4dd1893546e88976c9b76daa4c3886fbb508b538630fb7d9b754cdc4be01ff16

Analysis

max time kernel
139s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2023, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.dea53bae1e41da355b0c1e97578115d1.exe
Size

87KB
MD5

dea53bae1e41da355b0c1e97578115d1
SHA1

55177346d4bc34a80cda63806c6ed75dee261874
SHA256

4dd1893546e88976c9b76daa4c3886fbb508b538630fb7d9b754cdc4be01ff16
SHA512

a4d0404d60e781ad000c398f59809d93e7c36209651b9cd72caf77fbcc80d5787ce07a73f966f7736f08d2d602944354db35439bead9617f8c21a00c64483c0f
SSDEEP

1536:KLVf8/RRTlZgMi33nvfCU01MyCZyUiHqA4mZftxRQ4gRSRBDNrR0RVe7R6R8RPDA:KVf8JplZgMivfm1MJZ4R4mZftxeZAnDG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.dea53bae1e41da355b0c1e97578115d1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Palklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.dea53bae1e41da355b0c1e97578115d1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qaqegecm.exe

Executes dropped EXE 30 IoCs

pid	Process
3020	Phcgcqab.exe
3008	Palklf32.exe
2632	Pfiddm32.exe
3536	Qhhpop32.exe
4232	Qaqegecm.exe
3012	Qhjmdp32.exe
5116	Qmgelf32.exe
3296	Afpjel32.exe
4812	Aphnnafb.exe
2268	Aoioli32.exe
3756	Aokkahlo.exe
4860	Aggpfkjj.exe
2876	Apodoq32.exe
4188	Aaoaic32.exe
3988	Baannc32.exe
4500	Bhkfkmmg.exe
216	Bpfkpp32.exe
3816	Bogkmgba.exe
4032	Bddcenpi.exe
1432	Bnlhncgi.exe
2504	Bgelgi32.exe
1356	Cpmapodj.exe
3548	Coqncejg.exe
2752	Cpbjkn32.exe
4792	Cnfkdb32.exe
964	Cgnomg32.exe
3992	Cogddd32.exe
368	Dddllkbf.exe
1524	Dnmaea32.exe
3888	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pfiddm32.exe	Palklf32.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qmgelf32.exe
File created	C:\Windows\SysWOW64\Ekbmje32.dll	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Phlepppi.dll	Apodoq32.exe
File opened for modification	C:\Windows\SysWOW64\Bhkfkmmg.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Bpfkpp32.exe	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Jgddkelm.dll	Bnlhncgi.exe
File opened for modification	C:\Windows\SysWOW64\Coqncejg.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Hiebgmkm.dll	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Aphnnafb.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Bhkfkmmg.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Bddcenpi.exe	Bogkmgba.exe
File opened for modification	C:\Windows\SysWOW64\Bnlhncgi.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgnomg32.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Apodoq32.exe	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Aaoaic32.exe	Apodoq32.exe
File opened for modification	C:\Windows\SysWOW64\Aaoaic32.exe	Apodoq32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfkpp32.exe	Bhkfkmmg.exe
File opened for modification	C:\Windows\SysWOW64\Cpmapodj.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Qhhpop32.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Fbjieo32.dll	Baannc32.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Cpmapodj.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Kmephjke.dll	NEAS.dea53bae1e41da355b0c1e97578115d1.exe
File opened for modification	C:\Windows\SysWOW64\Palklf32.exe	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Fmbgla32.dll	Afpjel32.exe
File created	C:\Windows\SysWOW64\Opjghl32.dll	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	Coqncejg.exe
File created	C:\Windows\SysWOW64\Cnfkdb32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Qaqegecm.exe	Qhhpop32.exe
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Qhhpop32.exe
File opened for modification	C:\Windows\SysWOW64\Qhjmdp32.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Qhjmdp32.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Phcgcqab.exe	NEAS.dea53bae1e41da355b0c1e97578115d1.exe
File created	C:\Windows\SysWOW64\Palklf32.exe	Phcgcqab.exe
File opened for modification	C:\Windows\SysWOW64\Qhhpop32.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Mkfefigf.dll	Qhhpop32.exe
File opened for modification	C:\Windows\SysWOW64\Apodoq32.exe	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Qmgelf32.exe	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Aggpfkjj.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Hbobifpp.dll	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Cgnomg32.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Qmgelf32.exe	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Ampillfk.dll	Bhkfkmmg.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Igafkb32.dll	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Eehmok32.dll	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Aoioli32.exe
File opened for modification	C:\Windows\SysWOW64\Baannc32.exe	Aaoaic32.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	Coqncejg.exe
File created	C:\Windows\SysWOW64\Idaiki32.dll	Palklf32.exe
File opened for modification	C:\Windows\SysWOW64\Aggpfkjj.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Coqncejg.exe	Cpmapodj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4252	3888	WerFault.exe	113

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aoioli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll"	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.dea53bae1e41da355b0c1e97578115d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndikch32.dll"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicbhla.dll"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmok32.dll"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll"	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.dea53bae1e41da355b0c1e97578115d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjamidgd.dll"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampillfk.dll"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll"	Baannc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.dea53bae1e41da355b0c1e97578115d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjghl32.dll"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.dea53bae1e41da355b0c1e97578115d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.dea53bae1e41da355b0c1e97578115d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll"	Palklf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 3020	4100	NEAS.dea53bae1e41da355b0c1e97578115d1.exe	84
PID 4100 wrote to memory of 3020	4100	NEAS.dea53bae1e41da355b0c1e97578115d1.exe	84
PID 4100 wrote to memory of 3020	4100	NEAS.dea53bae1e41da355b0c1e97578115d1.exe	84
PID 3020 wrote to memory of 3008	3020	Phcgcqab.exe	85
PID 3020 wrote to memory of 3008	3020	Phcgcqab.exe	85
PID 3020 wrote to memory of 3008	3020	Phcgcqab.exe	85
PID 3008 wrote to memory of 2632	3008	Palklf32.exe	86
PID 3008 wrote to memory of 2632	3008	Palklf32.exe	86
PID 3008 wrote to memory of 2632	3008	Palklf32.exe	86
PID 2632 wrote to memory of 3536	2632	Pfiddm32.exe	87
PID 2632 wrote to memory of 3536	2632	Pfiddm32.exe	87
PID 2632 wrote to memory of 3536	2632	Pfiddm32.exe	87
PID 3536 wrote to memory of 4232	3536	Qhhpop32.exe	88
PID 3536 wrote to memory of 4232	3536	Qhhpop32.exe	88
PID 3536 wrote to memory of 4232	3536	Qhhpop32.exe	88
PID 4232 wrote to memory of 3012	4232	Qaqegecm.exe	89
PID 4232 wrote to memory of 3012	4232	Qaqegecm.exe	89
PID 4232 wrote to memory of 3012	4232	Qaqegecm.exe	89
PID 3012 wrote to memory of 5116	3012	Qhjmdp32.exe	90
PID 3012 wrote to memory of 5116	3012	Qhjmdp32.exe	90
PID 3012 wrote to memory of 5116	3012	Qhjmdp32.exe	90
PID 5116 wrote to memory of 3296	5116	Qmgelf32.exe	91
PID 5116 wrote to memory of 3296	5116	Qmgelf32.exe	91
PID 5116 wrote to memory of 3296	5116	Qmgelf32.exe	91
PID 3296 wrote to memory of 4812	3296	Afpjel32.exe	92
PID 3296 wrote to memory of 4812	3296	Afpjel32.exe	92
PID 3296 wrote to memory of 4812	3296	Afpjel32.exe	92
PID 4812 wrote to memory of 2268	4812	Aphnnafb.exe	93
PID 4812 wrote to memory of 2268	4812	Aphnnafb.exe	93
PID 4812 wrote to memory of 2268	4812	Aphnnafb.exe	93
PID 2268 wrote to memory of 3756	2268	Aoioli32.exe	94
PID 2268 wrote to memory of 3756	2268	Aoioli32.exe	94
PID 2268 wrote to memory of 3756	2268	Aoioli32.exe	94
PID 3756 wrote to memory of 4860	3756	Aokkahlo.exe	95
PID 3756 wrote to memory of 4860	3756	Aokkahlo.exe	95
PID 3756 wrote to memory of 4860	3756	Aokkahlo.exe	95
PID 4860 wrote to memory of 2876	4860	Aggpfkjj.exe	96
PID 4860 wrote to memory of 2876	4860	Aggpfkjj.exe	96
PID 4860 wrote to memory of 2876	4860	Aggpfkjj.exe	96
PID 2876 wrote to memory of 4188	2876	Apodoq32.exe	97
PID 2876 wrote to memory of 4188	2876	Apodoq32.exe	97
PID 2876 wrote to memory of 4188	2876	Apodoq32.exe	97
PID 4188 wrote to memory of 3988	4188	Aaoaic32.exe	98
PID 4188 wrote to memory of 3988	4188	Aaoaic32.exe	98
PID 4188 wrote to memory of 3988	4188	Aaoaic32.exe	98
PID 3988 wrote to memory of 4500	3988	Baannc32.exe	99
PID 3988 wrote to memory of 4500	3988	Baannc32.exe	99
PID 3988 wrote to memory of 4500	3988	Baannc32.exe	99
PID 4500 wrote to memory of 216	4500	Bhkfkmmg.exe	100
PID 4500 wrote to memory of 216	4500	Bhkfkmmg.exe	100
PID 4500 wrote to memory of 216	4500	Bhkfkmmg.exe	100
PID 216 wrote to memory of 3816	216	Bpfkpp32.exe	101
PID 216 wrote to memory of 3816	216	Bpfkpp32.exe	101
PID 216 wrote to memory of 3816	216	Bpfkpp32.exe	101
PID 3816 wrote to memory of 4032	3816	Bogkmgba.exe	103
PID 3816 wrote to memory of 4032	3816	Bogkmgba.exe	103
PID 3816 wrote to memory of 4032	3816	Bogkmgba.exe	103
PID 4032 wrote to memory of 1432	4032	Bddcenpi.exe	102
PID 4032 wrote to memory of 1432	4032	Bddcenpi.exe	102
PID 4032 wrote to memory of 1432	4032	Bddcenpi.exe	102
PID 1432 wrote to memory of 2504	1432	Bnlhncgi.exe	104
PID 1432 wrote to memory of 2504	1432	Bnlhncgi.exe	104
PID 1432 wrote to memory of 2504	1432	Bnlhncgi.exe	104
PID 2504 wrote to memory of 1356	2504	Bgelgi32.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.dea53bae1e41da355b0c1e97578115d1.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.dea53bae1e41da355b0c1e97578115d1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\SysWOW64\Phcgcqab.exe
  C:\Windows\system32\Phcgcqab.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\Palklf32.exe
    C:\Windows\system32\Palklf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\Pfiddm32.exe
      C:\Windows\system32\Pfiddm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
      - C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032

C:\Windows\SysWOW64\Bnlhncgi.exe
C:\Windows\system32\Bnlhncgi.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\Bgelgi32.exe
  C:\Windows\system32\Bgelgi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\Cpmapodj.exe
    C:\Windows\system32\Cpmapodj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1356
  - - C:\Windows\SysWOW64\Coqncejg.exe
      C:\Windows\system32\Coqncejg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:3548
    - - C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
      - C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        11⤵
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 420
        12⤵
        Program crash
        
        PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3888 -ip 3888
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
87KB

MD5
aa9c12c4948f3246baf54df7bdf528cd

SHA1
ecd6489ad44291dfbe5b8a00f99c6d1e09c6e9f5

SHA256
0e31622da5014f8488781f30ecdf90343231dcce172c04bae17bf93a4ce1b0e9

SHA512
6ad8c13b7bfecaf04b56659c5f5db1aff7322e1e398fb5aab1433b67dfcf43d63dc1596c1367006e4d9bdc04924fdf4aa665421c36fb29709af0454ca16b5945

Download Submit
C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
87KB

MD5
aa9c12c4948f3246baf54df7bdf528cd

SHA1
ecd6489ad44291dfbe5b8a00f99c6d1e09c6e9f5

SHA256
0e31622da5014f8488781f30ecdf90343231dcce172c04bae17bf93a4ce1b0e9

SHA512
6ad8c13b7bfecaf04b56659c5f5db1aff7322e1e398fb5aab1433b67dfcf43d63dc1596c1367006e4d9bdc04924fdf4aa665421c36fb29709af0454ca16b5945

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
87KB

MD5
e06de07c4380a4ad74a50161b67f2650

SHA1
544fc46873237061a3d30f31c71b33da4f865d10

SHA256
5a67c9751e9e670b07e969a2044c8fcc5c294e13e0d031d3d3651b639a292a37

SHA512
3dbb32d4821075b9df6b670ade7c2a469c57fefc5dbe8e88fad7a19dbab4aefd534a505aae06e0b0904de97aff9aff1cf3461bc9d560d4f321650a2f73e83959

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
87KB

MD5
e06de07c4380a4ad74a50161b67f2650

SHA1
544fc46873237061a3d30f31c71b33da4f865d10

SHA256
5a67c9751e9e670b07e969a2044c8fcc5c294e13e0d031d3d3651b639a292a37

SHA512
3dbb32d4821075b9df6b670ade7c2a469c57fefc5dbe8e88fad7a19dbab4aefd534a505aae06e0b0904de97aff9aff1cf3461bc9d560d4f321650a2f73e83959

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
87KB

MD5
e06de07c4380a4ad74a50161b67f2650

SHA1
544fc46873237061a3d30f31c71b33da4f865d10

SHA256
5a67c9751e9e670b07e969a2044c8fcc5c294e13e0d031d3d3651b639a292a37

SHA512
3dbb32d4821075b9df6b670ade7c2a469c57fefc5dbe8e88fad7a19dbab4aefd534a505aae06e0b0904de97aff9aff1cf3461bc9d560d4f321650a2f73e83959

Download Submit
C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
87KB

MD5
3a0d641f4fc0ced6e258cbf89110b5b6

SHA1
d4fdd6efc19f4f5dc4161aa6af053ecfc0ee6f28

SHA256
c4433ca6a1c53d1a7618c4cdcafded68f3da13efc8d03638878b1573d616ae4c

SHA512
abcf074e661482a78c3383f726179af0ee71d8d21c49941fec1fc3054014e81bb734ba93b7fec9604c0cd53495eb601d08f8e085af5786808910197301974d2e

Download Submit
C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
87KB

MD5
3a0d641f4fc0ced6e258cbf89110b5b6

SHA1
d4fdd6efc19f4f5dc4161aa6af053ecfc0ee6f28

SHA256
c4433ca6a1c53d1a7618c4cdcafded68f3da13efc8d03638878b1573d616ae4c

SHA512
abcf074e661482a78c3383f726179af0ee71d8d21c49941fec1fc3054014e81bb734ba93b7fec9604c0cd53495eb601d08f8e085af5786808910197301974d2e

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
87KB

MD5
30cb1960c9505bb662108fd8fa2c58a6

SHA1
1a5a79784dc736205228ac9cbc4744efc10f8b5a

SHA256
9cb5ac6e3d374f0121807ba467e60be2454acec89b74022d22667686bfa993fb

SHA512
03b56552b0edbcf5a73d650685d4d2044ddb6df466683f7dc0b3eedb4b620caa19aed6304696de8ed4b3874f2a4aad4b87f96814dad1f0355354e47f46c73a04

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
87KB

MD5
30cb1960c9505bb662108fd8fa2c58a6

SHA1
1a5a79784dc736205228ac9cbc4744efc10f8b5a

SHA256
9cb5ac6e3d374f0121807ba467e60be2454acec89b74022d22667686bfa993fb

SHA512
03b56552b0edbcf5a73d650685d4d2044ddb6df466683f7dc0b3eedb4b620caa19aed6304696de8ed4b3874f2a4aad4b87f96814dad1f0355354e47f46c73a04

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
87KB

MD5
9f462d6d5bbf9c0ef1d5c3f88b671403

SHA1
f2f3586a4528556254c54efa0c2200fc3d6b7d73

SHA256
f4f8ab4736114b2f037d16fe6702bd6b84679c1779ddba9bd58c4c41c3c75891

SHA512
467f368e6ceedb191b8dc01cda0e8569a6cd487a16863d115013a4f504420cd4f2d0bf3ecb3116a8aaa7c34fa79da94be60c2af7874e103f442a4ef67ffd5672

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
87KB

MD5
9f462d6d5bbf9c0ef1d5c3f88b671403

SHA1
f2f3586a4528556254c54efa0c2200fc3d6b7d73

SHA256
f4f8ab4736114b2f037d16fe6702bd6b84679c1779ddba9bd58c4c41c3c75891

SHA512
467f368e6ceedb191b8dc01cda0e8569a6cd487a16863d115013a4f504420cd4f2d0bf3ecb3116a8aaa7c34fa79da94be60c2af7874e103f442a4ef67ffd5672

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
87KB

MD5
1fc25303005c32d697bccecaa5169220

SHA1
75123c68b94ef8bd2ae2ac3d7f4900cd81296424

SHA256
4b74e778564b0d63cf2c08094806bb05e8e0c00aff1a6b36a07abe7e204b6e3c

SHA512
407ccf45dfdc3e2d499515b6434897abadf9a88166a9df68a47f69fa17a86a6242a87c9a43e535f6cf42efe6a017fb37fdbb6dcac7b829f0ab7f1f98bf565eda

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
87KB

MD5
1fc25303005c32d697bccecaa5169220

SHA1
75123c68b94ef8bd2ae2ac3d7f4900cd81296424

SHA256
4b74e778564b0d63cf2c08094806bb05e8e0c00aff1a6b36a07abe7e204b6e3c

SHA512
407ccf45dfdc3e2d499515b6434897abadf9a88166a9df68a47f69fa17a86a6242a87c9a43e535f6cf42efe6a017fb37fdbb6dcac7b829f0ab7f1f98bf565eda

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
87KB

MD5
4371d17b547c6ccfa513fbb86206b500

SHA1
46301b7381f12deca9595baac166f61427bbab25

SHA256
944515d5cc26c5b8d8b5225e5c02e63368196193270d92fc417260c56be24f16

SHA512
05612a803c6a9c5af3866975e0d704f46baa295fbaee9ece532457211c67f5bb15e33cfd7ce3421e186af95fe7378b56ee197b9414726b6a57aaecea4eab4c67

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
87KB

MD5
4371d17b547c6ccfa513fbb86206b500

SHA1
46301b7381f12deca9595baac166f61427bbab25

SHA256
944515d5cc26c5b8d8b5225e5c02e63368196193270d92fc417260c56be24f16

SHA512
05612a803c6a9c5af3866975e0d704f46baa295fbaee9ece532457211c67f5bb15e33cfd7ce3421e186af95fe7378b56ee197b9414726b6a57aaecea4eab4c67

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
87KB

MD5
9fc3c1be5482bc9be14c71a181d88217

SHA1
35e39c58473727595f5d459c15d1377bea7cb258

SHA256
a53e712c149596535e3658251319b3be2084a1cbad2dc3c2f82c2705c5314af7

SHA512
8f663d3922bef0f877d217da53560824cf5f11e3ad0a2c30e2e39209791786a3cadf7c6414f303ae8e19752669afa4e4e552dd17f399d9bbde2020cb50226b42

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
87KB

MD5
9fc3c1be5482bc9be14c71a181d88217

SHA1
35e39c58473727595f5d459c15d1377bea7cb258

SHA256
a53e712c149596535e3658251319b3be2084a1cbad2dc3c2f82c2705c5314af7

SHA512
8f663d3922bef0f877d217da53560824cf5f11e3ad0a2c30e2e39209791786a3cadf7c6414f303ae8e19752669afa4e4e552dd17f399d9bbde2020cb50226b42

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
87KB

MD5
179cac39760f8b55bf084ca1772702ea

SHA1
6bafb5b5b4415202e76e2b9237eeaf198ab609d3

SHA256
602455b2f881d6843553367223c8ec82755a066cfba6225c50328c7d4993d3db

SHA512
875a1f9ca96c45e5f93f6af1431ae6c3a7f0f245c0e730800432db6314111f217669c503e2b0b7def1b46d0803c70bbcc129c97ae9ef61fce9721c14a0291ec5

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
87KB

MD5
179cac39760f8b55bf084ca1772702ea

SHA1
6bafb5b5b4415202e76e2b9237eeaf198ab609d3

SHA256
602455b2f881d6843553367223c8ec82755a066cfba6225c50328c7d4993d3db

SHA512
875a1f9ca96c45e5f93f6af1431ae6c3a7f0f245c0e730800432db6314111f217669c503e2b0b7def1b46d0803c70bbcc129c97ae9ef61fce9721c14a0291ec5

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
87KB

MD5
352f990390d2165981aa9b40a694bd08

SHA1
aec3d58d8b08c0d494a8fd5f41c243c26a0290ae

SHA256
be2818eabb6d601160810157636550702e3837482f53552c5e4ac0191e02cb1f

SHA512
34ddc54a701aba323361f2e46985256deaf1c58dd193e616b45421741213e7d8f682e53d57dced8bfb65f3b127d36b88093af609bd6d94dfa48add7699faef82

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
87KB

MD5
352f990390d2165981aa9b40a694bd08

SHA1
aec3d58d8b08c0d494a8fd5f41c243c26a0290ae

SHA256
be2818eabb6d601160810157636550702e3837482f53552c5e4ac0191e02cb1f

SHA512
34ddc54a701aba323361f2e46985256deaf1c58dd193e616b45421741213e7d8f682e53d57dced8bfb65f3b127d36b88093af609bd6d94dfa48add7699faef82

Download Submit
C:\Windows\SysWOW64\Bhkfkmmg.exe

Filesize
87KB

MD5
1fade7cf1301a1e8be33ecfa3e81faaf

SHA1
d97e347ee97e9c371a7697fbfc4483f7fe37fae3

SHA256
b028e1a2893a241d735880e9dc6e2896051410a63142d5d573d02556e3e351ce

SHA512
1a921a8d212189dc6585a1165b1cdb694dfe6ae0621e6d73ef36e7aeaee18687bec452d6ea7d1b4bc3e7a88cd5452c9130d4723df9120219dce0023c8dc22ba8

Download Submit
C:\Windows\SysWOW64\Bhkfkmmg.exe

Filesize
87KB

MD5
1fade7cf1301a1e8be33ecfa3e81faaf

SHA1
d97e347ee97e9c371a7697fbfc4483f7fe37fae3

SHA256
b028e1a2893a241d735880e9dc6e2896051410a63142d5d573d02556e3e351ce

SHA512
1a921a8d212189dc6585a1165b1cdb694dfe6ae0621e6d73ef36e7aeaee18687bec452d6ea7d1b4bc3e7a88cd5452c9130d4723df9120219dce0023c8dc22ba8

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
87KB

MD5
49340c80969ed5380c70f74bd5cb97e1

SHA1
c4b54dcba62ba01a9599d929e91f69cf29de86b8

SHA256
b32dd8651f0d47c24fddbe29f5df7ee6ec449dd987adee7c2578a4ded37e0693

SHA512
1b6137e722f58f75f81ddb4578c6c06c0f11e513a2a5ca24dbcf73abd3c1b0f95ac0fe73b81d99eac21ff2224eb9b3f54572e69ff763d0503b7bd3b842ae4a14

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
87KB

MD5
49340c80969ed5380c70f74bd5cb97e1

SHA1
c4b54dcba62ba01a9599d929e91f69cf29de86b8

SHA256
b32dd8651f0d47c24fddbe29f5df7ee6ec449dd987adee7c2578a4ded37e0693

SHA512
1b6137e722f58f75f81ddb4578c6c06c0f11e513a2a5ca24dbcf73abd3c1b0f95ac0fe73b81d99eac21ff2224eb9b3f54572e69ff763d0503b7bd3b842ae4a14

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
87KB

MD5
cdb1fd52bfb0e86ee53e63de0c00dafa

SHA1
7df3cbfff098528ee2cc08b06bb04a3a311dbc1e

SHA256
5997fd8dc9d7d3d2f0bb26b61764207e1531a0d9223e782cc5b9f91b0d8c08c5

SHA512
a615f03bc9cb37d8ea5b32b641aa6ea18e96e54a402a992053c058e985dc0baccbc6c10acdaedeef8959670e023b7604ebc5c6ac31ab945b93409f1169d00134

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
87KB

MD5
cdb1fd52bfb0e86ee53e63de0c00dafa

SHA1
7df3cbfff098528ee2cc08b06bb04a3a311dbc1e

SHA256
5997fd8dc9d7d3d2f0bb26b61764207e1531a0d9223e782cc5b9f91b0d8c08c5

SHA512
a615f03bc9cb37d8ea5b32b641aa6ea18e96e54a402a992053c058e985dc0baccbc6c10acdaedeef8959670e023b7604ebc5c6ac31ab945b93409f1169d00134

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
87KB

MD5
8fc046abda075ed4cac87d21f1bb3e11

SHA1
6589df99274a519527f209ce2b75b20775ea58e4

SHA256
1d47e15e1eb1c2d3174e008c2c8993fb8088096ac3b60976f28edefb181d1cb5

SHA512
4ad8c97fb74369db2dde6bbaea81af7f47e9d0edc087ba306563580259d799c23de990c3bf2391122b492b93db874bdd1c9c265dbc01131fd1acf6d97958d9a2

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
87KB

MD5
8fc046abda075ed4cac87d21f1bb3e11

SHA1
6589df99274a519527f209ce2b75b20775ea58e4

SHA256
1d47e15e1eb1c2d3174e008c2c8993fb8088096ac3b60976f28edefb181d1cb5

SHA512
4ad8c97fb74369db2dde6bbaea81af7f47e9d0edc087ba306563580259d799c23de990c3bf2391122b492b93db874bdd1c9c265dbc01131fd1acf6d97958d9a2

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
87KB

MD5
525fd2f7d2de73684c5011d596d41c55

SHA1
e1e98ef3bb4af96d48ba55d124dbd5fe98e4390b

SHA256
cb71b6424ace18c3857be9078206cfe6a6350e8ffb4bb8965ac7f85a46e4ffcf

SHA512
70e82585cf793b74ae62d586727152d4ed0258ca898bdf840a430e949ec22cec20f170ffe2f2064c566984bd0dddc0c023e56521b6c503d0e6df2502eb6c713f

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
87KB

MD5
525fd2f7d2de73684c5011d596d41c55

SHA1
e1e98ef3bb4af96d48ba55d124dbd5fe98e4390b

SHA256
cb71b6424ace18c3857be9078206cfe6a6350e8ffb4bb8965ac7f85a46e4ffcf

SHA512
70e82585cf793b74ae62d586727152d4ed0258ca898bdf840a430e949ec22cec20f170ffe2f2064c566984bd0dddc0c023e56521b6c503d0e6df2502eb6c713f

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
87KB

MD5
c6c4d9a7f903aa061cc8d8dacf30ca01

SHA1
b70f0697208ba92e4bac4159d6a63c4fa1dfc9a5

SHA256
ee400a5043fd3b158e4e1694294df60400190a42bccfe5cd501b15578e5fc7c5

SHA512
19cd121650beada56bc5476e309bea964474ca7904b6c1e2c991e448fc6b3880464e0d905d61908c2e5b55655791b57889a4afc8c00ec713ca7536c793dc4ce6

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
87KB

MD5
c6c4d9a7f903aa061cc8d8dacf30ca01

SHA1
b70f0697208ba92e4bac4159d6a63c4fa1dfc9a5

SHA256
ee400a5043fd3b158e4e1694294df60400190a42bccfe5cd501b15578e5fc7c5

SHA512
19cd121650beada56bc5476e309bea964474ca7904b6c1e2c991e448fc6b3880464e0d905d61908c2e5b55655791b57889a4afc8c00ec713ca7536c793dc4ce6

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
87KB

MD5
f9f18862928aadfcdabeb3c931f22319

SHA1
0f9d2b7c4543403627c3b734252bacd096e6962a

SHA256
e6ced0af90468f444bc8de78d023e6b81601759cbaa3230ac5cd57ab271ba541

SHA512
a0b28315564f376d5adf223af604b2c070478ef932502988a2fc8091048fb1d2c8ca0c4ee6b415e9e37b2b03284e754b23bc9d1028fef40812585e0cd85cdf5e

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
87KB

MD5
f9f18862928aadfcdabeb3c931f22319

SHA1
0f9d2b7c4543403627c3b734252bacd096e6962a

SHA256
e6ced0af90468f444bc8de78d023e6b81601759cbaa3230ac5cd57ab271ba541

SHA512
a0b28315564f376d5adf223af604b2c070478ef932502988a2fc8091048fb1d2c8ca0c4ee6b415e9e37b2b03284e754b23bc9d1028fef40812585e0cd85cdf5e

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
87KB

MD5
da05c1c706000e3af5c9b7497faf15ef

SHA1
40fe2acbff9d3ccac3384297bd251605e7b079cd

SHA256
7f49c62fb75b3ecf8c8c762ce3147f0099baef08718f65729b7664ad6c9e84d3

SHA512
6314e244492591db1d7526973bd9a9f2342c3b2eeea60a658b2c5db425be90079d6e124de4287091bc0fad329eff26edfa7749f635deac9817169d3cf61919b1

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
87KB

MD5
da05c1c706000e3af5c9b7497faf15ef

SHA1
40fe2acbff9d3ccac3384297bd251605e7b079cd

SHA256
7f49c62fb75b3ecf8c8c762ce3147f0099baef08718f65729b7664ad6c9e84d3

SHA512
6314e244492591db1d7526973bd9a9f2342c3b2eeea60a658b2c5db425be90079d6e124de4287091bc0fad329eff26edfa7749f635deac9817169d3cf61919b1

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
87KB

MD5
5179eaca65c3fd9f6acc024d98d6729b

SHA1
50ae1b010139c20ebdd4a0f0f3bad7a072ff5a9d

SHA256
4426fb9026a60c1697c7da7806fc0bd0d414582bfa3c59970f7792443e85aa9e

SHA512
3087945c3ed9ad5bbd283298d9c4a0e83fed9ceceda4c984c11d262f99e69e62d882cbc89a1ff1727a924c4e7973b5a2bdd4885d4b4f1102724025528d83f308

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
87KB

MD5
5179eaca65c3fd9f6acc024d98d6729b

SHA1
50ae1b010139c20ebdd4a0f0f3bad7a072ff5a9d

SHA256
4426fb9026a60c1697c7da7806fc0bd0d414582bfa3c59970f7792443e85aa9e

SHA512
3087945c3ed9ad5bbd283298d9c4a0e83fed9ceceda4c984c11d262f99e69e62d882cbc89a1ff1727a924c4e7973b5a2bdd4885d4b4f1102724025528d83f308

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
87KB

MD5
d5ad6dcb0d4424c31c3cef2c61fbd568

SHA1
439e95f0324fef7a24916e8329b5eb9941b08405

SHA256
1b3668de6b85a4543a9120e2465c745d01151d135eaf4c4bed9b1a83f6f5954c

SHA512
a8b85cfb359955966f7b1f369b4c5780158775003a889077692165ac7c3922096abd628f3523ac7476a4f60ed0a5458a7307a916c1b89e5d839c718eca29725f

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
87KB

MD5
d5ad6dcb0d4424c31c3cef2c61fbd568

SHA1
439e95f0324fef7a24916e8329b5eb9941b08405

SHA256
1b3668de6b85a4543a9120e2465c745d01151d135eaf4c4bed9b1a83f6f5954c

SHA512
a8b85cfb359955966f7b1f369b4c5780158775003a889077692165ac7c3922096abd628f3523ac7476a4f60ed0a5458a7307a916c1b89e5d839c718eca29725f

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
87KB

MD5
9b684dd68d705986a78c4a9d5d36c67d

SHA1
f471c7785c042ba71ad7e17be178ae2c2ebc8dd8

SHA256
12c77c5eee320cd0ce5e1e3b661bc8184d6835aaa566aff357b7ff4f2df040f9

SHA512
5a5883dfa14a01bcd7d5afdf4d853cc1f8ed003c3286cc462a15d3ff3c9be4170fdb9a9d7e2491a0f5acc917609f014ec056e7eeb17add5abd4cf84e2925303a

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
87KB

MD5
9b684dd68d705986a78c4a9d5d36c67d

SHA1
f471c7785c042ba71ad7e17be178ae2c2ebc8dd8

SHA256
12c77c5eee320cd0ce5e1e3b661bc8184d6835aaa566aff357b7ff4f2df040f9

SHA512
5a5883dfa14a01bcd7d5afdf4d853cc1f8ed003c3286cc462a15d3ff3c9be4170fdb9a9d7e2491a0f5acc917609f014ec056e7eeb17add5abd4cf84e2925303a

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
87KB

MD5
5248e728dc0ab15e9f1b657fb3510fe6

SHA1
249b090ddccb966512deb80436478b960f4b2901

SHA256
b531338815f3fc8e22e8ec42615b88867e7007eeda5482b2156945a8c1592e1f

SHA512
d42fa30dfaf8b455486c24ae3910e0299554a3e1e587507a3ffc62c152fd441fa6afab648c8e1e5a895c66805b33fcbfd7054575c47148112b23677aefdc333e

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
87KB

MD5
5248e728dc0ab15e9f1b657fb3510fe6

SHA1
249b090ddccb966512deb80436478b960f4b2901

SHA256
b531338815f3fc8e22e8ec42615b88867e7007eeda5482b2156945a8c1592e1f

SHA512
d42fa30dfaf8b455486c24ae3910e0299554a3e1e587507a3ffc62c152fd441fa6afab648c8e1e5a895c66805b33fcbfd7054575c47148112b23677aefdc333e

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
87KB

MD5
e254246e020536348b41764b80260bec

SHA1
6e8834047c8473a7e359f9030f699fea8b1aa245

SHA256
95e4461d17500c1ec0bcb7d865cc11c385fdad3e3af5fe024874f7b3021bd21f

SHA512
fc6acde29e207a2da0e310f30d940a9ef56eb679f2511da9e1565235ddfa3ea7dd95092e5c180d6cb6b70c2621fcc6b4a32088f2e52f0b7b8ec09b030309ffec

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
87KB

MD5
e254246e020536348b41764b80260bec

SHA1
6e8834047c8473a7e359f9030f699fea8b1aa245

SHA256
95e4461d17500c1ec0bcb7d865cc11c385fdad3e3af5fe024874f7b3021bd21f

SHA512
fc6acde29e207a2da0e310f30d940a9ef56eb679f2511da9e1565235ddfa3ea7dd95092e5c180d6cb6b70c2621fcc6b4a32088f2e52f0b7b8ec09b030309ffec

Download Submit
C:\Windows\SysWOW64\Mkfefigf.dll

Filesize
7KB

MD5
8f4220a40da6eeea3a4147172093fac6

SHA1
6ca97be89b7ad09fb6ed3a133865260c41ceed5f

SHA256
cc96468aac7c7bc7ec839eced2e47c2d49dc1bd2516ff602b83cda8f16dfbc72

SHA512
0ae2f2bd8c24a8e9097f8966278c3113105e059d0e640decb2bd20070a5019ce6c0a4983faf3c895667bdb694786f63dcf948e9c7638d02c729715cca70baf9c

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
87KB

MD5
78c57a41989628d572d02b66037bd09a

SHA1
50e716080e57779880e53d1c507eb0ea24f87362

SHA256
23ad8d0b74bf25bdf6cc0b0c9fb167020ce8a9bc3531c18d10867cbe6b6da20a

SHA512
473fbbc4a6f4ee04f2af6a0b52f378926e680a915385ca23f370611b14df3cdbe66802e629716ee6398a625d251d3a7a4d7195d5fb3d63a7b8a0210135b5f8d7

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
87KB

MD5
78c57a41989628d572d02b66037bd09a

SHA1
50e716080e57779880e53d1c507eb0ea24f87362

SHA256
23ad8d0b74bf25bdf6cc0b0c9fb167020ce8a9bc3531c18d10867cbe6b6da20a

SHA512
473fbbc4a6f4ee04f2af6a0b52f378926e680a915385ca23f370611b14df3cdbe66802e629716ee6398a625d251d3a7a4d7195d5fb3d63a7b8a0210135b5f8d7

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
87KB

MD5
fe7456eafddc20446c8eb7d6967287ad

SHA1
779f443f54d878c055e48b0b60b4bd22ded9c985

SHA256
91025fd163978f55866ecbfe8b3540612f529d9a46f67f13596017e01e61e150

SHA512
a2fd181f98cd0784146c313db565dd00941240248d945e5b01eb18a1b5b1c7fe1815bc523546c1553c07644750ce2033d810a0d935f18c91ef694bd4978f4df0

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
87KB

MD5
fe7456eafddc20446c8eb7d6967287ad

SHA1
779f443f54d878c055e48b0b60b4bd22ded9c985

SHA256
91025fd163978f55866ecbfe8b3540612f529d9a46f67f13596017e01e61e150

SHA512
a2fd181f98cd0784146c313db565dd00941240248d945e5b01eb18a1b5b1c7fe1815bc523546c1553c07644750ce2033d810a0d935f18c91ef694bd4978f4df0

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
87KB

MD5
0d2ca5c43bcb1b3a26f22ee8888d1228

SHA1
c194940373142df9eaf6510b8e629714857c083a

SHA256
cbe7f1bf6821861e8e40ac3f3a891bf923fe4be34af658bf20ec11f15ec20578

SHA512
079a5367289611aaecec18b652886c68c947e507fa6943362fa481f4ec472e07620af7d1c866a0030ce0f0b7b80deba4cb14a9ea2d3da18aad0d3443aeb540b7

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
87KB

MD5
0d2ca5c43bcb1b3a26f22ee8888d1228

SHA1
c194940373142df9eaf6510b8e629714857c083a

SHA256
cbe7f1bf6821861e8e40ac3f3a891bf923fe4be34af658bf20ec11f15ec20578

SHA512
079a5367289611aaecec18b652886c68c947e507fa6943362fa481f4ec472e07620af7d1c866a0030ce0f0b7b80deba4cb14a9ea2d3da18aad0d3443aeb540b7

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
87KB

MD5
e0b6d3218703caca8c3e1eff5558b0fd

SHA1
af5e32795351d8d4cc5fa26893d0a278326f1b50

SHA256
82ae7ca42814ad15f6ad71d224af2985d9c03f09a9e23368b601ad2fd3e5bfec

SHA512
a51f8b301be48f70e43f1ef072aece14efa24b32601acaac46f899db8c28d6dcef5a4596fe1592fb396fa3793dc0c4194bafc4bd0172a8773f72929cd91ab645

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
87KB

MD5
e0b6d3218703caca8c3e1eff5558b0fd

SHA1
af5e32795351d8d4cc5fa26893d0a278326f1b50

SHA256
82ae7ca42814ad15f6ad71d224af2985d9c03f09a9e23368b601ad2fd3e5bfec

SHA512
a51f8b301be48f70e43f1ef072aece14efa24b32601acaac46f899db8c28d6dcef5a4596fe1592fb396fa3793dc0c4194bafc4bd0172a8773f72929cd91ab645

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
87KB

MD5
6566b49309f541fe47dd5c408327b9df

SHA1
685283be6baf143d0bcbdc43211eae080d905f10

SHA256
773f1d65bdcb8d317e2ed5323908802c56d8b8ed8a622f54bb6c43a1655a3c1f

SHA512
dbdf9be94a6952744d87fb53a7c5ccef662a8fd83da1f3d6f5800de10f84e5779e1942e9363375d6d69ecfaf74ccf2ef24abbd8c10394130afab7a8b6ed95777

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
87KB

MD5
6566b49309f541fe47dd5c408327b9df

SHA1
685283be6baf143d0bcbdc43211eae080d905f10

SHA256
773f1d65bdcb8d317e2ed5323908802c56d8b8ed8a622f54bb6c43a1655a3c1f

SHA512
dbdf9be94a6952744d87fb53a7c5ccef662a8fd83da1f3d6f5800de10f84e5779e1942e9363375d6d69ecfaf74ccf2ef24abbd8c10394130afab7a8b6ed95777

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
87KB

MD5
cbd731c95d3177066b52cbc1f96279eb

SHA1
a4f812deb94d408fce27dffb4e9a4efd9a6c32de

SHA256
ae4042822dbb308cae9c6debb4d1a3f1407d13cd1c3321869168f7657e6e208b

SHA512
87dc16475185fafcbe90994c1c464b15745f021950b8bbc5a7a5a65db5ed80b4c9aa2c9e683f6a79dfe167c0e5f3f1a892f2d225c130ce8d7fdbe02c4213ed48

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
87KB

MD5
cbd731c95d3177066b52cbc1f96279eb

SHA1
a4f812deb94d408fce27dffb4e9a4efd9a6c32de

SHA256
ae4042822dbb308cae9c6debb4d1a3f1407d13cd1c3321869168f7657e6e208b

SHA512
87dc16475185fafcbe90994c1c464b15745f021950b8bbc5a7a5a65db5ed80b4c9aa2c9e683f6a79dfe167c0e5f3f1a892f2d225c130ce8d7fdbe02c4213ed48

Download Submit
C:\Windows\SysWOW64\Qmgelf32.exe

Filesize
87KB

MD5
eb53c8e528070c37dc1a95e6fb40837f

SHA1
308fe685e7a069113510f11cadd5772895b16eda

SHA256
ecdcbd878de8c2ed5a04e222a00baaaf88e36484e92aa2635e72858265c5b89b

SHA512
3a57eabb260397bfe8bcf74b629c11310ee4dc6cbe299ee64f6cb1a8dbbbde312ee91cfc1a57d215db3bb50b97a0912d7c1a1084c73debf978fb6a9405313b3a

Download Submit
C:\Windows\SysWOW64\Qmgelf32.exe

Filesize
87KB

MD5
eb53c8e528070c37dc1a95e6fb40837f

SHA1
308fe685e7a069113510f11cadd5772895b16eda

SHA256
ecdcbd878de8c2ed5a04e222a00baaaf88e36484e92aa2635e72858265c5b89b

SHA512
3a57eabb260397bfe8bcf74b629c11310ee4dc6cbe299ee64f6cb1a8dbbbde312ee91cfc1a57d215db3bb50b97a0912d7c1a1084c73debf978fb6a9405313b3a

Download Submit
memory/216-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/368-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/368-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/964-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/964-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2632-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2632-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3756-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3888-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3888-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3988-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3988-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4100-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4100-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4188-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4188-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4232-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4232-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads