.exe	Mabnlh32.exe
File created	C:\Windows\SysWOW64\Ohnhhbhc.dll	Necljgcd.exe
File created	C:\Windows\SysWOW64\Ggpmhfkl.dll	Kggmgb32.exe
File created	C:\Windows\SysWOW64\Kbkdgj32.exe	Kkaljpmd.exe
File created	C:\Windows\SysWOW64\Lhelddln.exe	Kbkdgj32.exe
File created	C:\Windows\SysWOW64\Hlfolq32.dll	Ljmmnf32.exe
File created	C:\Windows\SysWOW64\Pacmbj32.dll	Bogkgmho.exe
File created	C:\Windows\SysWOW64\Plagmh32.exe	Jbgoik32.exe
File created	C:\Windows\SysWOW64\Aknhia32.dll	Fineho32.exe
File opened for modification	C:\Windows\SysWOW64\Aegidp32.exe	Eodlad32.exe
File opened for modification	C:\Windows\SysWOW64\Igneng32.exe	Bbacekmj.exe
File opened for modification	C:\Windows\SysWOW64\Kflnjldl.exe	Igneng32.exe
File created	C:\Windows\SysWOW64\Ljgiaejh.dll	Phmnpf32.exe
File created	C:\Windows\SysWOW64\Knmkak32.exe	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe
File opened for modification	C:\Windows\SysWOW64\Lhelddln.exe	Kbkdgj32.exe
File created	C:\Windows\SysWOW64\Mcnmccfa.exe	Lnadkmhj.exe
File created	C:\Windows\SysWOW64\Bogkgmho.exe	Lokdgpqe.exe
File created	C:\Windows\SysWOW64\Bbofpk32.exe	Bogkgmho.exe
File created	C:\Windows\SysWOW64\Necljgcd.exe	Iooigo32.exe
File opened for modification	C:\Windows\SysWOW64\Kbkdgj32.exe	Kkaljpmd.exe
File created	C:\Windows\SysWOW64\Gakgdedc.dll	Kkaljpmd.exe
File created	C:\Windows\SysWOW64\Imaqfd32.dll	Lbgcch32.exe
File opened for modification	C:\Windows\SysWOW64\Fineho32.exe	Plagmh32.exe
File created	C:\Windows\SysWOW64\Bbacekmj.exe	Bbofpk32.exe
File created	C:\Windows\SysWOW64\Igneng32.exe	Bbacekmj.exe
File created	C:\Windows\SysWOW64\Phmnpf32.exe	Kflnjldl.exe
File opened for modification	C:\Windows\SysWOW64\Phmnpf32.exe	Kflnjldl.exe
File opened for modification	C:\Windows\SysWOW64\Lbgcch32.exe	Lhelddln.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eimegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Igneng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kggmgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Knmkak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnmff32.dll"	Kbkdgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnadkmhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhogh32.dll"	Jbgoik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljmmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnmccfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mabnlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbacekmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kflnjldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhpfadma.dll"	Iooigo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Knmkak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kggmgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Plagmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfolq32.dll"	Ljmmnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbacekmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidekikq.dll"	Bbacekmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Necljgcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Noaclkef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbkdgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbgoik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mabnlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoenj32.dll"	Bbofpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnhhbhc.dll"	Necljgcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imaqfd32.dll"	Lbgcch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakgdedc.dll"	Kkaljpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eodlad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknhia32.dll"	Fineho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpaqgf32.dll"	Eimegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phmnpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podopd32.dll"	Noaclkef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nocpaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbkdgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aegidp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Plagmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpnih32.dll"	Epdaneff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogjpn32.dll"	Mcnmccfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkaljpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eodlad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkjd32.dll"	Aegidp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Epdaneff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhopg32.dll"	Mabnlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lokdgpqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdfpfdap.dll"	Knmkak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljmmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kflnjldl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhelddln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbgcch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leadag32.dll"	Plagmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fineho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lokdgpqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cglpdkpa.dll"	Igneng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjphk32.dll"	Kflnjldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfefpi32.dll"	Ndnlda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bleoga32.dll"	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nocpaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phmnpf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4504	3508	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe	88
PID 3508 wrote to memory of 4504	3508	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe	88
PID 3508 wrote to memory of 4504	3508	NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe	88
PID 4504 wrote to memory of 3824	4504	Knmkak32.exe	89
PID 4504 wrote to memory of 3824	4504	Knmkak32.exe	89
PID 4504 wrote to memory of 3824	4504	Knmkak32.exe	89
PID 3824 wrote to memory of 1072	3824	Kkaljpmd.exe	90
PID 3824 wrote to memory of 1072	3824	Kkaljpmd.exe	90
PID 3824 wrote to memory of 1072	3824	Kkaljpmd.exe	90
PID 1072 wrote to memory of 2860	1072	Kbkdgj32.exe	91
PID 1072 wrote to memory of 2860	1072	Kbkdgj32.exe	91
PID 1072 wrote to memory of 2860	1072	Kbkdgj32.exe	91
PID 2860 wrote to memory of 3460	2860	Lhelddln.exe	93
PID 2860 wrote to memory of 3460	2860	Lhelddln.exe	93
PID 2860 wrote to memory of 3460	2860	Lhelddln.exe	93
PID 3460 wrote to memory of 2952	3460	Lbgcch32.exe	94
PID 3460 wrote to memory of 2952	3460	Lbgcch32.exe	94
PID 3460 wrote to memory of 2952	3460	Lbgcch32.exe	94
PID 2952 wrote to memory of 2856	2952	Eodlad32.exe	95
PID 2952 wrote to memory of 2856	2952	Eodlad32.exe	95
PID 2952 wrote to memory of 2856	2952	Eodlad32.exe	95
PID 2856 wrote to memory of 312	2856	Aegidp32.exe	96
PID 2856 wrote to memory of 312	2856	Aegidp32.exe	96
PID 2856 wrote to memory of 312	2856	Aegidp32.exe	96
PID 312 wrote to memory of 1176	312	Jbgoik32.exe	97
PID 312 wrote to memory of 1176	312	Jbgoik32.exe	97
PID 312 wrote to memory of 1176	312	Jbgoik32.exe	97
PID 1176 wrote to memory of 4104	1176	Plagmh32.exe	99
PID 1176 wrote to memory of 4104	1176	Plagmh32.exe	99
PID 1176 wrote to memory of 4104	1176	Plagmh32.exe	99
PID 4104 wrote to memory of 4900	4104	Fineho32.exe	101
PID 4104 wrote to memory of 4900	4104	Fineho32.exe	101
PID 4104 wrote to memory of 4900	4104	Fineho32.exe	101
PID 4900 wrote to memory of 3488	4900	Ljmmnf32.exe	102
PID 4900 wrote to memory of 3488	4900	Ljmmnf32.exe	102
PID 4900 wrote to memory of 3488	4900	Ljmmnf32.exe	102
PID 3488 wrote to memory of 4016	3488	Epdaneff.exe	104
PID 3488 wrote to memory of 4016	3488	Epdaneff.exe	104
PID 3488 wrote to memory of 4016	3488	Epdaneff.exe	104
PID 4016 wrote to memory of 1644	4016	Eimegk32.exe	105
PID 4016 wrote to memory of 1644	4016	Eimegk32.exe	105
PID 4016 wrote to memory of 1644	4016	Eimegk32.exe	105
PID 1644 wrote to memory of 2292	1644	Lnadkmhj.exe	106
PID 1644 wrote to memory of 2292	1644	Lnadkmhj.exe	106
PID 1644 wrote to memory of 2292	1644	Lnadkmhj.exe	106
PID 2292 wrote to memory of 4472	2292	Mcnmccfa.exe	108
PID 2292 wrote to memory of 4472	2292	Mcnmccfa.exe	108
PID 2292 wrote to memory of 4472	2292	Mcnmccfa.exe	108
PID 4472 wrote to memory of 460	4472	Mabnlh32.exe	109
PID 4472 wrote to memory of 460	4472	Mabnlh32.exe	109
PID 4472 wrote to memory of 460	4472	Mabnlh32.exe	109
PID 460 wrote to memory of 708	460	Lokdgpqe.exe	110
PID 460 wrote to memory of 708	460	Lokdgpqe.exe	110
PID 460 wrote to memory of 708	460	Lokdgpqe.exe	110
PID 708 wrote to memory of 3672	708	Bogkgmho.exe	111
PID 708 wrote to memory of 3672	708	Bogkgmho.exe	111
PID 708 wrote to memory of 3672	708	Bogkgmho.exe	111
PID 3672 wrote to memory of 2004	3672	Bbofpk32.exe	113
PID 3672 wrote to memory of 2004	3672	Bbofpk32.exe	113
PID 3672 wrote to memory of 2004	3672	Bbofpk32.exe	113
PID 2004 wrote to memory of 1412	2004	Bbacekmj.exe	114
PID 2004 wrote to memory of 1412	2004	Bbacekmj.exe	114
PID 2004 wrote to memory of 1412	2004	Bbacekmj.exe	114
PID 1412 wrote to memory of 3520	1412	Igneng32.exe	115

C:\Users\Admin\AppData\Local\Temp\NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4d0ad7d14df01576569c79ef4ab43c3d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\Knmkak32.exe
  C:\Windows\system32\Knmkak32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\Kkaljpmd.exe
    C:\Windows\system32\Kkaljpmd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Windows\SysWOW64\Kbkdgj32.exe
      C:\Windows\system32\Kbkdgj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Windows\SysWOW64\Lhelddln.exe
        
        C:\Windows\system32\Lhelddln.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\SysWOW64\Lbgcch32.exe
        
        C:\Windows\system32\Lbgcch32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Eodlad32.exe
        
        C:\Windows\system32\Eodlad32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Aegidp32.exe
        
        C:\Windows\system32\Aegidp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Jbgoik32.exe
        
        C:\Windows\system32\Jbgoik32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\SysWOW64\Plagmh32.exe
        
        C:\Windows\system32\Plagmh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Fineho32.exe
        
        C:\Windows\system32\Fineho32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Ljmmnf32.exe
        
        C:\Windows\system32\Ljmmnf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Epdaneff.exe
        
        C:\Windows\system32\Epdaneff.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Eimegk32.exe
        
        C:\Windows\system32\Eimegk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Lnadkmhj.exe
        
        C:\Windows\system32\Lnadkmhj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Mcnmccfa.exe
        
        C:\Windows\system32\Mcnmccfa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Mabnlh32.exe
        
        C:\Windows\system32\Mabnlh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Lokdgpqe.exe
        
        C:\Windows\system32\Lokdgpqe.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Bogkgmho.exe
        
        C:\Windows\system32\Bogkgmho.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Bbofpk32.exe
        
        C:\Windows\system32\Bbofpk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Bbacekmj.exe
        
        C:\Windows\system32\Bbacekmj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Igneng32.exe
        
        C:\Windows\system32\Igneng32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Kflnjldl.exe
        
        C:\Windows\system32\Kflnjldl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Phmnpf32.exe
        
        C:\Windows\system32\Phmnpf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Iooigo32.exe
        
        C:\Windows\system32\Iooigo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Necljgcd.exe
        
        C:\Windows\system32\Necljgcd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Kggmgb32.exe
        
        C:\Windows\system32\Kggmgb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Noaclkef.exe
        
        C:\Windows\system32\Noaclkef.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Ndnlda32.exe
        
        C:\Windows\system32\Ndnlda32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Nocpaj32.exe
        
        C:\Windows\system32\Nocpaj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aegidp32.exe

Filesize
96KB

MD5
751154406ce3b73979f32857833898d8

SHA1
a8f03d0d92329ef6e7a1302160f218c91e2a539b

SHA256
f3b1f28cb04f9e00b58133ce97ab921fec42020af090c035c407eb42bc581b82

SHA512
0e5b9c5198a1e4e50a2ef62ebdede8838a296eeadd8c8d32145b2c236bc8a2697aa31c6420732206101effd1a0fd397b356cd2832f67e7bb90ff4d5dc70521a6

Download Submit
C:\Windows\SysWOW64\Aegidp32.exe

Filesize
96KB

MD5
751154406ce3b73979f32857833898d8

SHA1
a8f03d0d92329ef6e7a1302160f218c91e2a539b

SHA256
f3b1f28cb04f9e00b58133ce97ab921fec42020af090c035c407eb42bc581b82

SHA512
0e5b9c5198a1e4e50a2ef62ebdede8838a296eeadd8c8d32145b2c236bc8a2697aa31c6420732206101effd1a0fd397b356cd2832f67e7bb90ff4d5dc70521a6

Download Submit
C:\Windows\SysWOW64\Bbacekmj.exe

Filesize
96KB

MD5
ce3dce14d7e6a09cb5ace4f3f9657a44

SHA1
950d4a33c3d4db52664e8ed0f997693fa8d117a7

SHA256
3c6bad7d974a045eb4f0bc69229938c49d7d7c2dfab3833092c8d0c622a31edf

SHA512
2144fa1fd6d028aee819463218fe48620e3ed13fcaafaf7466557aa256beb942235096ca7d196273e2992e238a44a19aadd142590ad30af7e254679fbfa1fc72

Download Submit
C:\Windows\SysWOW64\Bbacekmj.exe

Filesize
96KB

MD5
ce3dce14d7e6a09cb5ace4f3f9657a44

SHA1
950d4a33c3d4db52664e8ed0f997693fa8d117a7

SHA256
3c6bad7d974a045eb4f0bc69229938c49d7d7c2dfab3833092c8d0c622a31edf

SHA512
2144fa1fd6d028aee819463218fe48620e3ed13fcaafaf7466557aa256beb942235096ca7d196273e2992e238a44a19aadd142590ad30af7e254679fbfa1fc72

Download Submit
C:\Windows\SysWOW64\Bbofpk32.exe

Filesize
96KB

MD5
5e1ac7e288440f94ac6acbd893b2516b

SHA1
313f1806768e009d82e5aeb54afabfcccf9d2a37

SHA256
0237fdd3e64731dfe1de4a13148d286f26c50100abd5d74260508f661c5ddef5

SHA512
909484a77701d6d360246c0d4493e94e190e5d68712b5ffb9f4be9bfccefd25f29f0fc712ac7068d9bb11915d0cdcaf23604404a1cbbff8369599970517ee4e6

Download Submit
C:\Windows\SysWOW64\Bbofpk32.exe

Filesize
96KB

MD5
5e1ac7e288440f94ac6acbd893b2516b

SHA1
313f1806768e009d82e5aeb54afabfcccf9d2a37

SHA256
0237fdd3e64731dfe1de4a13148d286f26c50100abd5d74260508f661c5ddef5

SHA512
909484a77701d6d360246c0d4493e94e190e5d68712b5ffb9f4be9bfccefd25f29f0fc712ac7068d9bb11915d0cdcaf23604404a1cbbff8369599970517ee4e6

Download Submit
C:\Windows\SysWOW64\Bogkgmho.exe

Filesize
96KB

MD5
2e523b9666730ae9e1180dc256d67e3f

SHA1
c458a2269be4d14fe21e1fb9968bf40cd4d3b0a6

SHA256
7ff723aea70c1cf99d7d740f561b1e7112e3c2607080f931a40faa47b9d8184a

SHA512
41fbfeca2b844fe41aee7f6980f64229f9784908082dda019dc31923b3abfdc8ba55c4544147c677025c364b154979b0fddf145ec2ee5811aa3a4ca3b0c24f38

Download Submit
C:\Windows\SysWOW64\Bogkgmho.exe

Filesize
96KB

MD5
2e523b9666730ae9e1180dc256d67e3f

SHA1
c458a2269be4d14fe21e1fb9968bf40cd4d3b0a6

SHA256
7ff723aea70c1cf99d7d740f561b1e7112e3c2607080f931a40faa47b9d8184a

SHA512
41fbfeca2b844fe41aee7f6980f64229f9784908082dda019dc31923b3abfdc8ba55c4544147c677025c364b154979b0fddf145ec2ee5811aa3a4ca3b0c24f38

Download Submit
C:\Windows\SysWOW64\Eimegk32.exe

Filesize
96KB

MD5
039a32fe98a17a9794d9b1131224771f

SHA1
2e852123aa4eb50254fe52f306d6c3e3b6dedc3c

SHA256
e3b7621b5481ae44267c4cbaa8488e7acc178add95d06d37e96b85c9744bfcd0

SHA512
cc57e8fc8bec2950d968ca4ada913dbfe1ca8aed1c9afc829d26b4d5c679a31f21a9852e6d8f8b79c8cb8dac907e67c46a8e64db03b9758e5e5315b48d290617

Download Submit
C:\Windows\SysWOW64\Eimegk32.exe

Filesize
96KB

MD5
039a32fe98a17a9794d9b1131224771f

SHA1
2e852123aa4eb50254fe52f306d6c3e3b6dedc3c

SHA256
e3b7621b5481ae44267c4cbaa8488e7acc178add95d06d37e96b85c9744bfcd0

SHA512
cc57e8fc8bec2950d968ca4ada913dbfe1ca8aed1c9afc829d26b4d5c679a31f21a9852e6d8f8b79c8cb8dac907e67c46a8e64db03b9758e5e5315b48d290617

Download Submit
C:\Windows\SysWOW64\Eodlad32.exe

Filesize
96KB

MD5
1f968bbf10f01f05199136398583b00d

SHA1
b7cc6a587ecf11f14e3c010abc807fdd676b66e4

SHA256
c2861730e78696e9d9302ebaee3a96ce8a07070bdc1283b34d05c2a26a262630

SHA512
9ee3923fc2c13665783cc9fd4106dae7467712fad1396b9e2dc028bdc3fd0f6831847ff56cca161b63c468cf5a47f6c5bac59b4250f24c428805118c6b331e4e

Download Submit
C:\Windows\SysWOW64\Eodlad32.exe

Filesize
96KB

MD5
1f968bbf10f01f05199136398583b00d

SHA1
b7cc6a587ecf11f14e3c010abc807fdd676b66e4

SHA256
c2861730e78696e9d9302ebaee3a96ce8a07070bdc1283b34d05c2a26a262630

SHA512
9ee3923fc2c13665783cc9fd4106dae7467712fad1396b9e2dc028bdc3fd0f6831847ff56cca161b63c468cf5a47f6c5bac59b4250f24c428805118c6b331e4e

Download Submit
C:\Windows\SysWOW64\Epdaneff.exe

Filesize
96KB

MD5
caa71019f6f13b3d5ea0de32cfd3532f

SHA1
2485d0a119390d93f760e7ec800114f6d8aabbee

SHA256
a700e54701b168365c050f9bce3e8cf6d9b1e0c3a4b7366c2d2d546e634252db

SHA512
fca9d2041ea9f6e6802a5a684eb83e0d6ff3d68310f6fa928d8a3b20569cac16ab3f3a341b460a8720d21360e2861ddee63829d7efe9c82baca2961d9218138d

Download Submit
C:\Windows\SysWOW64\Epdaneff.exe

Filesize
96KB

MD5
caa71019f6f13b3d5ea0de32cfd3532f

SHA1
2485d0a119390d93f760e7ec800114f6d8aabbee

SHA256
a700e54701b168365c050f9bce3e8cf6d9b1e0c3a4b7366c2d2d546e634252db

SHA512
fca9d2041ea9f6e6802a5a684eb83e0d6ff3d68310f6fa928d8a3b20569cac16ab3f3a341b460a8720d21360e2861ddee63829d7efe9c82baca2961d9218138d

Download Submit
C:\Windows\SysWOW64\Fineho32.exe

Filesize
96KB

MD5
7264f7982da09d7f5ba0cd676c8efdb0

SHA1
05136cc52bd57014ab2369c65c4e9fba323c0d4e

SHA256
79841d1402a6fbf2795b21d6bfd08e91a9dd23f2ebda277b4c4c7f80542e6345

SHA512
39c44e516ece68038416c4b3c589e791d43b1b915fbcf9b432c29d863ecc5b26e271b518c2cc32f5c52b42fc6ff3558e6d23ceedb80b95a3d9dcea99c7ef9c2d

Download Submit
C:\Windows\SysWOW64\Fineho32.exe

Filesize
96KB

MD5
7264f7982da09d7f5ba0cd676c8efdb0

SHA1
05136cc52bd57014ab2369c65c4e9fba323c0d4e

SHA256
79841d1402a6fbf2795b21d6bfd08e91a9dd23f2ebda277b4c4c7f80542e6345

SHA512
39c44e516ece68038416c4b3c589e791d43b1b915fbcf9b432c29d863ecc5b26e271b518c2cc32f5c52b42fc6ff3558e6d23ceedb80b95a3d9dcea99c7ef9c2d

Download Submit
C:\Windows\SysWOW64\Igneng32.exe

Filesize
96KB

MD5
4b029b54aa7d6d6bc78f93494e565b99

SHA1
68006f5d579ee410c1712709990d4c4ff50183a0

SHA256
ec3dc067beb9603a72ee5fa488ced42cee7aa9df2697cec86b0fc1e4fe8a5860

SHA512
e06d6fbf32268d5018f192d58e431c5f93fc9d8eb681555c606313b55b8484755ad752ed5e0e43d883f5e8aa81badfd7b5bde241e735fa98273e5339a39baae6

Download Submit
C:\Windows\SysWOW64\Igneng32.exe

Filesize
96KB

MD5
4b029b54aa7d6d6bc78f93494e565b99

SHA1
68006f5d579ee410c1712709990d4c4ff50183a0

SHA256
ec3dc067beb9603a72ee5fa488ced42cee7aa9df2697cec86b0fc1e4fe8a5860

SHA512
e06d6fbf32268d5018f192d58e431c5f93fc9d8eb681555c606313b55b8484755ad752ed5e0e43d883f5e8aa81badfd7b5bde241e735fa98273e5339a39baae6

Download Submit
C:\Windows\SysWOW64\Iooigo32.exe

Filesize
96KB

MD5
41099e2fe7694a34e7d078c2fd4348a4

SHA1
053de51edc14c15316838e11c0c4f12f147d955b

SHA256
5ecd3e901722fb2a7186e5151202277b54141fad13aa2db5300c8ca5e9053d14

SHA512
61fc9adde828fd7cb317d33e4ae5d32266366e14128ff55ce8057c570e8e8c03e868612cc9075aaaf6ed261e9f0b4cb3fc1afba6bc78b1597b576201b6edca58

Download Submit
C:\Windows\SysWOW64\Iooigo32.exe

Filesize
96KB

MD5
41099e2fe7694a34e7d078c2fd4348a4

SHA1
053de51edc14c15316838e11c0c4f12f147d955b

SHA256
5ecd3e901722fb2a7186e5151202277b54141fad13aa2db5300c8ca5e9053d14

SHA512
61fc9adde828fd7cb317d33e4ae5d32266366e14128ff55ce8057c570e8e8c03e868612cc9075aaaf6ed261e9f0b4cb3fc1afba6bc78b1597b576201b6edca58

Download Submit
C:\Windows\SysWOW64\Jbgoik32.exe

Filesize
96KB

MD5
76f89f967f8c58f54d9821d78ddfbe2d

SHA1
24ad58e4ca608d646c9526151cf1f62d51ac5f5d

SHA256
fd1b30a28d95a482626d9f0c38c6258a2c82b224e5063f09f350bb134d6068b0

SHA512
534e5c741f10824d9b8ec416422e94e0e7cf825f0bcee4b1894ef57835e596a24fe65c0fea07c280f0f68f3e02e63917e7baca18b5c17253ff5e672ff4b8eb67

Download Submit
C:\Windows\SysWOW64\Jbgoik32.exe

Filesize
96KB

MD5
76f89f967f8c58f54d9821d78ddfbe2d

SHA1
24ad58e4ca608d646c9526151cf1f62d51ac5f5d

SHA256
fd1b30a28d95a482626d9f0c38c6258a2c82b224e5063f09f350bb134d6068b0

SHA512
534e5c741f10824d9b8ec416422e94e0e7cf825f0bcee4b1894ef57835e596a24fe65c0fea07c280f0f68f3e02e63917e7baca18b5c17253ff5e672ff4b8eb67

Download Submit
C:\Windows\SysWOW64\Jdjijl32.dll

Filesize
7KB

MD5
5eae6f1516a257404b5cc95b38bb41f3

SHA1
45b00ce0558ace3ad0ace28057821e193864d182

SHA256
47960c03121bdf3b472ee64f9be1daa2c937cdea2436a596d33ea78316bcce55

SHA512
e359044f3ec995bc4ad9944f00535605865cb6a4f4134c87d8a05290bba04d1b89ef94b098ff039a0581bdecbe0ed156d4cb6ff7f099230b581585a26b488a46

Download Submit
C:\Windows\SysWOW64\Kbkdgj32.exe

Filesize
96KB

MD5
4a28896024e23481302dfbeecf3f5bd2

SHA1
190b3179cabe213fbb9765776c88095a60a9ce13

SHA256
47e13fb34edb5d9c24e5932a15ad489fb34cc2360ae155842a2803c9f658f477

SHA512
a2a2a361a2cb38ef44939a06f3125cf043683ffeb377eed77bf584e301cc338dbeb2f7c1cb57381f0d28f268a4351d15dd6463e6001936c49903a61d29c20ac4

Download Submit
C:\Windows\SysWOW64\Kbkdgj32.exe

Filesize
96KB

MD5
4a28896024e23481302dfbeecf3f5bd2

SHA1
190b3179cabe213fbb9765776c88095a60a9ce13

SHA256
47e13fb34edb5d9c24e5932a15ad489fb34cc2360ae155842a2803c9f658f477

SHA512
a2a2a361a2cb38ef44939a06f3125cf043683ffeb377eed77bf584e301cc338dbeb2f7c1cb57381f0d28f268a4351d15dd6463e6001936c49903a61d29c20ac4

Download Submit
C:\Windows\SysWOW64\Kflnjldl.exe

Filesize
96KB

MD5
94e72d685215d69b5911d9fbefb4950b

SHA1
1f481ed792aa5bd7ac205d7642430716a1ea2d46

SHA256
e1e8207885e360969d2bc70b1b6272d5cb91a999b62c5271e39a958cb1a7cdec

SHA512
0d060c26065969b1fd061d29926b59259cc56fc481386564376bd4d96eb9e5b0f709526ed9fe4362825f9cbae97887b7c4a6a3f2914c35a6e455e07b8472c363

Download Submit
C:\Windows\SysWOW64\Kflnjldl.exe

Filesize
96KB

MD5
94e72d685215d69b5911d9fbefb4950b

SHA1
1f481ed792aa5bd7ac205d7642430716a1ea2d46

SHA256
e1e8207885e360969d2bc70b1b6272d5cb91a999b62c5271e39a958cb1a7cdec

SHA512
0d060c26065969b1fd061d29926b59259cc56fc481386564376bd4d96eb9e5b0f709526ed9fe4362825f9cbae97887b7c4a6a3f2914c35a6e455e07b8472c363

Download Submit
C:\Windows\SysWOW64\Kflnjldl.exe

Filesize
96KB

MD5
94e72d685215d69b5911d9fbefb4950b

SHA1
1f481ed792aa5bd7ac205d7642430716a1ea2d46

SHA256
e1e8207885e360969d2bc70b1b6272d5cb91a999b62c5271e39a958cb1a7cdec

SHA512
0d060c26065969b1fd061d29926b59259cc56fc481386564376bd4d96eb9e5b0f709526ed9fe4362825f9cbae97887b7c4a6a3f2914c35a6e455e07b8472c363

Download Submit
C:\Windows\SysWOW64\Kggmgb32.exe

Filesize
96KB

MD5
13c957dcf583cb2c51c99985fc91d5e1

SHA1
7be81df99ee27bb822251c300ca49097053b944a

SHA256
734caf27760149ddd9e22a25bdb195c7d2edb18cef4719a6b7a658ab1427b29f

SHA512
edda5116d588c4478bfe1f80d1bb46a1bc3ebcf6b09a65754f2bcb4a80cba196540df47a76caf2cabdbd024120924230cdb4248af1c8c46c3bdeeba9937e279e

Download Submit
C:\Windows\SysWOW64\Kggmgb32.exe

Filesize
96KB

MD5
13c957dcf583cb2c51c99985fc91d5e1

SHA1
7be81df99ee27bb822251c300ca49097053b944a

SHA256
734caf27760149ddd9e22a25bdb195c7d2edb18cef4719a6b7a658ab1427b29f

SHA512
edda5116d588c4478bfe1f80d1bb46a1bc3ebcf6b09a65754f2bcb4a80cba196540df47a76caf2cabdbd024120924230cdb4248af1c8c46c3bdeeba9937e279e

Download Submit
C:\Windows\SysWOW64\Kkaljpmd.exe

Filesize
96KB

MD5
bfe6342546cc72465aa0b0c4fcc0ea8f

SHA1
fe2bc8267a15a7d6d74009d07bd32cc006b47fd9

SHA256
1716b4258b5f50ae737d313599d530adb0bfe4345b782bf5656202523dce64a0

SHA512
82e3cb864092f5e83440f019758578a432f423b550fdb13e63dbb28e9f3c6072713742f0088e1169f8ad6439e1be7d9410a952c1af1bf9ef0885491b9260df77

Download Submit
C:\Windows\SysWOW64\Kkaljpmd.exe

Filesize
96KB

MD5
bfe6342546cc72465aa0b0c4fcc0ea8f

SHA1
fe2bc8267a15a7d6d74009d07bd32cc006b47fd9

SHA256
1716b4258b5f50ae737d313599d530adb0bfe4345b782bf5656202523dce64a0

SHA512
82e3cb864092f5e83440f019758578a432f423b550fdb13e63dbb28e9f3c6072713742f0088e1169f8ad6439e1be7d9410a952c1af1bf9ef0885491b9260df77

Download Submit
C:\Windows\SysWOW64\Knmkak32.exe

Filesize
96KB

MD5
88f0ea37ee2bcb4818a826e7de6345b4

SHA1
47082e6d0443a2bc8a3aa9a86df47945215813ac

SHA256
04ceac7b65bf52e3b2853f3762d6ea492d44ba50ae86b0eb866acb9264e15fd4

SHA512
ebd85aa526e82e853503fc6f573f88d3719fc12554a42d926ec8ffa2bd407a2b13e2bfa213b5b97800adae05e97ee708efe482bc5a2438b684373dc9072e7808

Download Submit
C:\Windows\SysWOW64\Knmkak32.exe

Filesize
96KB

MD5
88f0ea37ee2bcb4818a826e7de6345b4

SHA1
47082e6d0443a2bc8a3aa9a86df47945215813ac

SHA256
04ceac7b65bf52e3b2853f3762d6ea492d44ba50ae86b0eb866acb9264e15fd4

SHA512
ebd85aa526e82e853503fc6f573f88d3719fc12554a42d926ec8ffa2bd407a2b13e2bfa213b5b97800adae05e97ee708efe482bc5a2438b684373dc9072e7808

Download Submit
C:\Windows\SysWOW64\Lbgcch32.exe

Filesize
96KB

MD5
e23e7f64a1c4e84a1be172648739db43

SHA1
3e33f40c7de3170357c8883cffe0ed2bf1c253b8

SHA256
ebee0f588f8b173e86492a1bcc7ce73149a27cf3fa6c26a1a1dbc1c651904734

SHA512
00592540e83425d2b80e311e2f01adb5fe1bf98398ef450dcaa993832a3f754bc30b9a56a3424a3f17dca8bccaf547d35d68d2a94a42d94f44a2293c2c561f0c

Download Submit
C:\Windows\SysWOW64\Lbgcch32.exe

Filesize
96KB

MD5
e23e7f64a1c4e84a1be172648739db43

SHA1
3e33f40c7de3170357c8883cffe0ed2bf1c253b8

SHA256
ebee0f588f8b173e86492a1bcc7ce73149a27cf3fa6c26a1a1dbc1c651904734

SHA512
00592540e83425d2b80e311e2f01adb5fe1bf98398ef450dcaa993832a3f754bc30b9a56a3424a3f17dca8bccaf547d35d68d2a94a42d94f44a2293c2c561f0c

Download Submit
C:\Windows\SysWOW64\Lhelddln.exe

Filesize
96KB

MD5
6b08552a88b30c9b330921c30238c4be

SHA1
a13d1a778bd6b22e9c8cf42b385ebdfe146f54eb

SHA256
55d399f12204d1635c776fd414a15cf6bc2815b9572926e37293a2a84bff90b6

SHA512
c444bc969e546aca9ff25b8eca2364c4e31bf477c3a06b7f5387090997b7796efb5594db57724da8e3c03136c9e1b0e3f3ea0469497443bac433244fb9d4da4e

Download Submit
C:\Windows\SysWOW64\Lhelddln.exe

Filesize
96KB

MD5
6b08552a88b30c9b330921c30238c4be

SHA1
a13d1a778bd6b22e9c8cf42b385ebdfe146f54eb

SHA256
55d399f12204d1635c776fd414a15cf6bc2815b9572926e37293a2a84bff90b6

SHA512
c444bc969e546aca9ff25b8eca2364c4e31bf477c3a06b7f5387090997b7796efb5594db57724da8e3c03136c9e1b0e3f3ea0469497443bac433244fb9d4da4e

Download Submit
C:\Windows\SysWOW64\Ljmmnf32.exe

Filesize
96KB

MD5
7264f7982da09d7f5ba0cd676c8efdb0

SHA1
05136cc52bd57014ab2369c65c4e9fba323c0d4e

SHA256
79841d1402a6fbf2795b21d6bfd08e91a9dd23f2ebda277b4c4c7f80542e6345

SHA512
39c44e516ece68038416c4b3c589e791d43b1b915fbcf9b432c29d863ecc5b26e271b518c2cc32f5c52b42fc6ff3558e6d23ceedb80b95a3d9dcea99c7ef9c2d

Download Submit
C:\Windows\SysWOW64\Ljmmnf32.exe

Filesize
96KB

MD5
8d18123c89b58c2116bc7b79e839da36

SHA1
c06305057b95ba7be60c5584a48a7757d959701b

SHA256
489d57d92cd6ac5c864a4f1f5f28d5d5b291d33654e24cb7fde5a5d244dbd2b3

SHA512
46ab938892ba5735f36f30b5640b833cf615c2779b112a378f121ff6a901e621574425b20734608064749ee4ebe2a19e10eb019ed4e53468eded6a01436bd0bb

Download Submit
C:\Windows\SysWOW64\Ljmmnf32.exe

Filesize
96KB

MD5
8d18123c89b58c2116bc7b79e839da36

SHA1
c06305057b95ba7be60c5584a48a7757d959701b

SHA256
489d57d92cd6ac5c864a4f1f5f28d5d5b291d33654e24cb7fde5a5d244dbd2b3

SHA512
46ab938892ba5735f36f30b5640b833cf615c2779b112a378f121ff6a901e621574425b20734608064749ee4ebe2a19e10eb019ed4e53468eded6a01436bd0bb

Download Submit
C:\Windows\SysWOW64\Lnadkmhj.exe

Filesize
96KB

MD5
4849df942d370ab6a00698c0edfdf86c

SHA1
645fe808c9d4cb62b21ab38e09d3c2fada4a337a

SHA256
6137d2378f965214dbefaf580a981a6cc56d6f42cbbd9cb0a72e788a49007912

SHA512
5efa6af7810c40df7e3a5e12fa8c72f229768077ad0920c6a660e048e0b7b649dfded08da3942d611ce8baa00ef8393fe654d88aa6fbc4cd3fad333bbc9abdfa

Download Submit
C:\Windows\SysWOW64\Lnadkmhj.exe

Filesize
96KB

MD5
4849df942d370ab6a00698c0edfdf86c

SHA1
645fe808c9d4cb62b21ab38e09d3c2fada4a337a

SHA256
6137d2378f965214dbefaf580a981a6cc56d6f42cbbd9cb0a72e788a49007912

SHA512
5efa6af7810c40df7e3a5e12fa8c72f229768077ad0920c6a660e048e0b7b649dfded08da3942d611ce8baa00ef8393fe654d88aa6fbc4cd3fad333bbc9abdfa

Download Submit
C:\Windows\SysWOW64\Lokdgpqe.exe

Filesize
96KB

MD5
c412be26020e4a1bbaccce6190a1d150

SHA1
f9f319748b940fb92c2aad56f664b431c96a63b9

SHA256
6929b2bbc3ed2e0bd894a19036ed2c04b74022cc30a1a137584db3acdfe103d3

SHA512
bd26410f859e5c74f5b0c32c532df5eb0c69346dd3338f83e8061d8b69a0be3caadd983c499bcd4ef76e964ff43a3a6f049fa127a4b937f9d78a9bf02b3cd592

Download Submit
C:\Windows\SysWOW64\Lokdgpqe.exe

Filesize
96KB

MD5
c412be26020e4a1bbaccce6190a1d150

SHA1
f9f319748b940fb92c2aad56f664b431c96a63b9

SHA256
6929b2bbc3ed2e0bd894a19036ed2c04b74022cc30a1a137584db3acdfe103d3

SHA512
bd26410f859e5c74f5b0c32c532df5eb0c69346dd3338f83e8061d8b69a0be3caadd983c499bcd4ef76e964ff43a3a6f049fa127a4b937f9d78a9bf02b3cd592

Download Submit
C:\Windows\SysWOW64\Mabnlh32.exe

Filesize
96KB

MD5
420ddb1f931296e5a7f2cb5433989ea4

SHA1
66fbae23f72c946dbfbb9797533e3fbc8faaec21

SHA256
4b159e52038b47929028a2d82a07684d0454e71274a02b0a9a4de939fc27270b

SHA512
321f0adc0abbb3fed0206ce20dd9d132113ff2271026ae4fd9ea8b9372ca76b598d340059fb5d2fbc054aa4957de4ec4243fbcc1f5a3a6c72dd9dd395c7deaec

Download Submit
C:\Windows\SysWOW64\Mabnlh32.exe

Filesize
96KB

MD5
420ddb1f931296e5a7f2cb5433989ea4

SHA1
66fbae23f72c946dbfbb9797533e3fbc8faaec21

SHA256
4b159e52038b47929028a2d82a07684d0454e71274a02b0a9a4de939fc27270b

SHA512
321f0adc0abbb3fed0206ce20dd9d132113ff2271026ae4fd9ea8b9372ca76b598d340059fb5d2fbc054aa4957de4ec4243fbcc1f5a3a6c72dd9dd395c7deaec

Download Submit
C:\Windows\SysWOW64\Mcnmccfa.exe

Filesize
96KB

MD5
402ed3df4dd560442d992cbcb942c8c3

SHA1
ff39a96592fb24de9f006ab6932f154345a5265b

SHA256
a0e4d31e4aae8b73a47f8ca71a435c28cb2b0e86eb3b361523d314194ac626f0

SHA512
f7eb3606301f11b3277093e226df98184208a812e43f0129f13c63b5a4725dc8b51213624a53d4ce73ed399a344fb9afce988e3c9752a71e331a3f83b07da442

Download Submit
C:\Windows\SysWOW64\Mcnmccfa.exe

Filesize
96KB

MD5
402ed3df4dd560442d992cbcb942c8c3

SHA1
ff39a96592fb24de9f006ab6932f154345a5265b

SHA256
a0e4d31e4aae8b73a47f8ca71a435c28cb2b0e86eb3b361523d314194ac626f0

SHA512
f7eb3606301f11b3277093e226df98184208a812e43f0129f13c63b5a4725dc8b51213624a53d4ce73ed399a344fb9afce988e3c9752a71e331a3f83b07da442

Download Submit
C:\Windows\SysWOW64\Ndnlda32.exe

Filesize
96KB

MD5
6fb587c53b70b5e95d9e8e4f48af020f

SHA1
125d277051e6f7ae73e1f0ce12642991dcc072a8

SHA256
f9510cfec4327114a641af0286befc176b4d640afda75840b30ef3424819ccb6

SHA512
d9feaaf6545063a48d76c8624068c39991bfe4f6762479ab1d9b9a439e27112210cb8892d20eb112523656d90aa83baab1b63637addfa1666a9c4859f9b922c7

Download Submit
C:\Windows\SysWOW64\Ndnlda32.exe

Filesize
96KB

MD5
6fb587c53b70b5e95d9e8e4f48af020f

SHA1
125d277051e6f7ae73e1f0ce12642991dcc072a8

SHA256
f9510cfec4327114a641af0286befc176b4d640afda75840b30ef3424819ccb6

SHA512
d9feaaf6545063a48d76c8624068c39991bfe4f6762479ab1d9b9a439e27112210cb8892d20eb112523656d90aa83baab1b63637addfa1666a9c4859f9b922c7

Download Submit
C:\Windows\SysWOW64\Necljgcd.exe

Filesize
96KB

MD5
80e16d6f73fa1d661ab8e48edfdfce5c

SHA1
c35e0dec976d5630aacc5683c317a2a5d00e274a

SHA256
f9539ec8c6c15773d6797cc41d418b6f6391b686f0aa9460a55c325bf1c9441d

SHA512
7a3592c2e8707d5aa99aa0409ee7c9b093669c27314196f0576ae5cd7af0ce5242e2d8691e5be094aab093c371953035352308f678b59edd4a9749f9dc5802ab

Download Submit
C:\Windows\SysWOW64\Necljgcd.exe

Filesize
96KB

MD5
80e16d6f73fa1d661ab8e48edfdfce5c

SHA1
c35e0dec976d5630aacc5683c317a2a5d00e274a

SHA256
f9539ec8c6c15773d6797cc41d418b6f6391b686f0aa9460a55c325bf1c9441d

SHA512
7a3592c2e8707d5aa99aa0409ee7c9b093669c27314196f0576ae5cd7af0ce5242e2d8691e5be094aab093c371953035352308f678b59edd4a9749f9dc5802ab

Download Submit
C:\Windows\SysWOW64\Noaclkef.exe

Filesize
96KB

MD5
49b8911c8a646b05377994257a955fcf

SHA1
43e02cd71b0be17f6a4df48309c1c64e51d123ec

SHA256
7af67e8003d2ae413742ec66951e78d25a2738818432f3f0ed80baff8011852a

SHA512
53afb2a788025b561dd382a369778e940d57479e61328d4889ed46116cf85ac8a4b08b8a611df8fd9edbdafcfea5f8a1c39cebe2354e0e5f5e9ddf1b9bd4fd7e

Download Submit
C:\Windows\SysWOW64\Noaclkef.exe

Filesize
96KB

MD5
49b8911c8a646b05377994257a955fcf

SHA1
43e02cd71b0be17f6a4df48309c1c64e51d123ec

SHA256
7af67e8003d2ae413742ec66951e78d25a2738818432f3f0ed80baff8011852a

SHA512
53afb2a788025b561dd382a369778e940d57479e61328d4889ed46116cf85ac8a4b08b8a611df8fd9edbdafcfea5f8a1c39cebe2354e0e5f5e9ddf1b9bd4fd7e

Download Submit
C:\Windows\SysWOW64\Nocpaj32.exe

Filesize
96KB

MD5
9406caeff7d9de2e785be1d084a32010

SHA1
c4a55856104ac89a0d6782b8e3d8c9827519df6d

SHA256
4829c1705a9b349cf34ab6fe3225bc4680f2064ffba9358ed258b7a5f2d8b143

SHA512
12afa8c47c24284432518aff903d89a08523d3616481110842b73d1f24c7af77d4829933ba0a12cdbdd01ea63cbca1e7402bb83ddb9bc8d0576d3b5ce5eb765f

Download Submit
C:\Windows\SysWOW64\Nocpaj32.exe

Filesize
96KB

MD5
9406caeff7d9de2e785be1d084a32010

SHA1
c4a55856104ac89a0d6782b8e3d8c9827519df6d

SHA256
4829c1705a9b349cf34ab6fe3225bc4680f2064ffba9358ed258b7a5f2d8b143

SHA512
12afa8c47c24284432518aff903d89a08523d3616481110842b73d1f24c7af77d4829933ba0a12cdbdd01ea63cbca1e7402bb83ddb9bc8d0576d3b5ce5eb765f

Download Submit
C:\Windows\SysWOW64\Phmnpf32.exe

Filesize
96KB

MD5
d20b4d50b86e30d5f69b2e9fa7fc5328

SHA1
8633e4b1486f3a48904568cde61400ad3f634589

SHA256
058eab2147734b3680f59ed978edd674c7f0baf28fb8e342ff57c42f2de4afb1

SHA512
8be0fa870bd34c6540db2d672eac947248a341a00dd86a0e0a08b8d58adfb99bf5a8701b2e52556f8442ef64d716a31b283e1ac41f797c111a8ab4dd25ad76e6

Download Submit
C:\Windows\SysWOW64\Phmnpf32.exe

Filesize
96KB

MD5
d20b4d50b86e30d5f69b2e9fa7fc5328

SHA1
8633e4b1486f3a48904568cde61400ad3f634589

SHA256
058eab2147734b3680f59ed978edd674c7f0baf28fb8e342ff57c42f2de4afb1

SHA512
8be0fa870bd34c6540db2d672eac947248a341a00dd86a0e0a08b8d58adfb99bf5a8701b2e52556f8442ef64d716a31b283e1ac41f797c111a8ab4dd25ad76e6

Download Submit
C:\Windows\SysWOW64\Plagmh32.exe

Filesize
96KB

MD5
9caf78ed101d4929b3f7535cf03f79dc

SHA1
23af24b37ac476d265aa119112c6cb45e28aff17

SHA256
d8107d21c40ce57b8838aa3bb166f22007b2bcbd7cee4fdf265a84ef4653bc51

SHA512
2013a2d705927f58608ce854282ffad5d18106c8c492d6e77211e871471503b7ea0cca755e0ee328595328aad52c45e05620ba806f78293cd9607e161e2f4b47

Download Submit
C:\Windows\SysWOW64\Plagmh32.exe

Filesize
96KB

MD5
9caf78ed101d4929b3f7535cf03f79dc

SHA1
23af24b37ac476d265aa119112c6cb45e28aff17

SHA256
d8107d21c40ce57b8838aa3bb166f22007b2bcbd7cee4fdf265a84ef4653bc51

SHA512
2013a2d705927f58608ce854282ffad5d18106c8c492d6e77211e871471503b7ea0cca755e0ee328595328aad52c45e05620ba806f78293cd9607e161e2f4b47

Download Submit
memory/312-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/312-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/460-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/460-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/708-156-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1072-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1072-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1176-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1176-76-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1412-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1412-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1644-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1644-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2292-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2292-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2860-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2860-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2952-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2952-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3508-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3508-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3520-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3520-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3560-230-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3800-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3824-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4104-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4104-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4504-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4504-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-93-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads