eb91bf1c0312adbcd78cca568bdfed7f69b87f08b268ecbd437a3d4e6e4b5770

Analysis

max time kernel
134s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ccaa574520494925408d00ad162e4860.exe
Size

174KB
MD5

ccaa574520494925408d00ad162e4860
SHA1

1016088dade81f0e54a1a9a42a4c587a7a5be3b3
SHA256

eb91bf1c0312adbcd78cca568bdfed7f69b87f08b268ecbd437a3d4e6e4b5770
SHA512

edcf4001761bb9695e558f666833bd66055d8a483ff3c9601e078f8ffc6b784d61ddb893152f65f465c8a3b55e70d41b20f76b3773863d5a0472b74c37b8b83d
SSDEEP

3072:Pn08amQaf1uwjK56y+lLeAh7DxSvITW/cbFGS92TlTTtttSneicdq:88a/ouwjK565lSAdhCw92TlTTttt5D

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.ccaa574520494925408d00ad162e4860.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Paiogf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnojho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojdgnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.ccaa574520494925408d00ad162e4860.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apodoq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apodoq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe

Executes dropped EXE 17 IoCs

pid	Process
4696	Nnojho32.exe
1880	Ojdgnn32.exe
5096	Ocohmc32.exe
5016	Phonha32.exe
4408	Paiogf32.exe
3632	Pfiddm32.exe
4028	Qobhkjdi.exe
912	Qdoacabq.exe
1884	Amjbbfgo.exe
2652	Apodoq32.exe
3180	Apaadpng.exe
4984	Bobabg32.exe
3432	Bhblllfo.exe
2480	Chiblk32.exe
4604	Cgnomg32.exe
208	Cnjdpaki.exe
4804	Dkqaoe32.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bobabg32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Phonha32.exe	Ocohmc32.exe
File opened for modification	C:\Windows\SysWOW64\Qobhkjdi.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Qobhkjdi.exe
File created	C:\Windows\SysWOW64\Iocedcbl.dll	Apodoq32.exe
File opened for modification	C:\Windows\SysWOW64\Bobabg32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Bhblllfo.exe	Bobabg32.exe
File created	C:\Windows\SysWOW64\Cnjdpaki.exe	Cgnomg32.exe
File opened for modification	C:\Windows\SysWOW64\Ocohmc32.exe	Ojdgnn32.exe
File created	C:\Windows\SysWOW64\Qdoacabq.exe	Qobhkjdi.exe
File opened for modification	C:\Windows\SysWOW64\Apodoq32.exe	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Opjghl32.dll	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Apaadpng.exe
File created	C:\Windows\SysWOW64\Nnojho32.exe	NEAS.ccaa574520494925408d00ad162e4860.exe
File created	C:\Windows\SysWOW64\Eleqaiga.dll	NEAS.ccaa574520494925408d00ad162e4860.exe
File created	C:\Windows\SysWOW64\Eepmqdbn.dll	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Qobhkjdi.exe	Pfiddm32.exe
File opened for modification	C:\Windows\SysWOW64\Phonha32.exe	Ocohmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Ennamn32.dll	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Ojdgnn32.exe	Nnojho32.exe
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	Qobhkjdi.exe
File created	C:\Windows\SysWOW64\Apodoq32.exe	Amjbbfgo.exe
File opened for modification	C:\Windows\SysWOW64\Apaadpng.exe	Apodoq32.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Opcefi32.dll	Nnojho32.exe
File created	C:\Windows\SysWOW64\Apaadpng.exe	Apodoq32.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Bhblllfo.exe
File opened for modification	C:\Windows\SysWOW64\Ojdgnn32.exe	Nnojho32.exe
File created	C:\Windows\SysWOW64\Dkbnla32.dll	Bobabg32.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Bbikhdcm.dll	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Pfiddm32.exe	Paiogf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnjdpaki.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Paiogf32.exe	Phonha32.exe
File opened for modification	C:\Windows\SysWOW64\Pfiddm32.exe	Paiogf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnojho32.exe	NEAS.ccaa574520494925408d00ad162e4860.exe
File opened for modification	C:\Windows\SysWOW64\Amjbbfgo.exe	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Cgnomg32.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Chiblk32.exe
File created	C:\Windows\SysWOW64\Apgnjp32.dll	Phonha32.exe
File created	C:\Windows\SysWOW64\Idaiki32.dll	Paiogf32.exe
File created	C:\Windows\SysWOW64\Keiifian.dll	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Amjbbfgo.exe	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Ocohmc32.exe	Ojdgnn32.exe
File created	C:\Windows\SysWOW64\Nnahhegq.dll	Ojdgnn32.exe
File opened for modification	C:\Windows\SysWOW64\Paiogf32.exe	Phonha32.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Bobabg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4712	4804	WerFault.exe	106

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.ccaa574520494925408d00ad162e4860.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjghl32.dll"	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apaadpng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcefi32.dll"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbikhdcm.dll"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgnjp32.dll"	Phonha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll"	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bobabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.ccaa574520494925408d00ad162e4860.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleqaiga.dll"	NEAS.ccaa574520494925408d00ad162e4860.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnahhegq.dll"	Ojdgnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Paiogf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.ccaa574520494925408d00ad162e4860.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.ccaa574520494925408d00ad162e4860.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.ccaa574520494925408d00ad162e4860.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phonha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qobhkjdi.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 4696	5088	NEAS.ccaa574520494925408d00ad162e4860.exe	90
PID 5088 wrote to memory of 4696	5088	NEAS.ccaa574520494925408d00ad162e4860.exe	90
PID 5088 wrote to memory of 4696	5088	NEAS.ccaa574520494925408d00ad162e4860.exe	90
PID 4696 wrote to memory of 1880	4696	Nnojho32.exe	91
PID 4696 wrote to memory of 1880	4696	Nnojho32.exe	91
PID 4696 wrote to memory of 1880	4696	Nnojho32.exe	91
PID 1880 wrote to memory of 5096	1880	Ojdgnn32.exe	92
PID 1880 wrote to memory of 5096	1880	Ojdgnn32.exe	92
PID 1880 wrote to memory of 5096	1880	Ojdgnn32.exe	92
PID 5096 wrote to memory of 5016	5096	Ocohmc32.exe	93
PID 5096 wrote to memory of 5016	5096	Ocohmc32.exe	93
PID 5096 wrote to memory of 5016	5096	Ocohmc32.exe	93
PID 5016 wrote to memory of 4408	5016	Phonha32.exe	94
PID 5016 wrote to memory of 4408	5016	Phonha32.exe	94
PID 5016 wrote to memory of 4408	5016	Phonha32.exe	94
PID 4408 wrote to memory of 3632	4408	Paiogf32.exe	95
PID 4408 wrote to memory of 3632	4408	Paiogf32.exe	95
PID 4408 wrote to memory of 3632	4408	Paiogf32.exe	95
PID 3632 wrote to memory of 4028	3632	Pfiddm32.exe	96
PID 3632 wrote to memory of 4028	3632	Pfiddm32.exe	96
PID 3632 wrote to memory of 4028	3632	Pfiddm32.exe	96
PID 4028 wrote to memory of 912	4028	Qobhkjdi.exe	97
PID 4028 wrote to memory of 912	4028	Qobhkjdi.exe	97
PID 4028 wrote to memory of 912	4028	Qobhkjdi.exe	97
PID 912 wrote to memory of 1884	912	Qdoacabq.exe	98
PID 912 wrote to memory of 1884	912	Qdoacabq.exe	98
PID 912 wrote to memory of 1884	912	Qdoacabq.exe	98
PID 1884 wrote to memory of 2652	1884	Amjbbfgo.exe	99
PID 1884 wrote to memory of 2652	1884	Amjbbfgo.exe	99
PID 1884 wrote to memory of 2652	1884	Amjbbfgo.exe	99
PID 2652 wrote to memory of 3180	2652	Apodoq32.exe	100
PID 2652 wrote to memory of 3180	2652	Apodoq32.exe	100
PID 2652 wrote to memory of 3180	2652	Apodoq32.exe	100
PID 3180 wrote to memory of 4984	3180	Apaadpng.exe	101
PID 3180 wrote to memory of 4984	3180	Apaadpng.exe	101
PID 3180 wrote to memory of 4984	3180	Apaadpng.exe	101
PID 4984 wrote to memory of 3432	4984	Bobabg32.exe	102
PID 4984 wrote to memory of 3432	4984	Bobabg32.exe	102
PID 4984 wrote to memory of 3432	4984	Bobabg32.exe	102
PID 3432 wrote to memory of 2480	3432	Bhblllfo.exe	103
PID 3432 wrote to memory of 2480	3432	Bhblllfo.exe	103
PID 3432 wrote to memory of 2480	3432	Bhblllfo.exe	103
PID 2480 wrote to memory of 4604	2480	Chiblk32.exe	104
PID 2480 wrote to memory of 4604	2480	Chiblk32.exe	104
PID 2480 wrote to memory of 4604	2480	Chiblk32.exe	104
PID 4604 wrote to memory of 208	4604	Cgnomg32.exe	105
PID 4604 wrote to memory of 208	4604	Cgnomg32.exe	105
PID 4604 wrote to memory of 208	4604	Cgnomg32.exe	105
PID 208 wrote to memory of 4804	208	Cnjdpaki.exe	106
PID 208 wrote to memory of 4804	208	Cnjdpaki.exe	106
PID 208 wrote to memory of 4804	208	Cnjdpaki.exe	106

C:\Users\Admin\AppData\Local\Temp\NEAS.ccaa574520494925408d00ad162e4860.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ccaa574520494925408d00ad162e4860.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\Nnojho32.exe
  C:\Windows\system32\Nnojho32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\Ojdgnn32.exe
    C:\Windows\system32\Ojdgnn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\SysWOW64\Ocohmc32.exe
      C:\Windows\system32\Ocohmc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        18⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 412
        19⤵
        Program crash
        
        PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4804 -ip 4804
1⤵
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
174KB

MD5
6a939098e537ab0313ece7822d90230b

SHA1
d8bbb4d21845a1f2ae7bdc0ef5c4404b3b4c8ca8

SHA256
e1ffb206c83e03cb0d7c79d04325efb08b1406891e57d4de81d8adf794ba74a0

SHA512
731860c4609edef0711476593e80987caf9224ce38ff8c8c01a79fbeb1d75b7ef3aed2e676403f55668d4bfded97b4511d8a02172c7864d78aa501c9413c3b9e

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
174KB

MD5
6a939098e537ab0313ece7822d90230b

SHA1
d8bbb4d21845a1f2ae7bdc0ef5c4404b3b4c8ca8

SHA256
e1ffb206c83e03cb0d7c79d04325efb08b1406891e57d4de81d8adf794ba74a0

SHA512
731860c4609edef0711476593e80987caf9224ce38ff8c8c01a79fbeb1d75b7ef3aed2e676403f55668d4bfded97b4511d8a02172c7864d78aa501c9413c3b9e

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
174KB

MD5
be424bfb6c7edd23a0d7c1ff979d0def

SHA1
0d9b92fa4f74845908e56d16b74b674c14a934cd

SHA256
1aa2f247666db666dfe6fda7d9e93d95a5c1a852f34d0e91b59db380974c9ff7

SHA512
a61d21a6ed882335aa30dfca52310cc1ca730ceb15fac2a1ca4c7c3dd077ea74f4b7c0b9d20c19b0c3e6647f845c1dbfff23594127638c0cc595fa273d3df689

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
174KB

MD5
be424bfb6c7edd23a0d7c1ff979d0def

SHA1
0d9b92fa4f74845908e56d16b74b674c14a934cd

SHA256
1aa2f247666db666dfe6fda7d9e93d95a5c1a852f34d0e91b59db380974c9ff7

SHA512
a61d21a6ed882335aa30dfca52310cc1ca730ceb15fac2a1ca4c7c3dd077ea74f4b7c0b9d20c19b0c3e6647f845c1dbfff23594127638c0cc595fa273d3df689

Download Submit
C:\Windows\SysWOW64\Apgnjp32.dll

Filesize
7KB

MD5
ffcef494f75055fccde1ea9935bd25ab

SHA1
108af63780b6832808cbb699a31513d7de45f33a

SHA256
fa8a372bd38b4920614f91e4aaf4a78de88a6f6a65fdd2ea251cf1c3b8a5c247

SHA512
a02bae41dbe80157e2433adeda3f7fb3b24514f69d6ae30af8d4e42f26264c285932983390fbc65df0ede1f4ad9842e26be384f15874054b2f586ed3ab4748aa

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
174KB

MD5
d640a7c8c009deb05a2bf136a6a6cd79

SHA1
66c7fab10546dbf3c248ee6dba1dfe0a911f25d4

SHA256
5361a34b95f4dd0add0669071a8d32cdfb0facad871e8db5a6117b3499071aae

SHA512
1157ba2db709dd8bc8f2f3f82033c0f46e89603723224f8999dbf0cb22aa2617b5fe799a3eaf321e1339a3947e5fdc473b39d2dd2a33354de988cec64789a2a8

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
174KB

MD5
d640a7c8c009deb05a2bf136a6a6cd79

SHA1
66c7fab10546dbf3c248ee6dba1dfe0a911f25d4

SHA256
5361a34b95f4dd0add0669071a8d32cdfb0facad871e8db5a6117b3499071aae

SHA512
1157ba2db709dd8bc8f2f3f82033c0f46e89603723224f8999dbf0cb22aa2617b5fe799a3eaf321e1339a3947e5fdc473b39d2dd2a33354de988cec64789a2a8

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
174KB

MD5
c3a8da5a117f1af3d9f132b4e13e00af

SHA1
c482dce1039d40209434fa99340668a75b638cea

SHA256
18dd6a6063edff9cf26813a155492a523e148db36277ccc76100689516a00df1

SHA512
fe8ae5a666819229bd076f6aff853e63b8d69b484581dbcdfeaf294b4bcbeabb2460ae9d92a96a2ba85041281362743b11f32767603d93aaa368e225f76c0db1

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
174KB

MD5
c3a8da5a117f1af3d9f132b4e13e00af

SHA1
c482dce1039d40209434fa99340668a75b638cea

SHA256
18dd6a6063edff9cf26813a155492a523e148db36277ccc76100689516a00df1

SHA512
fe8ae5a666819229bd076f6aff853e63b8d69b484581dbcdfeaf294b4bcbeabb2460ae9d92a96a2ba85041281362743b11f32767603d93aaa368e225f76c0db1

Download Submit
C:\Windows\SysWOW64\Bobabg32.exe

Filesize
174KB

MD5
08c190f891d4208266d9608c00d1f4e1

SHA1
b6ad0e731d8af526df3c74d9b3efabcdba389910

SHA256
2583a0b898d44ca23ecbc8cc2bd294bad29f2b0f8c13303c342ca14b6a09afa0

SHA512
ba8f2fb0e59cb066e913562cb350aef7152d855cadec381ea7641288df0f5869ee752f7cefaaa2ff266258c2d0420ac439e062ba44d74d1d856bbf25c287af29

Download Submit
C:\Windows\SysWOW64\Bobabg32.exe

Filesize
174KB

MD5
08c190f891d4208266d9608c00d1f4e1

SHA1
b6ad0e731d8af526df3c74d9b3efabcdba389910

SHA256
2583a0b898d44ca23ecbc8cc2bd294bad29f2b0f8c13303c342ca14b6a09afa0

SHA512
ba8f2fb0e59cb066e913562cb350aef7152d855cadec381ea7641288df0f5869ee752f7cefaaa2ff266258c2d0420ac439e062ba44d74d1d856bbf25c287af29

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
174KB

MD5
55e4c4ab1bcf7cbcee8d34b6c4f67baa

SHA1
20ece3a34b038fd0a81c3d207e632094b359d3b7

SHA256
52a769854b797768ac0721b3ebec27e8c3a9b340853cb6c6b37e2f91e313d715

SHA512
89628d1adeb309741af7bbfd1fcfdbb9f1dd393c15d233aa7318e42f28ffb0e963dcacd4db672d04e6cf8c628a7c2a262336ec9239038412b6b8f19b23249b78

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
174KB

MD5
55e4c4ab1bcf7cbcee8d34b6c4f67baa

SHA1
20ece3a34b038fd0a81c3d207e632094b359d3b7

SHA256
52a769854b797768ac0721b3ebec27e8c3a9b340853cb6c6b37e2f91e313d715

SHA512
89628d1adeb309741af7bbfd1fcfdbb9f1dd393c15d233aa7318e42f28ffb0e963dcacd4db672d04e6cf8c628a7c2a262336ec9239038412b6b8f19b23249b78

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
174KB

MD5
485ec4da8f1cd34576bc84407d69d276

SHA1
55514f37e19095b5142e5af1a378481efd11932d

SHA256
c946de6824f2e3825d25d75e95241eb7e7e1efa7a60cfc2d77fcc409bb1b66cc

SHA512
d1f4f95f807f94d1a35a255e1750ea042706363d38e14f2b9362264be3dd8d41e62d89362f1af0c1ed06cb3a82ccc76472a8f57f625bad087c89b5383ce33044

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
174KB

MD5
485ec4da8f1cd34576bc84407d69d276

SHA1
55514f37e19095b5142e5af1a378481efd11932d

SHA256
c946de6824f2e3825d25d75e95241eb7e7e1efa7a60cfc2d77fcc409bb1b66cc

SHA512
d1f4f95f807f94d1a35a255e1750ea042706363d38e14f2b9362264be3dd8d41e62d89362f1af0c1ed06cb3a82ccc76472a8f57f625bad087c89b5383ce33044

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
174KB

MD5
55e4c4ab1bcf7cbcee8d34b6c4f67baa

SHA1
20ece3a34b038fd0a81c3d207e632094b359d3b7

SHA256
52a769854b797768ac0721b3ebec27e8c3a9b340853cb6c6b37e2f91e313d715

SHA512
89628d1adeb309741af7bbfd1fcfdbb9f1dd393c15d233aa7318e42f28ffb0e963dcacd4db672d04e6cf8c628a7c2a262336ec9239038412b6b8f19b23249b78

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
174KB

MD5
4edf45423a221091e55a8cdf44b94ca2

SHA1
7956a575d7cc711e07dc8c62d0a869f3c71eb8e5

SHA256
ba0559e65be43afddbcad3977b515f92e10db9262ea0e3e24742e22c19597f00

SHA512
9644d616811c631d0be359bd72720e20a131556a6586bf1fba00eaf5e561fcf0b0c0bf0d465fdcb5079751a01d76e176ceba047e3920076f1a75888fde583259

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
174KB

MD5
4edf45423a221091e55a8cdf44b94ca2

SHA1
7956a575d7cc711e07dc8c62d0a869f3c71eb8e5

SHA256
ba0559e65be43afddbcad3977b515f92e10db9262ea0e3e24742e22c19597f00

SHA512
9644d616811c631d0be359bd72720e20a131556a6586bf1fba00eaf5e561fcf0b0c0bf0d465fdcb5079751a01d76e176ceba047e3920076f1a75888fde583259

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
174KB

MD5
eae064c2741d86f65ea90dc006626a42

SHA1
81e97f411c237473abb6b264f36088793b0e7fce

SHA256
48b7906c8195e4c2780c8e81915b624ca98fa1edb4687df91e8c489e89c60b8e

SHA512
6fc2b2182eab71eb90806ff9b4af7dd4912d298566e91c9f7d2dd031522cc86643fa2c02fa1c0990cda2f74e91c6b901d53b03a214df4e5a517a697b88fde03a

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
174KB

MD5
eae064c2741d86f65ea90dc006626a42

SHA1
81e97f411c237473abb6b264f36088793b0e7fce

SHA256
48b7906c8195e4c2780c8e81915b624ca98fa1edb4687df91e8c489e89c60b8e

SHA512
6fc2b2182eab71eb90806ff9b4af7dd4912d298566e91c9f7d2dd031522cc86643fa2c02fa1c0990cda2f74e91c6b901d53b03a214df4e5a517a697b88fde03a

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
174KB

MD5
7bebe5e10b311e861a673bf9ac4e5fb9

SHA1
eeb07d183068f8f4f854c37d29a18125a83d1f02

SHA256
a763b03a9d7d3e4bf2f135e06b8541a1a5ac2fc60778512218e6ff0058a95f15

SHA512
8cc7238dc8829aefa6a80192e123aef8b3b0e8a2dd9740c8681be121df8c8772ad3de07b2965aee830b55f124836f0bf1461c66a5c54d621ba6bee299e4d6d06

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
174KB

MD5
7bebe5e10b311e861a673bf9ac4e5fb9

SHA1
eeb07d183068f8f4f854c37d29a18125a83d1f02

SHA256
a763b03a9d7d3e4bf2f135e06b8541a1a5ac2fc60778512218e6ff0058a95f15

SHA512
8cc7238dc8829aefa6a80192e123aef8b3b0e8a2dd9740c8681be121df8c8772ad3de07b2965aee830b55f124836f0bf1461c66a5c54d621ba6bee299e4d6d06

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
174KB

MD5
82369ed340048d660217c860cecbb138

SHA1
febba2331cc599929ac44a4243b50783242a8962

SHA256
a88ceb22bb2e5a239d7e7f0ece7aa0300ef0d266098e3529a1d6489ac46fa46f

SHA512
185c78bfbd786f04aa0ff6ee76ee38bb50de3f1c0de63a52f30b941a36d7b9abe2a730e61184fc22a249213f3b66d20b7c09da9997c517b68ba886b602f1e6ec

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
174KB

MD5
82369ed340048d660217c860cecbb138

SHA1
febba2331cc599929ac44a4243b50783242a8962

SHA256
a88ceb22bb2e5a239d7e7f0ece7aa0300ef0d266098e3529a1d6489ac46fa46f

SHA512
185c78bfbd786f04aa0ff6ee76ee38bb50de3f1c0de63a52f30b941a36d7b9abe2a730e61184fc22a249213f3b66d20b7c09da9997c517b68ba886b602f1e6ec

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
174KB

MD5
fa3107b0cda479e4d0ff2ff68b2a8594

SHA1
9154afc960c115c78bd709c2c61fa19e2d8f823c

SHA256
68996243c0d7c7e34b9514312b1628e20fd77b5489f22cce01f40bddd3a22b3d

SHA512
c0ad30170a5b576ccc25c5bbbc1040f19c230379d0c52b05fed31d0686602d72f42dc4fb58946a948fae0692843ef3f586b48b94baccbc113a3c1b98978e4f2e

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
174KB

MD5
fa3107b0cda479e4d0ff2ff68b2a8594

SHA1
9154afc960c115c78bd709c2c61fa19e2d8f823c

SHA256
68996243c0d7c7e34b9514312b1628e20fd77b5489f22cce01f40bddd3a22b3d

SHA512
c0ad30170a5b576ccc25c5bbbc1040f19c230379d0c52b05fed31d0686602d72f42dc4fb58946a948fae0692843ef3f586b48b94baccbc113a3c1b98978e4f2e

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
174KB

MD5
6be3e99dfc0b2b47432a272668e83b70

SHA1
5a0bf4c1561235e2424e85c1dc330a80bac43903

SHA256
fcea9f26e95f88ae56587219ea72000ae7170792f4e946a52d985a38a1fc6f52

SHA512
1d63d38d4a2dce7b2d9a3c330a7dc343f4bdc35a8f30c0dd5b4378326656272a590b1d169bf951f026958bdfa0d5112f569487a86e8b40040324b4efaffd0bec

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
174KB

MD5
6be3e99dfc0b2b47432a272668e83b70

SHA1
5a0bf4c1561235e2424e85c1dc330a80bac43903

SHA256
fcea9f26e95f88ae56587219ea72000ae7170792f4e946a52d985a38a1fc6f52

SHA512
1d63d38d4a2dce7b2d9a3c330a7dc343f4bdc35a8f30c0dd5b4378326656272a590b1d169bf951f026958bdfa0d5112f569487a86e8b40040324b4efaffd0bec

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
174KB

MD5
91acf7f3e6a6bb8cfb4a1ba36256f6fe

SHA1
caa6e92346c0455617ac9af3ca4df6973a2c973f

SHA256
997abebb6cfdffba6ba3c4023c4a81156066c73ae0d63fd5a2d36a163dc5fd3b

SHA512
6080996f57bcd450de8c5bb2b2830ba8e0e3daae9ffee53d523cff07a1b0315f6d830a315031b63943a9c2e5d03bab47d8627661dc96648e15325fffc72c58af

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
174KB

MD5
91acf7f3e6a6bb8cfb4a1ba36256f6fe

SHA1
caa6e92346c0455617ac9af3ca4df6973a2c973f

SHA256
997abebb6cfdffba6ba3c4023c4a81156066c73ae0d63fd5a2d36a163dc5fd3b

SHA512
6080996f57bcd450de8c5bb2b2830ba8e0e3daae9ffee53d523cff07a1b0315f6d830a315031b63943a9c2e5d03bab47d8627661dc96648e15325fffc72c58af

Download Submit
C:\Windows\SysWOW64\Phonha32.exe

Filesize
174KB

MD5
05df83e6a57e71e72df2ab036c6773ae

SHA1
1aa5b7c470eded264786c1cfa839fd73bb94c3be

SHA256
b56468d29b80c1caabb25fa727c75c4252ec4bb40a7c914fb21ed9983b1141e0

SHA512
4893a7e15b3ad0fa37e92847759e455ef6e5cd8c222c62a15fe73d56fc3fe1ceb571db5b2367eec1d7993882febe1dbf90876c7bf54dd33ad5a033d3b53dd6a0

Download Submit
C:\Windows\SysWOW64\Phonha32.exe

Filesize
174KB

MD5
05df83e6a57e71e72df2ab036c6773ae

SHA1
1aa5b7c470eded264786c1cfa839fd73bb94c3be

SHA256
b56468d29b80c1caabb25fa727c75c4252ec4bb40a7c914fb21ed9983b1141e0

SHA512
4893a7e15b3ad0fa37e92847759e455ef6e5cd8c222c62a15fe73d56fc3fe1ceb571db5b2367eec1d7993882febe1dbf90876c7bf54dd33ad5a033d3b53dd6a0

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
174KB

MD5
cc0868c9f2ee0474f837ec85c722af01

SHA1
733731b572e9b3cd96a2ba67dae4e04856697ae4

SHA256
8f2136ca40ac22d5494ea409533f57255b9371b59bb3accca5cb31af7663727b

SHA512
287d66d9ec8de7880b63e30897bd1816a72b1948810be6dac680215204573ab86e80e31c727d3236834883820ebc34220085b4d34c756220645b7843a759b429

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
174KB

MD5
cc0868c9f2ee0474f837ec85c722af01

SHA1
733731b572e9b3cd96a2ba67dae4e04856697ae4

SHA256
8f2136ca40ac22d5494ea409533f57255b9371b59bb3accca5cb31af7663727b

SHA512
287d66d9ec8de7880b63e30897bd1816a72b1948810be6dac680215204573ab86e80e31c727d3236834883820ebc34220085b4d34c756220645b7843a759b429

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
174KB

MD5
85b7846e64b696f54253ca7f3b4c815c

SHA1
c05504bd625fdccaf8511e9d4b70f3fd721d7f09

SHA256
6172d619aeceab276e0812c9f4f0cbbe432cf90c86795369ccfe4d38883ad9d9

SHA512
7e30212146db576c38fd8629dd79a36eaf987d0a41e62f2ca258221e7352f11fb14a4e9d279f12584a8e65aaaef653717affbe73a102d0a67dddaabb4bb9744f

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
174KB

MD5
85b7846e64b696f54253ca7f3b4c815c

SHA1
c05504bd625fdccaf8511e9d4b70f3fd721d7f09

SHA256
6172d619aeceab276e0812c9f4f0cbbe432cf90c86795369ccfe4d38883ad9d9

SHA512
7e30212146db576c38fd8629dd79a36eaf987d0a41e62f2ca258221e7352f11fb14a4e9d279f12584a8e65aaaef653717affbe73a102d0a67dddaabb4bb9744f

Download Submit
memory/208-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/208-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/912-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/912-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1880-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1880-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1884-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1884-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-111-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3180-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3180-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3432-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3432-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4028-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4028-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4696-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4696-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-137-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4984-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4984-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5016-150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5016-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5088-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5088-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads