649c0509de985663eb462916b46d72df945f6b7bd1d9796d82d11eb000111489

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 17:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe
Size

384KB
MD5

a0ea169e87404cc7f4022fe429aa5b20
SHA1

b591ca875b26a131ac8c181a08256636e31e70ec
SHA256

649c0509de985663eb462916b46d72df945f6b7bd1d9796d82d11eb000111489
SHA512

849cc4d9926feb56cf6375a09773894e11c962aef972a93769d8245afbbab4d174ab8ef81c025460df51bfb6c437785592ee3d020fda20ee575785f2a1e71a74
SSDEEP

3072:+3CEy0HgmOTDLVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWU:+JrHgPDLRs+HLlD0rN2ZwVht740PU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mogcihaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pagbaglh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pagbaglh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggnadib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfaemp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfaemp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nflkbanj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe

Executes dropped EXE 29 IoCs

pid	Process
4048	Mogcihaj.exe
4452	Mnmmboed.exe
4728	Nggnadib.exe
4916	Nflkbanj.exe
3344	Nfohgqlg.exe
2776	Nfaemp32.exe
3800	Ngqagcag.exe
892	Ogcnmc32.exe
220	Ogekbb32.exe
2328	Ocohmc32.exe
640	Opeiadfg.exe
2540	Pagbaglh.exe
3272	Pfdjinjo.exe
2924	Pdhkcb32.exe
1688	Pdjgha32.exe
5016	Qhhpop32.exe
2788	Qdoacabq.exe
408	Qpeahb32.exe
3976	Aphnnafb.exe
552	Apjkcadp.exe
4980	Ahfmpnql.exe
2968	Bgkiaj32.exe
4176	Bdagpnbk.exe
3708	Bknlbhhe.exe
3948	Bgelgi32.exe
3588	Cdkifmjq.exe
4936	Cdmfllhn.exe
556	Caageq32.exe
4336	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nggnadib.exe	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Ckkpjkai.dll	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Klbjgbff.dll	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Bdagpnbk.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Pagbaglh.exe	Opeiadfg.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Flbfjl32.dll	Ogcnmc32.exe
File opened for modification	C:\Windows\SysWOW64\Pagbaglh.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Pfdjinjo.exe	Pagbaglh.exe
File created	C:\Windows\SysWOW64\Jcgmgn32.dll	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Pdjgha32.exe	Pdhkcb32.exe
File created	C:\Windows\SysWOW64\Qpeahb32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Ejphhm32.dll	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Pdhkcb32.exe	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Qdoacabq.exe	Qhhpop32.exe
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Mlcdqdie.dll	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Apjkcadp.exe	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Dckajh32.dll	NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe
File opened for modification	C:\Windows\SysWOW64\Nfaemp32.exe	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Ogekbb32.exe	Ogcnmc32.exe
File created	C:\Windows\SysWOW64\Mnmmboed.exe	Mogcihaj.exe
File created	C:\Windows\SysWOW64\Qhhpop32.exe	Pdjgha32.exe
File opened for modification	C:\Windows\SysWOW64\Ahfmpnql.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Nflkbanj.exe	Nggnadib.exe
File created	C:\Windows\SysWOW64\Opeiadfg.exe	Ocohmc32.exe
File opened for modification	C:\Windows\SysWOW64\Qpeahb32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Ogcnmc32.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Ocohmc32.exe	Ogekbb32.exe
File opened for modification	C:\Windows\SysWOW64\Ocohmc32.exe	Ogekbb32.exe
File opened for modification	C:\Windows\SysWOW64\Pfdjinjo.exe	Pagbaglh.exe
File created	C:\Windows\SysWOW64\Lmnbjama.dll	Pdhkcb32.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Fmbgla32.dll	Qpeahb32.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Cdmfllhn.exe
File opened for modification	C:\Windows\SysWOW64\Nfohgqlg.exe	Nflkbanj.exe
File created	C:\Windows\SysWOW64\Nfaemp32.exe	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Ngqagcag.exe	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Jnfpnk32.dll	Pagbaglh.exe
File created	C:\Windows\SysWOW64\Hbobhb32.dll	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Mioaanec.dll	Ahfmpnql.exe
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Cdkifmjq.exe	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Pdjgha32.exe	Pdhkcb32.exe
File created	C:\Windows\SysWOW64\Aphnnafb.exe	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Bknlbhhe.exe	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Mnmmboed.exe	Mogcihaj.exe
File opened for modification	C:\Windows\SysWOW64\Nggnadib.exe	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Dempqa32.dll	Nfaemp32.exe
File opened for modification	C:\Windows\SysWOW64\Ogekbb32.exe	Ogcnmc32.exe
File opened for modification	C:\Windows\SysWOW64\Pdhkcb32.exe	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Adnbpqkj.dll	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Cdkifmjq.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Mogcihaj.exe	NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe
File created	C:\Windows\SysWOW64\Fcokoohi.dll	Nggnadib.exe
File created	C:\Windows\SysWOW64\Flhkmbmp.dll	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Ahfmpnql.exe	Apjkcadp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3388	4336	WerFault.exe	118

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mogcihaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbfjl32.dll"	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgfl32.dll"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbcpc32.dll"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nflkbanj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnahhegq.dll"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqnbqh32.dll"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll"	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempqa32.dll"	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckajh32.dll"	NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcokoohi.dll"	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfaemp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgmgn32.dll"	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggnadib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Caageq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhkmbmp.dll"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihiic32.dll"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbjgbff.dll"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdoacabq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 4048	1932	NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe	91
PID 1932 wrote to memory of 4048	1932	NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe	91
PID 1932 wrote to memory of 4048	1932	NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe	91
PID 4048 wrote to memory of 4452	4048	Mogcihaj.exe	92
PID 4048 wrote to memory of 4452	4048	Mogcihaj.exe	92
PID 4048 wrote to memory of 4452	4048	Mogcihaj.exe	92
PID 4452 wrote to memory of 4728	4452	Mnmmboed.exe	93
PID 4452 wrote to memory of 4728	4452	Mnmmboed.exe	93
PID 4452 wrote to memory of 4728	4452	Mnmmboed.exe	93
PID 4728 wrote to memory of 4916	4728	Nggnadib.exe	94
PID 4728 wrote to memory of 4916	4728	Nggnadib.exe	94
PID 4728 wrote to memory of 4916	4728	Nggnadib.exe	94
PID 4916 wrote to memory of 3344	4916	Nflkbanj.exe	95
PID 4916 wrote to memory of 3344	4916	Nflkbanj.exe	95
PID 4916 wrote to memory of 3344	4916	Nflkbanj.exe	95
PID 3344 wrote to memory of 2776	3344	Nfohgqlg.exe	96
PID 3344 wrote to memory of 2776	3344	Nfohgqlg.exe	96
PID 3344 wrote to memory of 2776	3344	Nfohgqlg.exe	96
PID 2776 wrote to memory of 3800	2776	Nfaemp32.exe	97
PID 2776 wrote to memory of 3800	2776	Nfaemp32.exe	97
PID 2776 wrote to memory of 3800	2776	Nfaemp32.exe	97
PID 3800 wrote to memory of 892	3800	Ngqagcag.exe	98
PID 3800 wrote to memory of 892	3800	Ngqagcag.exe	98
PID 3800 wrote to memory of 892	3800	Ngqagcag.exe	98
PID 892 wrote to memory of 220	892	Ogcnmc32.exe	99
PID 892 wrote to memory of 220	892	Ogcnmc32.exe	99
PID 892 wrote to memory of 220	892	Ogcnmc32.exe	99
PID 220 wrote to memory of 2328	220	Ogekbb32.exe	100
PID 220 wrote to memory of 2328	220	Ogekbb32.exe	100
PID 220 wrote to memory of 2328	220	Ogekbb32.exe	100
PID 2328 wrote to memory of 640	2328	Ocohmc32.exe	101
PID 2328 wrote to memory of 640	2328	Ocohmc32.exe	101
PID 2328 wrote to memory of 640	2328	Ocohmc32.exe	101
PID 640 wrote to memory of 2540	640	Opeiadfg.exe	114
PID 640 wrote to memory of 2540	640	Opeiadfg.exe	114
PID 640 wrote to memory of 2540	640	Opeiadfg.exe	114
PID 2540 wrote to memory of 3272	2540	Pagbaglh.exe	102
PID 2540 wrote to memory of 3272	2540	Pagbaglh.exe	102
PID 2540 wrote to memory of 3272	2540	Pagbaglh.exe	102
PID 3272 wrote to memory of 2924	3272	Pfdjinjo.exe	103
PID 3272 wrote to memory of 2924	3272	Pfdjinjo.exe	103
PID 3272 wrote to memory of 2924	3272	Pfdjinjo.exe	103
PID 2924 wrote to memory of 1688	2924	Pdhkcb32.exe	104
PID 2924 wrote to memory of 1688	2924	Pdhkcb32.exe	104
PID 2924 wrote to memory of 1688	2924	Pdhkcb32.exe	104
PID 1688 wrote to memory of 5016	1688	Pdjgha32.exe	105
PID 1688 wrote to memory of 5016	1688	Pdjgha32.exe	105
PID 1688 wrote to memory of 5016	1688	Pdjgha32.exe	105
PID 5016 wrote to memory of 2788	5016	Qhhpop32.exe	106
PID 5016 wrote to memory of 2788	5016	Qhhpop32.exe	106
PID 5016 wrote to memory of 2788	5016	Qhhpop32.exe	106
PID 2788 wrote to memory of 408	2788	Qdoacabq.exe	107
PID 2788 wrote to memory of 408	2788	Qdoacabq.exe	107
PID 2788 wrote to memory of 408	2788	Qdoacabq.exe	107
PID 408 wrote to memory of 3976	408	Qpeahb32.exe	109
PID 408 wrote to memory of 3976	408	Qpeahb32.exe	109
PID 408 wrote to memory of 3976	408	Qpeahb32.exe	109
PID 3976 wrote to memory of 552	3976	Aphnnafb.exe	108
PID 3976 wrote to memory of 552	3976	Aphnnafb.exe	108
PID 3976 wrote to memory of 552	3976	Aphnnafb.exe	108
PID 552 wrote to memory of 4980	552	Apjkcadp.exe	111
PID 552 wrote to memory of 4980	552	Apjkcadp.exe	111
PID 552 wrote to memory of 4980	552	Apjkcadp.exe	111
PID 4980 wrote to memory of 2968	4980	Ahfmpnql.exe	110

C:\Users\Admin\AppData\Local\Temp\NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a0ea169e87404cc7f4022fe429aa5b20.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\Mogcihaj.exe
  C:\Windows\system32\Mogcihaj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\Mnmmboed.exe
    C:\Windows\system32\Mnmmboed.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\SysWOW64\Nggnadib.exe
      C:\Windows\system32\Nggnadib.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4728
    - - C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
      - C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540

C:\Windows\SysWOW64\Pfdjinjo.exe
C:\Windows\system32\Pfdjinjo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Windows\SysWOW64\Pdhkcb32.exe
  C:\Windows\system32\Pdhkcb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\Pdjgha32.exe
    C:\Windows\system32\Pdjgha32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\Qhhpop32.exe
      C:\Windows\system32\Qhhpop32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976

C:\Windows\SysWOW64\Apjkcadp.exe
C:\Windows\system32\Apjkcadp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\SysWOW64\Ahfmpnql.exe
  C:\Windows\system32\Ahfmpnql.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4980

C:\Windows\SysWOW64\Bgkiaj32.exe
C:\Windows\system32\Bgkiaj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2968
- C:\Windows\SysWOW64\Bdagpnbk.exe
  C:\Windows\system32\Bdagpnbk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4176

C:\Windows\SysWOW64\Bknlbhhe.exe
C:\Windows\system32\Bknlbhhe.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3708
- C:\Windows\SysWOW64\Bgelgi32.exe
  C:\Windows\system32\Bgelgi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:3948

C:\Windows\SysWOW64\Cdkifmjq.exe
C:\Windows\system32\Cdkifmjq.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3588
- C:\Windows\SysWOW64\Cdmfllhn.exe
  C:\Windows\system32\Cdmfllhn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4936
- - C:\Windows\SysWOW64\Caageq32.exe
    C:\Windows\system32\Caageq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:556

C:\Windows\SysWOW64\Dkqaoe32.exe
C:\Windows\system32\Dkqaoe32.exe
1⤵
- Executes dropped EXE
PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 400
  2⤵
  - Program crash
  PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4336 -ip 4336
1⤵
PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahfmpnql.exe

Filesize
384KB

MD5
583e1f4fc72a7d510b7666f032fd0105

SHA1
ce2f9214e2c2490b6ef0eb12c46fda2264a56cc4

SHA256
b1f9e0fd487c68fa36b2e74044d148eda3cd5530c31d5c7df5df7262c0fd58ab

SHA512
e7d1893ccf27940ef5a6c48cf1a66bc090fbe76b0ea414463d5ee2674a2338582bfb736c6209bd540d89faf2665fdb10c0bd8baf217e04d5b5da8749548600f0

Download Submit
C:\Windows\SysWOW64\Ahfmpnql.exe

Filesize
384KB

MD5
583e1f4fc72a7d510b7666f032fd0105

SHA1
ce2f9214e2c2490b6ef0eb12c46fda2264a56cc4

SHA256
b1f9e0fd487c68fa36b2e74044d148eda3cd5530c31d5c7df5df7262c0fd58ab

SHA512
e7d1893ccf27940ef5a6c48cf1a66bc090fbe76b0ea414463d5ee2674a2338582bfb736c6209bd540d89faf2665fdb10c0bd8baf217e04d5b5da8749548600f0

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
384KB

MD5
42bc7cf8356abd329330426082deef14

SHA1
82fc7d92ad59b09222cc475f8505683ffd13f6ea

SHA256
3d74e6f097f8aedaa9d289aad3985ee6bf245208b38f37f8e3dd6f6b34cbcd5d

SHA512
b09db4e084a66ab442b7a8ec066d329075224bace334ee497c8477ac88260a6954763458bbdea325757f22ad277accd6c00a4505f41944f7f27078cf6ada4377

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
384KB

MD5
42bc7cf8356abd329330426082deef14

SHA1
82fc7d92ad59b09222cc475f8505683ffd13f6ea

SHA256
3d74e6f097f8aedaa9d289aad3985ee6bf245208b38f37f8e3dd6f6b34cbcd5d

SHA512
b09db4e084a66ab442b7a8ec066d329075224bace334ee497c8477ac88260a6954763458bbdea325757f22ad277accd6c00a4505f41944f7f27078cf6ada4377

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
384KB

MD5
4868bc8eaeeca0878116986047a2ae2a

SHA1
83203be1e52dab7f5aa6024cb040fcd1e7a00d2c

SHA256
5d3856c2c8278ad250393a8102b4754562056df9b62359656e710411e6c59dd2

SHA512
02404c2883661ea07a6f84dfa6fb9bbe3b445eb49efad40b28cc92e0c898078eeabff8cc01fceaee5323d793387255627c7684f9936b6e002849617a5cd82323

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
384KB

MD5
4868bc8eaeeca0878116986047a2ae2a

SHA1
83203be1e52dab7f5aa6024cb040fcd1e7a00d2c

SHA256
5d3856c2c8278ad250393a8102b4754562056df9b62359656e710411e6c59dd2

SHA512
02404c2883661ea07a6f84dfa6fb9bbe3b445eb49efad40b28cc92e0c898078eeabff8cc01fceaee5323d793387255627c7684f9936b6e002849617a5cd82323

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
384KB

MD5
4868bc8eaeeca0878116986047a2ae2a

SHA1
83203be1e52dab7f5aa6024cb040fcd1e7a00d2c

SHA256
5d3856c2c8278ad250393a8102b4754562056df9b62359656e710411e6c59dd2

SHA512
02404c2883661ea07a6f84dfa6fb9bbe3b445eb49efad40b28cc92e0c898078eeabff8cc01fceaee5323d793387255627c7684f9936b6e002849617a5cd82323

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
384KB

MD5
fcc4e143f65de2e13f0efe0aa0dcc2dc

SHA1
dff50582c6de56484d09c32a58421f3d6f8906e9

SHA256
25519564c6d03e1a4a18484ebce50317b09b041b42384985e5a9a37dba49e9bf

SHA512
9a3e5f17bbd075483e34e6846b2914c413508c84f844bd8bf078978b06b04f529e86996f03f24d30db8f99d4fb9561d18227963535bd1cc30aa35a41bff56ae4

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
384KB

MD5
fcc4e143f65de2e13f0efe0aa0dcc2dc

SHA1
dff50582c6de56484d09c32a58421f3d6f8906e9

SHA256
25519564c6d03e1a4a18484ebce50317b09b041b42384985e5a9a37dba49e9bf

SHA512
9a3e5f17bbd075483e34e6846b2914c413508c84f844bd8bf078978b06b04f529e86996f03f24d30db8f99d4fb9561d18227963535bd1cc30aa35a41bff56ae4

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
384KB

MD5
d184495fb78c34bc382999fd35ebc9cc

SHA1
6d47b9e12db92678ed4f29c6ca6f014821fa7590

SHA256
b651cb36ff15acf1916ff814aca5e708b99dc0b391f6f4f9ac46ed39395a7a5f

SHA512
282501a812d3f64470982704c73eab26199a77a954a7d95786434664f93fabec2ddecb2c5208343348bea00c07c88e0255ee8546b6d11bef4028c0c7d78b3bd0

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
384KB

MD5
a83750243a5c00b072514537cbd7baca

SHA1
0ad54af8b38b062fbbb81474a101c71c168bb3fe

SHA256
a2fa7af6a1239ac6e3f2a9d9856ca5d32eda778906cad10f2bc17f38e77b6dd5

SHA512
713faf8965ffeeb91e2ba05bf136a423fbfbfb52cfe047f3d521b5da07d4958fd4466bba92476700764b02d957c7815861dc833d60ca3cabbd6bb43406ad7d89

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
384KB

MD5
a83750243a5c00b072514537cbd7baca

SHA1
0ad54af8b38b062fbbb81474a101c71c168bb3fe

SHA256
a2fa7af6a1239ac6e3f2a9d9856ca5d32eda778906cad10f2bc17f38e77b6dd5

SHA512
713faf8965ffeeb91e2ba05bf136a423fbfbfb52cfe047f3d521b5da07d4958fd4466bba92476700764b02d957c7815861dc833d60ca3cabbd6bb43406ad7d89

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
384KB

MD5
9a8044aa232803a9c5eafebdbc19c0b0

SHA1
c7a49642691d8bcbd249203d47585fb265299101

SHA256
8def34b8990630d801847f359309eea135b01862cd24fc981d1907e9a1a42275

SHA512
577a013bb2c976ca4d5977920cb1ec85ae62d5bf956c2467a1c1547c3f75319aaf6f217fac4973934ab0d22990770e014bb2978dcae76087fa4b63e48ea295f5

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
384KB

MD5
9a8044aa232803a9c5eafebdbc19c0b0

SHA1
c7a49642691d8bcbd249203d47585fb265299101

SHA256
8def34b8990630d801847f359309eea135b01862cd24fc981d1907e9a1a42275

SHA512
577a013bb2c976ca4d5977920cb1ec85ae62d5bf956c2467a1c1547c3f75319aaf6f217fac4973934ab0d22990770e014bb2978dcae76087fa4b63e48ea295f5

Download Submit
C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
384KB

MD5
d184495fb78c34bc382999fd35ebc9cc

SHA1
6d47b9e12db92678ed4f29c6ca6f014821fa7590

SHA256
b651cb36ff15acf1916ff814aca5e708b99dc0b391f6f4f9ac46ed39395a7a5f

SHA512
282501a812d3f64470982704c73eab26199a77a954a7d95786434664f93fabec2ddecb2c5208343348bea00c07c88e0255ee8546b6d11bef4028c0c7d78b3bd0

Download Submit
C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
384KB

MD5
d184495fb78c34bc382999fd35ebc9cc

SHA1
6d47b9e12db92678ed4f29c6ca6f014821fa7590

SHA256
b651cb36ff15acf1916ff814aca5e708b99dc0b391f6f4f9ac46ed39395a7a5f

SHA512
282501a812d3f64470982704c73eab26199a77a954a7d95786434664f93fabec2ddecb2c5208343348bea00c07c88e0255ee8546b6d11bef4028c0c7d78b3bd0

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
384KB

MD5
5569aba9a51beb38585b2738857bf1f7

SHA1
04343f20e56f457c2e300d09bdef60371356a26c

SHA256
c5287f5315248a82369ecdd44014c7a9e07bc1db6cacab2194a1006fc04469eb

SHA512
5b3c1c0cbae4cc2a934b0fd07dc0d7efa3a5f785ee7cc4e3b8823a1f6f0c63b97ec6b5c53cbd4ccaa478320225ba85dc87d3f882bb90454c75efc614144754b6

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
384KB

MD5
5569aba9a51beb38585b2738857bf1f7

SHA1
04343f20e56f457c2e300d09bdef60371356a26c

SHA256
c5287f5315248a82369ecdd44014c7a9e07bc1db6cacab2194a1006fc04469eb

SHA512
5b3c1c0cbae4cc2a934b0fd07dc0d7efa3a5f785ee7cc4e3b8823a1f6f0c63b97ec6b5c53cbd4ccaa478320225ba85dc87d3f882bb90454c75efc614144754b6

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
384KB

MD5
9bac8d26fc0615e7f547c98dd0de240e

SHA1
da456009f8d655e31044f5604c52bd259a8c1c82

SHA256
128369cc54abdaf71d7701c1ff69dedc699c7da11b60a172c7ffe23e9d9c4d6f

SHA512
daa79dbc34cd97c1b9f4c9fc093b0bf3f36de48db0b1eab6f95153e944b6cc826bab41ca6633e73f46754ffbafb7e0b9552f299267f9bbf595bd451a77faab85

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
384KB

MD5
9bac8d26fc0615e7f547c98dd0de240e

SHA1
da456009f8d655e31044f5604c52bd259a8c1c82

SHA256
128369cc54abdaf71d7701c1ff69dedc699c7da11b60a172c7ffe23e9d9c4d6f

SHA512
daa79dbc34cd97c1b9f4c9fc093b0bf3f36de48db0b1eab6f95153e944b6cc826bab41ca6633e73f46754ffbafb7e0b9552f299267f9bbf595bd451a77faab85

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
384KB

MD5
043d3dd8565f06709b1cb64d8e4adc34

SHA1
9cc888cd17c75a9ee833b3e4e7ec30bb85c85003

SHA256
1bb610a7fe0d80fd9d9480361c569036255319d9217a4b069e09938c6f24be2d

SHA512
13cffd7b67bd24a178478c91c55c33447ff62f2c60ce608730fcb56e765e71e73742ee621459331140a38113bd59c386d59070eb5f0f7bee6aec70ce84b74677

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
384KB

MD5
043d3dd8565f06709b1cb64d8e4adc34

SHA1
9cc888cd17c75a9ee833b3e4e7ec30bb85c85003

SHA256
1bb610a7fe0d80fd9d9480361c569036255319d9217a4b069e09938c6f24be2d

SHA512
13cffd7b67bd24a178478c91c55c33447ff62f2c60ce608730fcb56e765e71e73742ee621459331140a38113bd59c386d59070eb5f0f7bee6aec70ce84b74677

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
384KB

MD5
5569aba9a51beb38585b2738857bf1f7

SHA1
04343f20e56f457c2e300d09bdef60371356a26c

SHA256
c5287f5315248a82369ecdd44014c7a9e07bc1db6cacab2194a1006fc04469eb

SHA512
5b3c1c0cbae4cc2a934b0fd07dc0d7efa3a5f785ee7cc4e3b8823a1f6f0c63b97ec6b5c53cbd4ccaa478320225ba85dc87d3f882bb90454c75efc614144754b6

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
384KB

MD5
220db39701fb6ee9511c1cfa9961e790

SHA1
0768372acf942b8da3be52d9fdef6e1dba1d8d49

SHA256
b97185231724115425fd4deba51ed4e0a0698873faa20404438ca8a614c43d5f

SHA512
b317c28273eb0a39e4d72177066fe2a91148d65c659274acd760f2627c83305981725104ab6d3ca6ab2762712c4c9c47a8088fa8dbd685723074964456f12b10

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
384KB

MD5
220db39701fb6ee9511c1cfa9961e790

SHA1
0768372acf942b8da3be52d9fdef6e1dba1d8d49

SHA256
b97185231724115425fd4deba51ed4e0a0698873faa20404438ca8a614c43d5f

SHA512
b317c28273eb0a39e4d72177066fe2a91148d65c659274acd760f2627c83305981725104ab6d3ca6ab2762712c4c9c47a8088fa8dbd685723074964456f12b10

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
384KB

MD5
eb6e9c350d3a35bad792b6ca56bafe19

SHA1
9a5ec660c466ad46e67c48141bc8082db836e78e

SHA256
bc9e2503e82a7f7a4490f8738938867edf357f75a25df5b26854f6046e93523c

SHA512
9dc7de110d965f0c3039d3f49ff9c37b01a65812d47d43f8d0bdb2fd25400d6a4a1367e1167182b1789e963d6c21e6e8ba1047e6c9df89d9714f1c2ecd8869cd

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
384KB

MD5
eb6e9c350d3a35bad792b6ca56bafe19

SHA1
9a5ec660c466ad46e67c48141bc8082db836e78e

SHA256
bc9e2503e82a7f7a4490f8738938867edf357f75a25df5b26854f6046e93523c

SHA512
9dc7de110d965f0c3039d3f49ff9c37b01a65812d47d43f8d0bdb2fd25400d6a4a1367e1167182b1789e963d6c21e6e8ba1047e6c9df89d9714f1c2ecd8869cd

Download Submit
C:\Windows\SysWOW64\Mogcihaj.exe

Filesize
384KB

MD5
e89d1e298dc230d841d7e91df2f39b0e

SHA1
8d5f9935f635529ef3815508ba923aa40da42cd4

SHA256
2b7d22119dff3bd1390f5101db2fd113174e046e74aab19abce69854160f3714

SHA512
52a0f0742db65587691119c04cbbcd3b829e8ca654ab7cea0206a91717c313beb3479c0619160fa8a6419118946152e778de1f1b1575e3ba5191911b03c20180

Download Submit
C:\Windows\SysWOW64\Mogcihaj.exe

Filesize
384KB

MD5
e89d1e298dc230d841d7e91df2f39b0e

SHA1
8d5f9935f635529ef3815508ba923aa40da42cd4

SHA256
2b7d22119dff3bd1390f5101db2fd113174e046e74aab19abce69854160f3714

SHA512
52a0f0742db65587691119c04cbbcd3b829e8ca654ab7cea0206a91717c313beb3479c0619160fa8a6419118946152e778de1f1b1575e3ba5191911b03c20180

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
384KB

MD5
87760501ac4acb9a9c3d3e4a281dc31d

SHA1
a741e3c1f72d2ee2ebb692a3fa3f5360cbcd2624

SHA256
41bef87b7e15828b54e02838dd37b65eb863bfa8e328d817d525b06bb0e060c2

SHA512
8a78c7d626fe7b352bdac67f2e581301a5c6607d2ec2c1ec374b51af7e6b1425c119bd79c4c9b1ad0126654fe8cbfcdca8dd6bf5af8807f3cdedf2f9ee344c6a

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
384KB

MD5
87760501ac4acb9a9c3d3e4a281dc31d

SHA1
a741e3c1f72d2ee2ebb692a3fa3f5360cbcd2624

SHA256
41bef87b7e15828b54e02838dd37b65eb863bfa8e328d817d525b06bb0e060c2

SHA512
8a78c7d626fe7b352bdac67f2e581301a5c6607d2ec2c1ec374b51af7e6b1425c119bd79c4c9b1ad0126654fe8cbfcdca8dd6bf5af8807f3cdedf2f9ee344c6a

Download Submit
C:\Windows\SysWOW64\Nflkbanj.exe

Filesize
384KB

MD5
e3574f6192bb81db3d81629c45ba22be

SHA1
0ea877da9cd623e79808a8e32368d1f6db38ba2b

SHA256
f002bb568d9d9b7e737d12d5df332dd5910e28155ab6561f31b68315429d79c7

SHA512
945c660cd595b35a1e5401351eabfde46a04731ecdc0174b0d93660a503edb8734da99ead7be311efe5e8cb44257ceaa90ab5704a75856ddb90496edc3500676

Download Submit
C:\Windows\SysWOW64\Nflkbanj.exe

Filesize
384KB

MD5
e3574f6192bb81db3d81629c45ba22be

SHA1
0ea877da9cd623e79808a8e32368d1f6db38ba2b

SHA256
f002bb568d9d9b7e737d12d5df332dd5910e28155ab6561f31b68315429d79c7

SHA512
945c660cd595b35a1e5401351eabfde46a04731ecdc0174b0d93660a503edb8734da99ead7be311efe5e8cb44257ceaa90ab5704a75856ddb90496edc3500676

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
384KB

MD5
9ba3ca5d2b44c860097169657dcddcdd

SHA1
f234828caad6c5a254bd6fdb00ff46091c12ee46

SHA256
4831a74ffb44e7f67c24197b36280097cfd4cc9e5f405ce3c738374387803e7c

SHA512
1323ddc42036b1523cdb957f9436bdbe7947af16ec82d0b467d503464b7bfd753f09a555a8572fe0de7123f7e6cd32f709df1b4a65b4183a1b1d4b5b7003f3fc

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
384KB

MD5
9ba3ca5d2b44c860097169657dcddcdd

SHA1
f234828caad6c5a254bd6fdb00ff46091c12ee46

SHA256
4831a74ffb44e7f67c24197b36280097cfd4cc9e5f405ce3c738374387803e7c

SHA512
1323ddc42036b1523cdb957f9436bdbe7947af16ec82d0b467d503464b7bfd753f09a555a8572fe0de7123f7e6cd32f709df1b4a65b4183a1b1d4b5b7003f3fc

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
384KB

MD5
d0c5f3304281b4c11c6b868864fdbe87

SHA1
1e2c25527567f2d04f529bb06877fdb74fe257dd

SHA256
70f7669f2a0e0e2839260b1b1c92d5abe5726aaa145362a41c5d1eed326327ab

SHA512
a37ecebf3fdbd8199e548dca2c6eaf54738c1e09551c5477113e5b6723b2ef91d26ee1b8709b7920176c27a2eeaff1a71b0568b9ef1419e8f4667bd4917c2545

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
384KB

MD5
d0c5f3304281b4c11c6b868864fdbe87

SHA1
1e2c25527567f2d04f529bb06877fdb74fe257dd

SHA256
70f7669f2a0e0e2839260b1b1c92d5abe5726aaa145362a41c5d1eed326327ab

SHA512
a37ecebf3fdbd8199e548dca2c6eaf54738c1e09551c5477113e5b6723b2ef91d26ee1b8709b7920176c27a2eeaff1a71b0568b9ef1419e8f4667bd4917c2545

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
384KB

MD5
3c8eb22b2105794c766e43de41292984

SHA1
40b287161908514855f666c7a47fd9100fe83a99

SHA256
dab851add792ed369878c17d29703c36b00d39573d460e8076a6e2c087996deb

SHA512
3ef90c19970ca3e86fb4fd6912d635d3c58b65079633bdc575b4e866adadd4ccb832191023e125f368b1856ef06ae0b0496393f2c6c4f61389a0f791aa5ba25b

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
384KB

MD5
3c8eb22b2105794c766e43de41292984

SHA1
40b287161908514855f666c7a47fd9100fe83a99

SHA256
dab851add792ed369878c17d29703c36b00d39573d460e8076a6e2c087996deb

SHA512
3ef90c19970ca3e86fb4fd6912d635d3c58b65079633bdc575b4e866adadd4ccb832191023e125f368b1856ef06ae0b0496393f2c6c4f61389a0f791aa5ba25b

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
384KB

MD5
c5bf8d3305ea110c52115c16d7479418

SHA1
238de974deb18ddd482532d55ff43ea0e133d2d9

SHA256
c8cb6d6cfded8225968eba3d080bf133a8d3e2529dfb148e5fd8b1f2c9d9f6c5

SHA512
1df863cf3cd8a03c30627c6e312e5f73f043a758be0cbb3f9c173a01268953b826ab230ad0adfe927bf9bd03e4c15167943d2612a0b4e8e5a61ca97f2c211245

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
384KB

MD5
c5bf8d3305ea110c52115c16d7479418

SHA1
238de974deb18ddd482532d55ff43ea0e133d2d9

SHA256
c8cb6d6cfded8225968eba3d080bf133a8d3e2529dfb148e5fd8b1f2c9d9f6c5

SHA512
1df863cf3cd8a03c30627c6e312e5f73f043a758be0cbb3f9c173a01268953b826ab230ad0adfe927bf9bd03e4c15167943d2612a0b4e8e5a61ca97f2c211245

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
384KB

MD5
b271936ebc1d652d67f8b37d918bae87

SHA1
033a72b4b7bf865101a8353c2d80fa379f7d3df4

SHA256
4a99356f159a6b7f51aed62398e29a15fe344ace41faccf765142ffab5b1227f

SHA512
02faf2284a0d9d96603182200b8021f58ec628da7ad4299a64bc69323d4cba925795c6515f3155918ae13769c1cc8a11a3f4ccaab7abf62ecd8ae6d6fefc6f2f

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
384KB

MD5
b271936ebc1d652d67f8b37d918bae87

SHA1
033a72b4b7bf865101a8353c2d80fa379f7d3df4

SHA256
4a99356f159a6b7f51aed62398e29a15fe344ace41faccf765142ffab5b1227f

SHA512
02faf2284a0d9d96603182200b8021f58ec628da7ad4299a64bc69323d4cba925795c6515f3155918ae13769c1cc8a11a3f4ccaab7abf62ecd8ae6d6fefc6f2f

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
384KB

MD5
b271936ebc1d652d67f8b37d918bae87

SHA1
033a72b4b7bf865101a8353c2d80fa379f7d3df4

SHA256
4a99356f159a6b7f51aed62398e29a15fe344ace41faccf765142ffab5b1227f

SHA512
02faf2284a0d9d96603182200b8021f58ec628da7ad4299a64bc69323d4cba925795c6515f3155918ae13769c1cc8a11a3f4ccaab7abf62ecd8ae6d6fefc6f2f

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
384KB

MD5
631b21abb2cbd8aee9e260f618040650

SHA1
96d048b3e7663ebcde5dc5db6b1480de4edfb7a2

SHA256
1d141af8bf30024dee72cbbf5b0634eeb8e51a3e41f4b80dfb7e4c409ef4abbc

SHA512
dbb02374e690b76dd6f6e4689cf31bc4a04436ef3c50653f0c024de659f0728fcadc9cdec72c5467af80ad6d603ec4996625d1836ae852aab73673a2b0bb48ac

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
384KB

MD5
631b21abb2cbd8aee9e260f618040650

SHA1
96d048b3e7663ebcde5dc5db6b1480de4edfb7a2

SHA256
1d141af8bf30024dee72cbbf5b0634eeb8e51a3e41f4b80dfb7e4c409ef4abbc

SHA512
dbb02374e690b76dd6f6e4689cf31bc4a04436ef3c50653f0c024de659f0728fcadc9cdec72c5467af80ad6d603ec4996625d1836ae852aab73673a2b0bb48ac

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
384KB

MD5
7af450365ce5da3229e2686bfdd67628

SHA1
118fcfd7d4c650b2a255fb87d46dd029521a0d6d

SHA256
4cfb790759041eb0146063bf754ce0b873e2530afa640d154d9f0f03b3a9a01e

SHA512
826b4037b51bddff84127ada6f32effbacffead14caeaee6f70911b17210fcd7c1ff76d6e1514609964366bd9f9d2d4adf0cd82a467a343e7d536398d28f6e68

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
384KB

MD5
7af450365ce5da3229e2686bfdd67628

SHA1
118fcfd7d4c650b2a255fb87d46dd029521a0d6d

SHA256
4cfb790759041eb0146063bf754ce0b873e2530afa640d154d9f0f03b3a9a01e

SHA512
826b4037b51bddff84127ada6f32effbacffead14caeaee6f70911b17210fcd7c1ff76d6e1514609964366bd9f9d2d4adf0cd82a467a343e7d536398d28f6e68

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
384KB

MD5
7af450365ce5da3229e2686bfdd67628

SHA1
118fcfd7d4c650b2a255fb87d46dd029521a0d6d

SHA256
4cfb790759041eb0146063bf754ce0b873e2530afa640d154d9f0f03b3a9a01e

SHA512
826b4037b51bddff84127ada6f32effbacffead14caeaee6f70911b17210fcd7c1ff76d6e1514609964366bd9f9d2d4adf0cd82a467a343e7d536398d28f6e68

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
384KB

MD5
76af7c46fce4e3e10f3d85d00361be5b

SHA1
63acf75613e8c8dc2054da02560a63e0f2ea9699

SHA256
43ab7170a069f248e639005214faeaa1661b686951186cbbdc60a29df8196e14

SHA512
0c65456c3e55d06974c250695b4497233401dd0a787307ee56badefc9ab8362da21081ab27fdfef7417ddb0fcad59eeb0b3c8fe4e1f43a87d6bf8257106612df

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
384KB

MD5
76af7c46fce4e3e10f3d85d00361be5b

SHA1
63acf75613e8c8dc2054da02560a63e0f2ea9699

SHA256
43ab7170a069f248e639005214faeaa1661b686951186cbbdc60a29df8196e14

SHA512
0c65456c3e55d06974c250695b4497233401dd0a787307ee56badefc9ab8362da21081ab27fdfef7417ddb0fcad59eeb0b3c8fe4e1f43a87d6bf8257106612df

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
384KB

MD5
ce800b77f7a7ce588447c1e2db356dab

SHA1
13cbe015f5cceb5501b5fa99f57a39ffaea80548

SHA256
325d98ef2b7c4c6fdd8682e64a59c71f91921da36c5ae0fa15ed84211afabfce

SHA512
d97f74604db24aa46db1c063335cb215a91f8a568e5af37056787cf82b4aed4683d3373b2e747f1ce7ba158b85f510841ae011a59c81abcbd832a904c31628b2

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
384KB

MD5
ce800b77f7a7ce588447c1e2db356dab

SHA1
13cbe015f5cceb5501b5fa99f57a39ffaea80548

SHA256
325d98ef2b7c4c6fdd8682e64a59c71f91921da36c5ae0fa15ed84211afabfce

SHA512
d97f74604db24aa46db1c063335cb215a91f8a568e5af37056787cf82b4aed4683d3373b2e747f1ce7ba158b85f510841ae011a59c81abcbd832a904c31628b2

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
384KB

MD5
ae1ba9e146bc32db76de4f373897f62d

SHA1
7492d02f3ed3272c5fb740450bf647dab5ae9efc

SHA256
5577b150188fc12d3cc7af27f29b34256dae06d5e2f4fef817fe573c4842bd85

SHA512
8305e96a37e67aebd87e8d33455529e71adcd1b1c080385bce1d1aac738918aa0e13efae39dd6b42362e6d3c7d2e85b5de7e8eb4eb8efc2c51df877966d38162

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
384KB

MD5
ae1ba9e146bc32db76de4f373897f62d

SHA1
7492d02f3ed3272c5fb740450bf647dab5ae9efc

SHA256
5577b150188fc12d3cc7af27f29b34256dae06d5e2f4fef817fe573c4842bd85

SHA512
8305e96a37e67aebd87e8d33455529e71adcd1b1c080385bce1d1aac738918aa0e13efae39dd6b42362e6d3c7d2e85b5de7e8eb4eb8efc2c51df877966d38162

Download Submit
C:\Windows\SysWOW64\Pfdjinjo.exe

Filesize
384KB

MD5
c69cbd3154cd2ba536a842d791c0255a

SHA1
cb03659177541a3466c83b4e99405521559775bb

SHA256
dad97c04f6c1c753a3287ba7772cee6e29ad1b5c7b26de528e501a9d2d2ab0b5

SHA512
52b9c37bbc301719cdbf8c43c0e5070a4e2365903cc88c9ddefa64d27fd59ce7d56f583e6e77aa3dcb272ca655add990ce0a89d1f24e3b71a4f2570b64dee679

Download Submit
C:\Windows\SysWOW64\Pfdjinjo.exe

Filesize
384KB

MD5
c69cbd3154cd2ba536a842d791c0255a

SHA1
cb03659177541a3466c83b4e99405521559775bb

SHA256
dad97c04f6c1c753a3287ba7772cee6e29ad1b5c7b26de528e501a9d2d2ab0b5

SHA512
52b9c37bbc301719cdbf8c43c0e5070a4e2365903cc88c9ddefa64d27fd59ce7d56f583e6e77aa3dcb272ca655add990ce0a89d1f24e3b71a4f2570b64dee679

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
384KB

MD5
b47d78f8be23c9de840eb043667b096f

SHA1
17a1c46aed60a55711c8aefbb453d1ef3d707eba

SHA256
b00c04d9ab9133b6f71552e4cdf1e3321b568358294f4f0986030fc4b16501c8

SHA512
b158934df4b694081b4fba1960f9b21c6219934f27ddffe8e26f873619a5d7681662ff0dbbac7f00bdeac127f062fa088f7dccc938cfce40669c019d5c5d534a

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
384KB

MD5
b47d78f8be23c9de840eb043667b096f

SHA1
17a1c46aed60a55711c8aefbb453d1ef3d707eba

SHA256
b00c04d9ab9133b6f71552e4cdf1e3321b568358294f4f0986030fc4b16501c8

SHA512
b158934df4b694081b4fba1960f9b21c6219934f27ddffe8e26f873619a5d7681662ff0dbbac7f00bdeac127f062fa088f7dccc938cfce40669c019d5c5d534a

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
384KB

MD5
e3682512b0f39cd2b6c4d11838d2a0e8

SHA1
294f99f5ad5d94ac9edeba95131e739f06c7f2fa

SHA256
42a6ba4f415e14b7e30e70ea32a0b562db877d9e5d65a4bf08840c48a088923c

SHA512
1d4fb289095e55b83600575140c15456b5dcad3b07fd47b0c5afe4f9ad4872a7933ec1c238fb34b7d01931462b256c78a7312f50c7d04b2df548da650258586b

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
384KB

MD5
e3682512b0f39cd2b6c4d11838d2a0e8

SHA1
294f99f5ad5d94ac9edeba95131e739f06c7f2fa

SHA256
42a6ba4f415e14b7e30e70ea32a0b562db877d9e5d65a4bf08840c48a088923c

SHA512
1d4fb289095e55b83600575140c15456b5dcad3b07fd47b0c5afe4f9ad4872a7933ec1c238fb34b7d01931462b256c78a7312f50c7d04b2df548da650258586b

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
384KB

MD5
bf59a243bfcbafa6d60412d1299f2e31

SHA1
28e655cfc8b8cca204c693370d221ad55071068c

SHA256
fc9d8cfaa84fbdc4193bf5eb637e4b649b1c28c121af7311fd99b76c7d165f6a

SHA512
c0991e754a691917aab9e84d716090357185566259327a669e4c2844221dfe261ac9d1fbd090cdf38a1ddf14c7aa6806361d489e4cafa09639d005281622ed21

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
384KB

MD5
bf59a243bfcbafa6d60412d1299f2e31

SHA1
28e655cfc8b8cca204c693370d221ad55071068c

SHA256
fc9d8cfaa84fbdc4193bf5eb637e4b649b1c28c121af7311fd99b76c7d165f6a

SHA512
c0991e754a691917aab9e84d716090357185566259327a669e4c2844221dfe261ac9d1fbd090cdf38a1ddf14c7aa6806361d489e4cafa09639d005281622ed21

Download Submit
memory/220-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads