8f50093c40fc28044ffc1d0e131d10215e0f31e3407efd12e7fe2ca6d789184d

Analysis

max time kernel
43s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2023 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe
Size

80KB
MD5

cc889a69fd70ffcb11bc62eb404b3730
SHA1

97291f6d2b147d36c54f3442a30cc2da5e99dd9f
SHA256

8f50093c40fc28044ffc1d0e131d10215e0f31e3407efd12e7fe2ca6d789184d
SHA512

8c181fdf771fc2b1248d4178924fb373d85bd5260d5d820210dafa8038fb8bbc4ca83dea62b6f81f7567a06770643a47cb62effb2bc09d21f893265587ff5347
SSDEEP

1536:rfPbAx062SvKNHrPfvhR16OeV42ILe7e2LtZwfi+TjRC/6i:rfP85vvELXMjsLyzwf1TjYL

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlmegd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiomnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miflehaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iheaqolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlbdba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agiahlkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljglnmdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmmgae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cejjdlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlmegd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dehgejep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebnddn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgeadjai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Capkim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebnddn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eihlahjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lihpdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmmgae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlbdba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agiahlkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dehgejep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glngep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miflehaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjpkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbcjimda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlbllc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capkim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eblgon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbggkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmbib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkofofbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lihpdj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlbllc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgeadjai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbggkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glngep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jchaoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jchaoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiomnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cejjdlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljglnmdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbcjimda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akopoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eihlahjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmbib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmkbeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iheaqolo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkofofbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmkbeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akopoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjpkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eblgon32.exe

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/4060-0-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/4060-1-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022ca9-7.dat	family_berbew
behavioral2/memory/4328-8-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022ca9-9.dat	family_berbew
behavioral2/files/0x0008000000022cac-15.dat	family_berbew
behavioral2/memory/1960-16-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022cac-17.dat	family_berbew
behavioral2/files/0x0008000000022cae-23.dat	family_berbew
behavioral2/files/0x0008000000022cae-24.dat	family_berbew
behavioral2/memory/5088-25-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0009000000022cb4-31.dat	family_berbew
behavioral2/memory/3528-32-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0009000000022cb4-33.dat	family_berbew
behavioral2/files/0x0007000000022cb6-39.dat	family_berbew
behavioral2/files/0x0007000000022cb6-41.dat	family_berbew
behavioral2/memory/3260-40-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cba-46.dat	family_berbew
behavioral2/memory/3996-48-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cba-49.dat	family_berbew
behavioral2/files/0x0006000000022cbc-55.dat	family_berbew
behavioral2/files/0x0006000000022cbc-57.dat	family_berbew
behavioral2/memory/3984-56-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cbe-63.dat	family_berbew
behavioral2/memory/432-64-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cbe-65.dat	family_berbew
behavioral2/files/0x0006000000022cc0-71.dat	family_berbew
behavioral2/memory/2272-72-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cc0-73.dat	family_berbew
behavioral2/files/0x0006000000022cc2-79.dat	family_berbew
behavioral2/files/0x0006000000022cc2-81.dat	family_berbew
behavioral2/memory/4060-80-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/2040-85-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cc4-88.dat	family_berbew
behavioral2/memory/2788-89-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cc4-90.dat	family_berbew
behavioral2/files/0x0006000000022cc6-96.dat	family_berbew
behavioral2/files/0x0006000000022cc6-98.dat	family_berbew
behavioral2/memory/3552-97-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cc8-104.dat	family_berbew
behavioral2/memory/1292-105-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cc8-106.dat	family_berbew
behavioral2/files/0x0006000000022cca-111.dat	family_berbew
behavioral2/memory/3416-113-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cca-114.dat	family_berbew
behavioral2/files/0x0006000000022ccc-115.dat	family_berbew
behavioral2/files/0x0006000000022ccc-120.dat	family_berbew
behavioral2/files/0x0006000000022ccc-122.dat	family_berbew
behavioral2/memory/648-121-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cce-130.dat	family_berbew
behavioral2/memory/4380-129-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cce-128.dat	family_berbew
behavioral2/files/0x00040000000220a1-136.dat	family_berbew
behavioral2/memory/2436-137-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x00040000000220a1-138.dat	family_berbew
behavioral2/files/0x00060000000213ba-144.dat	family_berbew
behavioral2/files/0x00060000000213ba-146.dat	family_berbew
behavioral2/memory/2836-145-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cd6-152.dat	family_berbew
behavioral2/memory/408-153-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cd6-154.dat	family_berbew
behavioral2/files/0x0006000000022cd8-160.dat	family_berbew
behavioral2/memory/720-161-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cd8-162.dat	family_berbew

Executes dropped EXE 26 IoCs

pid	Process
4328	Agiahlkf.exe
1960	Akopoi32.exe
5088	Bgeadjai.exe
3528	Bkjpkg32.exe
3260	Cejjdlap.exe
3996	Capkim32.exe
3984	Dlmegd32.exe
432	Dehgejep.exe
2272	Eblgon32.exe
2040	Ebnddn32.exe
2788	Eihlahjd.exe
3552	Fbggkl32.exe
1292	Ghmbib32.exe
3416	Glngep32.exe
648	Iheaqolo.exe
4380	Jchaoe32.exe
2436	Kiomnk32.exe
2836	Kkofofbb.exe
408	Lihpdj32.exe
720	Ljglnmdi.exe
1812	Lmkbeg32.exe
4448	Mlbllc32.exe
524	Miflehaf.exe
2164	Mbcjimda.exe
1528	Nmmgae32.exe
4264	Nlbdba32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cejjdlap.exe	Bkjpkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cejjdlap.exe	Bkjpkg32.exe
File opened for modification	C:\Windows\SysWOW64\Lmkbeg32.exe	Ljglnmdi.exe
File created	C:\Windows\SysWOW64\Kgnonhdl.dll	Mlbllc32.exe
File created	C:\Windows\SysWOW64\Ppehbl32.dll	Agiahlkf.exe
File opened for modification	C:\Windows\SysWOW64\Bgeadjai.exe	Akopoi32.exe
File created	C:\Windows\SysWOW64\Eblgon32.exe	Dehgejep.exe
File created	C:\Windows\SysWOW64\Deenhilj.dll	Dehgejep.exe
File created	C:\Windows\SysWOW64\Ebnddn32.exe	Eblgon32.exe
File opened for modification	C:\Windows\SysWOW64\Ljglnmdi.exe	Lihpdj32.exe
File opened for modification	C:\Windows\SysWOW64\Nmmgae32.exe	Mbcjimda.exe
File created	C:\Windows\SysWOW64\Apjppniq.dll	Dlmegd32.exe
File created	C:\Windows\SysWOW64\Glngep32.exe	Ghmbib32.exe
File opened for modification	C:\Windows\SysWOW64\Jchaoe32.exe	Iheaqolo.exe
File opened for modification	C:\Windows\SysWOW64\Nleaha32.exe	Nlbdba32.exe
File opened for modification	C:\Windows\SysWOW64\Capkim32.exe	Cejjdlap.exe
File created	C:\Windows\SysWOW64\Dehgejep.exe	Dlmegd32.exe
File opened for modification	C:\Windows\SysWOW64\Iheaqolo.exe	Glngep32.exe
File created	C:\Windows\SysWOW64\Miflehaf.exe	Mlbllc32.exe
File opened for modification	C:\Windows\SysWOW64\Mbcjimda.exe	Miflehaf.exe
File created	C:\Windows\SysWOW64\Nmmgae32.exe	Mbcjimda.exe
File created	C:\Windows\SysWOW64\Mfomiaim.dll	Akopoi32.exe
File opened for modification	C:\Windows\SysWOW64\Fbggkl32.exe	Eihlahjd.exe
File created	C:\Windows\SysWOW64\Ijjgbqlh.dll	Glngep32.exe
File created	C:\Windows\SysWOW64\Kkofofbb.exe	Kiomnk32.exe
File created	C:\Windows\SysWOW64\Miikdm32.dll	Kkofofbb.exe
File opened for modification	C:\Windows\SysWOW64\Miflehaf.exe	Mlbllc32.exe
File created	C:\Windows\SysWOW64\Fnchgmkg.dll	Jchaoe32.exe
File created	C:\Windows\SysWOW64\Mlbllc32.exe	Lmkbeg32.exe
File created	C:\Windows\SysWOW64\Bkjpkg32.exe	Bgeadjai.exe
File created	C:\Windows\SysWOW64\Eihlahjd.exe	Ebnddn32.exe
File created	C:\Windows\SysWOW64\Lfpiamoj.dll	Ebnddn32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmbib32.exe	Fbggkl32.exe
File created	C:\Windows\SysWOW64\Edgccoai.dll	Iheaqolo.exe
File opened for modification	C:\Windows\SysWOW64\Kiomnk32.exe	Jchaoe32.exe
File opened for modification	C:\Windows\SysWOW64\Nlbdba32.exe	Nmmgae32.exe
File created	C:\Windows\SysWOW64\Lkcancmc.dll	Bkjpkg32.exe
File created	C:\Windows\SysWOW64\Fncbmpcd.dll	Ghmbib32.exe
File created	C:\Windows\SysWOW64\Lmkbeg32.exe	Ljglnmdi.exe
File created	C:\Windows\SysWOW64\Cpdcmkpj.dll	Nmmgae32.exe
File created	C:\Windows\SysWOW64\Niaekl32.dll	Nlbdba32.exe
File created	C:\Windows\SysWOW64\Imobclfe.dll	Kiomnk32.exe
File created	C:\Windows\SysWOW64\Cikqab32.dll	Mbcjimda.exe
File created	C:\Windows\SysWOW64\Akopoi32.exe	Agiahlkf.exe
File created	C:\Windows\SysWOW64\Bgeadjai.exe	Akopoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dlmegd32.exe	Capkim32.exe
File opened for modification	C:\Windows\SysWOW64\Eihlahjd.exe	Ebnddn32.exe
File created	C:\Windows\SysWOW64\Ghmbib32.exe	Fbggkl32.exe
File created	C:\Windows\SysWOW64\Kiomnk32.exe	Jchaoe32.exe
File opened for modification	C:\Windows\SysWOW64\Akopoi32.exe	Agiahlkf.exe
File created	C:\Windows\SysWOW64\Fbggkl32.exe	Eihlahjd.exe
File created	C:\Windows\SysWOW64\Lihpdj32.exe	Kkofofbb.exe
File created	C:\Windows\SysWOW64\Meimocmb.dll	Ljglnmdi.exe
File created	C:\Windows\SysWOW64\Nogoacbd.dll	Lmkbeg32.exe
File created	C:\Windows\SysWOW64\Fnghjd32.dll	Miflehaf.exe
File created	C:\Windows\SysWOW64\Jqhdfhck.dll	NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe
File created	C:\Windows\SysWOW64\Edcijq32.dll	Capkim32.exe
File opened for modification	C:\Windows\SysWOW64\Glngep32.exe	Ghmbib32.exe
File opened for modification	C:\Windows\SysWOW64\Kkofofbb.exe	Kiomnk32.exe
File created	C:\Windows\SysWOW64\Ggfcbi32.dll	Lihpdj32.exe
File opened for modification	C:\Windows\SysWOW64\Mlbllc32.exe	Lmkbeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bkjpkg32.exe	Bgeadjai.exe
File opened for modification	C:\Windows\SysWOW64\Eblgon32.exe	Dehgejep.exe
File opened for modification	C:\Windows\SysWOW64\Lihpdj32.exe	Kkofofbb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiomnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlbllc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlbllc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edcijq32.dll"	Capkim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Capkim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dehgejep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eblgon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glngep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjppniq.dll"	Dlmegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glngep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlbdba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqhdfhck.dll"	NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebnddn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iheaqolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljglnmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miflehaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppehbl32.dll"	Agiahlkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlmegd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkofofbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cejjdlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfcbi32.dll"	Lihpdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmmgae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niaekl32.dll"	Nlbdba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cejjdlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmmgae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnghjd32.dll"	Miflehaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akopoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlmegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfpiamoj.dll"	Ebnddn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eihlahjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nogoacbd.dll"	Lmkbeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljglnmdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkjpkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcancmc.dll"	Bkjpkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deenhilj.dll"	Dehgejep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghmbib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkofofbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cikqab32.dll"	Mbcjimda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlbdba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akopoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhaop32.dll"	Eblgon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbggkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iheaqolo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmkbeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miflehaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbcjimda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkjpkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eblgon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjgbqlh.dll"	Glngep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgccoai.dll"	Iheaqolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meimocmb.dll"	Ljglnmdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agiahlkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jchaoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmkbeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdcmkpj.dll"	Nmmgae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebnddn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agiahlkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obbcmknk.dll"	Bgeadjai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Capkim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbcjimda.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4328	4060	NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe	91
PID 4060 wrote to memory of 4328	4060	NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe	91
PID 4060 wrote to memory of 4328	4060	NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe	91
PID 4328 wrote to memory of 1960	4328	Agiahlkf.exe	92
PID 4328 wrote to memory of 1960	4328	Agiahlkf.exe	92
PID 4328 wrote to memory of 1960	4328	Agiahlkf.exe	92
PID 1960 wrote to memory of 5088	1960	Akopoi32.exe	93
PID 1960 wrote to memory of 5088	1960	Akopoi32.exe	93
PID 1960 wrote to memory of 5088	1960	Akopoi32.exe	93
PID 5088 wrote to memory of 3528	5088	Bgeadjai.exe	94
PID 5088 wrote to memory of 3528	5088	Bgeadjai.exe	94
PID 5088 wrote to memory of 3528	5088	Bgeadjai.exe	94
PID 3528 wrote to memory of 3260	3528	Bkjpkg32.exe	95
PID 3528 wrote to memory of 3260	3528	Bkjpkg32.exe	95
PID 3528 wrote to memory of 3260	3528	Bkjpkg32.exe	95
PID 3260 wrote to memory of 3996	3260	Cejjdlap.exe	96
PID 3260 wrote to memory of 3996	3260	Cejjdlap.exe	96
PID 3260 wrote to memory of 3996	3260	Cejjdlap.exe	96
PID 3996 wrote to memory of 3984	3996	Capkim32.exe	97
PID 3996 wrote to memory of 3984	3996	Capkim32.exe	97
PID 3996 wrote to memory of 3984	3996	Capkim32.exe	97
PID 3984 wrote to memory of 432	3984	Dlmegd32.exe	98
PID 3984 wrote to memory of 432	3984	Dlmegd32.exe	98
PID 3984 wrote to memory of 432	3984	Dlmegd32.exe	98
PID 432 wrote to memory of 2272	432	Dehgejep.exe	99
PID 432 wrote to memory of 2272	432	Dehgejep.exe	99
PID 432 wrote to memory of 2272	432	Dehgejep.exe	99
PID 2272 wrote to memory of 2040	2272	Eblgon32.exe	100
PID 2272 wrote to memory of 2040	2272	Eblgon32.exe	100
PID 2272 wrote to memory of 2040	2272	Eblgon32.exe	100
PID 2040 wrote to memory of 2788	2040	Ebnddn32.exe	101
PID 2040 wrote to memory of 2788	2040	Ebnddn32.exe	101
PID 2040 wrote to memory of 2788	2040	Ebnddn32.exe	101
PID 2788 wrote to memory of 3552	2788	Eihlahjd.exe	102
PID 2788 wrote to memory of 3552	2788	Eihlahjd.exe	102
PID 2788 wrote to memory of 3552	2788	Eihlahjd.exe	102
PID 3552 wrote to memory of 1292	3552	Fbggkl32.exe	103
PID 3552 wrote to memory of 1292	3552	Fbggkl32.exe	103
PID 3552 wrote to memory of 1292	3552	Fbggkl32.exe	103
PID 1292 wrote to memory of 3416	1292	Ghmbib32.exe	105
PID 1292 wrote to memory of 3416	1292	Ghmbib32.exe	105
PID 1292 wrote to memory of 3416	1292	Ghmbib32.exe	105
PID 3416 wrote to memory of 648	3416	Glngep32.exe	106
PID 3416 wrote to memory of 648	3416	Glngep32.exe	106
PID 3416 wrote to memory of 648	3416	Glngep32.exe	106
PID 648 wrote to memory of 4380	648	Iheaqolo.exe	107
PID 648 wrote to memory of 4380	648	Iheaqolo.exe	107
PID 648 wrote to memory of 4380	648	Iheaqolo.exe	107
PID 4380 wrote to memory of 2436	4380	Jchaoe32.exe	108
PID 4380 wrote to memory of 2436	4380	Jchaoe32.exe	108
PID 4380 wrote to memory of 2436	4380	Jchaoe32.exe	108
PID 2436 wrote to memory of 2836	2436	Kiomnk32.exe	109
PID 2436 wrote to memory of 2836	2436	Kiomnk32.exe	109
PID 2436 wrote to memory of 2836	2436	Kiomnk32.exe	109
PID 2836 wrote to memory of 408	2836	Kkofofbb.exe	110
PID 2836 wrote to memory of 408	2836	Kkofofbb.exe	110
PID 2836 wrote to memory of 408	2836	Kkofofbb.exe	110
PID 408 wrote to memory of 720	408	Lihpdj32.exe	111
PID 408 wrote to memory of 720	408	Lihpdj32.exe	111
PID 408 wrote to memory of 720	408	Lihpdj32.exe	111
PID 720 wrote to memory of 1812	720	Ljglnmdi.exe	112
PID 720 wrote to memory of 1812	720	Ljglnmdi.exe	112
PID 720 wrote to memory of 1812	720	Ljglnmdi.exe	112
PID 1812 wrote to memory of 4448	1812	Lmkbeg32.exe	113

C:\Users\Admin\AppData\Local\Temp\NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cc889a69fd70ffcb11bc62eb404b3730.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\SysWOW64\Agiahlkf.exe
  C:\Windows\system32\Agiahlkf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\Akopoi32.exe
    C:\Windows\system32\Akopoi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\Bgeadjai.exe
      C:\Windows\system32\Bgeadjai.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Windows\SysWOW64\Bkjpkg32.exe
        
        C:\Windows\system32\Bkjpkg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
      - C:\Windows\SysWOW64\Cejjdlap.exe
        
        C:\Windows\system32\Cejjdlap.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Capkim32.exe
        
        C:\Windows\system32\Capkim32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Dlmegd32.exe
        
        C:\Windows\system32\Dlmegd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Dehgejep.exe
        
        C:\Windows\system32\Dehgejep.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Eblgon32.exe
        
        C:\Windows\system32\Eblgon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ebnddn32.exe
        
        C:\Windows\system32\Ebnddn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Eihlahjd.exe
        
        C:\Windows\system32\Eihlahjd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Fbggkl32.exe
        
        C:\Windows\system32\Fbggkl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Ghmbib32.exe
        
        C:\Windows\system32\Ghmbib32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Glngep32.exe
        
        C:\Windows\system32\Glngep32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Iheaqolo.exe
        
        C:\Windows\system32\Iheaqolo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Jchaoe32.exe
        
        C:\Windows\system32\Jchaoe32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Kiomnk32.exe
        
        C:\Windows\system32\Kiomnk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Kkofofbb.exe
        
        C:\Windows\system32\Kkofofbb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Lihpdj32.exe
        
        C:\Windows\system32\Lihpdj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Ljglnmdi.exe
        
        C:\Windows\system32\Ljglnmdi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Lmkbeg32.exe
        
        C:\Windows\system32\Lmkbeg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Mlbllc32.exe
        
        C:\Windows\system32\Mlbllc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Miflehaf.exe
        
        C:\Windows\system32\Miflehaf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Mbcjimda.exe
        
        C:\Windows\system32\Mbcjimda.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Nmmgae32.exe
        
        C:\Windows\system32\Nmmgae32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Nlbdba32.exe
        
        C:\Windows\system32\Nlbdba32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agiahlkf.exe

Filesize
80KB

MD5
0724c3cf27b2f030e72c6ceb6c8407eb

SHA1
40a4b385c74db159a75217fa67ccd3aed7a1ac8c

SHA256
dce80cf8dc407781dfbd0d465bcb12b9da86f846687041a8bd1165a1adb10422

SHA512
25e2ab0117c1e0e398169c848e552c8145c135a192341c28096a1263ededcbbbf4015ada62b11c58b8edac2abbe514f186f770ca2de437ba3cf58b956e0ea40d

Download Submit
C:\Windows\SysWOW64\Agiahlkf.exe

Filesize
80KB

MD5
0724c3cf27b2f030e72c6ceb6c8407eb

SHA1
40a4b385c74db159a75217fa67ccd3aed7a1ac8c

SHA256
dce80cf8dc407781dfbd0d465bcb12b9da86f846687041a8bd1165a1adb10422

SHA512
25e2ab0117c1e0e398169c848e552c8145c135a192341c28096a1263ededcbbbf4015ada62b11c58b8edac2abbe514f186f770ca2de437ba3cf58b956e0ea40d

Download Submit
C:\Windows\SysWOW64\Akopoi32.exe

Filesize
80KB

MD5
df5c4e20dd509d511ec46f022b1aa1f2

SHA1
6575c320ec678da5a8da29b2ac74318be8458a90

SHA256
7654963001ebb20ae2f614b16a851b103395b61e2071787ee664f244ec2b689a

SHA512
219a591ccb4348d72c57ecb63f65f93d96c042b86a57f70fff40a2bee78102f7eeec9bb8f41c5e8d5b1e5ee6fa53f2d3f266f66dc847876a0193a32cd85cd017

Download Submit
C:\Windows\SysWOW64\Akopoi32.exe

Filesize
80KB

MD5
df5c4e20dd509d511ec46f022b1aa1f2

SHA1
6575c320ec678da5a8da29b2ac74318be8458a90

SHA256
7654963001ebb20ae2f614b16a851b103395b61e2071787ee664f244ec2b689a

SHA512
219a591ccb4348d72c57ecb63f65f93d96c042b86a57f70fff40a2bee78102f7eeec9bb8f41c5e8d5b1e5ee6fa53f2d3f266f66dc847876a0193a32cd85cd017

Download Submit
C:\Windows\SysWOW64\Bgeadjai.exe

Filesize
80KB

MD5
93e883325690fae37c9adf75ce8e12b7

SHA1
6f6835d4950191f5e783f940ee79c720f55fdb31

SHA256
7496a7d9d976d7e5f8f57f0bb0777972af6eaa1de921e566b7218e958b193212

SHA512
6ac17e1e97de8be1b2233f47b0b798d211f072af8742d01333792111afe9d04ac00acc6ceaa122f19997354c18bc722abbeb6469954ba38f963dcafc9b121d33

Download Submit
C:\Windows\SysWOW64\Bgeadjai.exe

Filesize
80KB

MD5
93e883325690fae37c9adf75ce8e12b7

SHA1
6f6835d4950191f5e783f940ee79c720f55fdb31

SHA256
7496a7d9d976d7e5f8f57f0bb0777972af6eaa1de921e566b7218e958b193212

SHA512
6ac17e1e97de8be1b2233f47b0b798d211f072af8742d01333792111afe9d04ac00acc6ceaa122f19997354c18bc722abbeb6469954ba38f963dcafc9b121d33

Download Submit
C:\Windows\SysWOW64\Bkjpkg32.exe

Filesize
80KB

MD5
93b3fc53d46619c5c95b5ee28d8bc52b

SHA1
bb9adc08b2617b4e5fcc9d1220c0e9ebb45f4de8

SHA256
f26d640a8801c9d2d50fadbcd0165d6655b2591c3de271d57b7d7f0b8a30f8a9

SHA512
bdf7912459cf36af1b2d2f3fab718e257d1a093bf623b835ff9f5ce8ef142fb02c29196d964250b4130726ec4e92104d16d5ec2238336d08d3d25370412b028c

Download Submit
C:\Windows\SysWOW64\Bkjpkg32.exe

Filesize
80KB

MD5
93b3fc53d46619c5c95b5ee28d8bc52b

SHA1
bb9adc08b2617b4e5fcc9d1220c0e9ebb45f4de8

SHA256
f26d640a8801c9d2d50fadbcd0165d6655b2591c3de271d57b7d7f0b8a30f8a9

SHA512
bdf7912459cf36af1b2d2f3fab718e257d1a093bf623b835ff9f5ce8ef142fb02c29196d964250b4130726ec4e92104d16d5ec2238336d08d3d25370412b028c

Download Submit
C:\Windows\SysWOW64\Capkim32.exe

Filesize
80KB

MD5
1de05f79fbd8aa65326ff41c7dc5f2b4

SHA1
9233788d476a7534bb40969131336fd5538682c3

SHA256
12cc86f3d2f3b16c133d761d3131913c4fde6f66ad6cdd89bb2ba4ace9cb0f18

SHA512
65fa4e2babd236e7c7e34e1f895c7b479c65634afaa074ba04096dc59130682b31d7944f3cdbfa66dd94f3016f07a62a3b6d43a13abff60f8ff34514eeb66502

Download Submit
C:\Windows\SysWOW64\Capkim32.exe

Filesize
80KB

MD5
1de05f79fbd8aa65326ff41c7dc5f2b4

SHA1
9233788d476a7534bb40969131336fd5538682c3

SHA256
12cc86f3d2f3b16c133d761d3131913c4fde6f66ad6cdd89bb2ba4ace9cb0f18

SHA512
65fa4e2babd236e7c7e34e1f895c7b479c65634afaa074ba04096dc59130682b31d7944f3cdbfa66dd94f3016f07a62a3b6d43a13abff60f8ff34514eeb66502

Download Submit
C:\Windows\SysWOW64\Cejjdlap.exe

Filesize
80KB

MD5
8c247b3abc8d354e0cde77fbb0fe5f18

SHA1
35ad3117a97cf1d989f501bf70c6efedc8005947

SHA256
79e9a620ff48ef1908d053fb97d98f715769a15765bce073f46d1a8ad4dc27a6

SHA512
b33615ef7d073afec0f30169e871cd4174019e2e86cae63f2cc9bdb902deebc66c63bdf0a88381e65036b4dedef9d486e990bc6a41df4dc47fe88ab9e616192a

Download Submit
C:\Windows\SysWOW64\Cejjdlap.exe

Filesize
80KB

MD5
8c247b3abc8d354e0cde77fbb0fe5f18

SHA1
35ad3117a97cf1d989f501bf70c6efedc8005947

SHA256
79e9a620ff48ef1908d053fb97d98f715769a15765bce073f46d1a8ad4dc27a6

SHA512
b33615ef7d073afec0f30169e871cd4174019e2e86cae63f2cc9bdb902deebc66c63bdf0a88381e65036b4dedef9d486e990bc6a41df4dc47fe88ab9e616192a

Download Submit
C:\Windows\SysWOW64\Dehgejep.exe

Filesize
80KB

MD5
008e67a86e7d9385997fdc58bd75b024

SHA1
707607928e11e7e6bf1807b56805b2ddce8a8719

SHA256
7f14b79989bbd409dceef617c9b17766c5582b4f171ed5aa51b9d9d470564d74

SHA512
21fdfe38b87bcc9cf1477cce3499cccd5018cfe7cbd972e7898d48762b87d3cc74de18c2a37482913a395b1da81e442d57e7ea336a7d238620605e92d70f7385

Download Submit
C:\Windows\SysWOW64\Dehgejep.exe

Filesize
80KB

MD5
008e67a86e7d9385997fdc58bd75b024

SHA1
707607928e11e7e6bf1807b56805b2ddce8a8719

SHA256
7f14b79989bbd409dceef617c9b17766c5582b4f171ed5aa51b9d9d470564d74

SHA512
21fdfe38b87bcc9cf1477cce3499cccd5018cfe7cbd972e7898d48762b87d3cc74de18c2a37482913a395b1da81e442d57e7ea336a7d238620605e92d70f7385

Download Submit
C:\Windows\SysWOW64\Dlmegd32.exe

Filesize
80KB

MD5
4fa51b3df9fb5251495f234608bc2b51

SHA1
0d943909110c74ab5f409e6c554194113e57db11

SHA256
91d33538705d6c95ce7a6eb0d7fc209c6fbbf534d7fac531a8a21cb2b24ef118

SHA512
b1987f905ae3bd0e39c72f713603115e00d8c01a9738f7372325d98b0df88802245dd787502962fdadcfd8329033ef7506f9cb75cc5216a759a92e6a0ec809ee

Download Submit
C:\Windows\SysWOW64\Dlmegd32.exe

Filesize
80KB

MD5
4fa51b3df9fb5251495f234608bc2b51

SHA1
0d943909110c74ab5f409e6c554194113e57db11

SHA256
91d33538705d6c95ce7a6eb0d7fc209c6fbbf534d7fac531a8a21cb2b24ef118

SHA512
b1987f905ae3bd0e39c72f713603115e00d8c01a9738f7372325d98b0df88802245dd787502962fdadcfd8329033ef7506f9cb75cc5216a759a92e6a0ec809ee

Download Submit
C:\Windows\SysWOW64\Eblgon32.exe

Filesize
80KB

MD5
f00597f39cf9a10725e569163d76e940

SHA1
3a0200c5c996b41ecbce3900b1e8b1b1179c384e

SHA256
4f30412a71b2b0f5d3261a8c318a478c00f5d226a180af8c1e01d885e2b30195

SHA512
055fc1e77e7eabf43d7415dd486cf92965b79124365a45f78ad110aad70d317575d7f4a05139535d783f46aae1ff12ff906264d55aa2ac238d81b72c1d76b751

Download Submit
C:\Windows\SysWOW64\Eblgon32.exe

Filesize
80KB

MD5
f00597f39cf9a10725e569163d76e940

SHA1
3a0200c5c996b41ecbce3900b1e8b1b1179c384e

SHA256
4f30412a71b2b0f5d3261a8c318a478c00f5d226a180af8c1e01d885e2b30195

SHA512
055fc1e77e7eabf43d7415dd486cf92965b79124365a45f78ad110aad70d317575d7f4a05139535d783f46aae1ff12ff906264d55aa2ac238d81b72c1d76b751

Download Submit
C:\Windows\SysWOW64\Ebnddn32.exe

Filesize
80KB

MD5
bd60ce3cf3c64f7b4323d1595ac331ba

SHA1
509bcc645488a38c9d14f6fe6063a2ae98675b36

SHA256
18446c2101b341b4649d70d14b71f39387f4d468f5dacc8f2a746dcb68c0650f

SHA512
6899f04bec0916945a98946d27ebb3ebe1aa1bda76c002a56f698f5d9da4516987ab44fe8e9ee5859862a2b5d8b627c34e6c67b14770636845582a5886666ebe

Download Submit
C:\Windows\SysWOW64\Ebnddn32.exe

Filesize
80KB

MD5
bd60ce3cf3c64f7b4323d1595ac331ba

SHA1
509bcc645488a38c9d14f6fe6063a2ae98675b36

SHA256
18446c2101b341b4649d70d14b71f39387f4d468f5dacc8f2a746dcb68c0650f

SHA512
6899f04bec0916945a98946d27ebb3ebe1aa1bda76c002a56f698f5d9da4516987ab44fe8e9ee5859862a2b5d8b627c34e6c67b14770636845582a5886666ebe

Download Submit
C:\Windows\SysWOW64\Eihlahjd.exe

Filesize
80KB

MD5
bdb19ddd39438613b9eaf5ec8c98c92f

SHA1
e156f14ea4c3e6915c858a9e376a8d17a40866f1

SHA256
639bd57c372fac6a59b48591146f0c4f5c9b2af9087381e28ee2abff2ab21990

SHA512
8582e240914aff8177bcad95d353632609267dc20d4f00dd461179bd042349c221f281ed51e3d6ef3fa86a2ec4f38564c84cb6d4a43225c2cb70bfa088bff015

Download Submit
C:\Windows\SysWOW64\Eihlahjd.exe

Filesize
80KB

MD5
bdb19ddd39438613b9eaf5ec8c98c92f

SHA1
e156f14ea4c3e6915c858a9e376a8d17a40866f1

SHA256
639bd57c372fac6a59b48591146f0c4f5c9b2af9087381e28ee2abff2ab21990

SHA512
8582e240914aff8177bcad95d353632609267dc20d4f00dd461179bd042349c221f281ed51e3d6ef3fa86a2ec4f38564c84cb6d4a43225c2cb70bfa088bff015

Download Submit
C:\Windows\SysWOW64\Fbggkl32.exe

Filesize
80KB

MD5
a3d5d58b0d6928deee4aa855a7053460

SHA1
0cc4667312df47e7c79d95f86d5091e89c86d5f8

SHA256
e5634d45c440c2fae18126f66d780594df636b05fe2ab5c5eb1dbdd1dd009ab9

SHA512
34e3cb6cc469da26a1635ed80a40545ca05dbc0f8cead88dbdfb270e1e09d718436fbfb282357ec30af60affe06b38fc6e57dce9a1b3f60a840be8b899353afc

Download Submit
C:\Windows\SysWOW64\Fbggkl32.exe

Filesize
80KB

MD5
a3d5d58b0d6928deee4aa855a7053460

SHA1
0cc4667312df47e7c79d95f86d5091e89c86d5f8

SHA256
e5634d45c440c2fae18126f66d780594df636b05fe2ab5c5eb1dbdd1dd009ab9

SHA512
34e3cb6cc469da26a1635ed80a40545ca05dbc0f8cead88dbdfb270e1e09d718436fbfb282357ec30af60affe06b38fc6e57dce9a1b3f60a840be8b899353afc

Download Submit
C:\Windows\SysWOW64\Ghmbib32.exe

Filesize
80KB

MD5
57e6d1c71886ca37a53ce723fc0a9378

SHA1
37969fe7e4e709a626e4814079ed8dc85eda596c

SHA256
153151eaa41e52e6df5d2ecfde59b347faa90110964de03dce0129348cda31c9

SHA512
f7884bd190958e4d33faa28dd835db7ab0c4372febcbb7f5d711df9639ae69ad9f90be372b223ef3ed063fd175a0a88863bc197267fdf3d6dc93dd42378db129

Download Submit
C:\Windows\SysWOW64\Ghmbib32.exe

Filesize
80KB

MD5
57e6d1c71886ca37a53ce723fc0a9378

SHA1
37969fe7e4e709a626e4814079ed8dc85eda596c

SHA256
153151eaa41e52e6df5d2ecfde59b347faa90110964de03dce0129348cda31c9

SHA512
f7884bd190958e4d33faa28dd835db7ab0c4372febcbb7f5d711df9639ae69ad9f90be372b223ef3ed063fd175a0a88863bc197267fdf3d6dc93dd42378db129

Download Submit
C:\Windows\SysWOW64\Glngep32.exe

Filesize
80KB

MD5
79818c9185ff45cf2e84aae0d4adb28e

SHA1
b3acb8c5e31c9b03aacd467c1394f9ba56d4362e

SHA256
866d8550de521e9a2bb36dc87556b3e6580b182ae61dabf25ad84083cc137cf1

SHA512
921e347ca1d684f04675388852f7eb0508027390f1fa2f114bdc0dc6a0665a26658ae588729b5a93bd858e31420c6120893906c83ac78e7840db3b34d8dd670e

Download Submit
C:\Windows\SysWOW64\Glngep32.exe

Filesize
80KB

MD5
79818c9185ff45cf2e84aae0d4adb28e

SHA1
b3acb8c5e31c9b03aacd467c1394f9ba56d4362e

SHA256
866d8550de521e9a2bb36dc87556b3e6580b182ae61dabf25ad84083cc137cf1

SHA512
921e347ca1d684f04675388852f7eb0508027390f1fa2f114bdc0dc6a0665a26658ae588729b5a93bd858e31420c6120893906c83ac78e7840db3b34d8dd670e

Download Submit
C:\Windows\SysWOW64\Iheaqolo.exe

Filesize
80KB

MD5
126b9f7ad53a8b473f794b8691f094df

SHA1
6fe5be3ab2d35492dc28e97af3808062296933f6

SHA256
95f37a3539873ecf3892d2b26b6f0e3f801a80c956001877a7f9fb852d9b71b1

SHA512
5138a6d9dd250db9b2bd7dccab403b5ddb928dbfd351d8a8f41cadb11ed5a2446a629ff4229aa443cbfeb80af558d185908c496e921d498a6fa7a50dd21ac016

Download Submit
C:\Windows\SysWOW64\Iheaqolo.exe

Filesize
80KB

MD5
126b9f7ad53a8b473f794b8691f094df

SHA1
6fe5be3ab2d35492dc28e97af3808062296933f6

SHA256
95f37a3539873ecf3892d2b26b6f0e3f801a80c956001877a7f9fb852d9b71b1

SHA512
5138a6d9dd250db9b2bd7dccab403b5ddb928dbfd351d8a8f41cadb11ed5a2446a629ff4229aa443cbfeb80af558d185908c496e921d498a6fa7a50dd21ac016

Download Submit
C:\Windows\SysWOW64\Iheaqolo.exe

Filesize
80KB

MD5
126b9f7ad53a8b473f794b8691f094df

SHA1
6fe5be3ab2d35492dc28e97af3808062296933f6

SHA256
95f37a3539873ecf3892d2b26b6f0e3f801a80c956001877a7f9fb852d9b71b1

SHA512
5138a6d9dd250db9b2bd7dccab403b5ddb928dbfd351d8a8f41cadb11ed5a2446a629ff4229aa443cbfeb80af558d185908c496e921d498a6fa7a50dd21ac016

Download Submit
C:\Windows\SysWOW64\Jchaoe32.exe

Filesize
80KB

MD5
d86634771166546d6502aecc810a6da7

SHA1
03d030fe64d7dd39862e70fa4c190d9efe593f65

SHA256
f2f0fbd195492938f5077a18260b63ad9838ca6073b0df1199af9b67ec7e316a

SHA512
15050dbfdd7ecb00fd4f35dba19fe7e5a4650dcdce607fb41d3bdd59a5c6293b3f3072e294943bdfe81e37aebde260b31868110ef611e63ff077545dc60ce1dd

Download Submit
C:\Windows\SysWOW64\Jchaoe32.exe

Filesize
80KB

MD5
d86634771166546d6502aecc810a6da7

SHA1
03d030fe64d7dd39862e70fa4c190d9efe593f65

SHA256
f2f0fbd195492938f5077a18260b63ad9838ca6073b0df1199af9b67ec7e316a

SHA512
15050dbfdd7ecb00fd4f35dba19fe7e5a4650dcdce607fb41d3bdd59a5c6293b3f3072e294943bdfe81e37aebde260b31868110ef611e63ff077545dc60ce1dd

Download Submit
C:\Windows\SysWOW64\Kiomnk32.exe

Filesize
80KB

MD5
aa7738f9108c541fa67bb440c0ab2e97

SHA1
b16d02b7629760277c5b5098e73a37e32955d7a1

SHA256
81fe70192c5498a6cf11d7ae3300771dbb3d451b0cb1d861454de58f66b20522

SHA512
8a60a9f3ba7d0bf278604827b31ea14fb93afc1b46132737eea876e7d176f963f740a3a719e91bd7c1924642443cb27b0357f20854c45d2aa4b47106acb5d8f7

Download Submit
C:\Windows\SysWOW64\Kiomnk32.exe

Filesize
80KB

MD5
aa7738f9108c541fa67bb440c0ab2e97

SHA1
b16d02b7629760277c5b5098e73a37e32955d7a1

SHA256
81fe70192c5498a6cf11d7ae3300771dbb3d451b0cb1d861454de58f66b20522

SHA512
8a60a9f3ba7d0bf278604827b31ea14fb93afc1b46132737eea876e7d176f963f740a3a719e91bd7c1924642443cb27b0357f20854c45d2aa4b47106acb5d8f7

Download Submit
C:\Windows\SysWOW64\Kkofofbb.exe

Filesize
80KB

MD5
347ac1fae414430e22817ee6ebee6294

SHA1
daea0fcdea46ba1108956ab44091ac79fe6835eb

SHA256
d24aa3801f4291e020af9f491d74667390184cb5f57d566d7aa879329f623603

SHA512
3dfbcc8db23d00276ff281e1c4bfa61ba989ea474a419f1e3b7e1cdc182402e0a1853f4102f60f9602ac04e90930c2d9119d676a81aec65a6e50b5a4b92a5187

Download Submit
C:\Windows\SysWOW64\Kkofofbb.exe

Filesize
80KB

MD5
347ac1fae414430e22817ee6ebee6294

SHA1
daea0fcdea46ba1108956ab44091ac79fe6835eb

SHA256
d24aa3801f4291e020af9f491d74667390184cb5f57d566d7aa879329f623603

SHA512
3dfbcc8db23d00276ff281e1c4bfa61ba989ea474a419f1e3b7e1cdc182402e0a1853f4102f60f9602ac04e90930c2d9119d676a81aec65a6e50b5a4b92a5187

Download Submit
C:\Windows\SysWOW64\Lihpdj32.exe

Filesize
80KB

MD5
b62a6e4a4921fff2ae80b63ef3d38c10

SHA1
dd014a3173c7c6d383deb5fb99db6d80f014e7c5

SHA256
1b6536f5c523407e5b743bacfc2def09caee3a51b0f042bf197431d7c74d4a3c

SHA512
601ba6339fe3149be7e6415d71170c83f61e97827641e7cfd80a2f055bb50da4c67a5faca28f3cb929b2abc90110d51e21f7e5f3d62d446f0a77af88b6eb69ce

Download Submit
C:\Windows\SysWOW64\Lihpdj32.exe

Filesize
80KB

MD5
b62a6e4a4921fff2ae80b63ef3d38c10

SHA1
dd014a3173c7c6d383deb5fb99db6d80f014e7c5

SHA256
1b6536f5c523407e5b743bacfc2def09caee3a51b0f042bf197431d7c74d4a3c

SHA512
601ba6339fe3149be7e6415d71170c83f61e97827641e7cfd80a2f055bb50da4c67a5faca28f3cb929b2abc90110d51e21f7e5f3d62d446f0a77af88b6eb69ce

Download Submit
C:\Windows\SysWOW64\Ljglnmdi.exe

Filesize
80KB

MD5
6da4986c2278cc66aea6fb786aad1f17

SHA1
f08284635ac2080d50e9f80504a9adeea4c6cec4

SHA256
dc5cd32754b70c7a6238e5bd2c4c8077a90f9a8a0bb030c5c532e7b0732b3ac5

SHA512
9907e642b59e93e55eac26d4d563042d576f91a2dacbab1e2cea45174e8f2d8ea9acc4eb0227dc28728b0b4a8c7d531f7d455bcd627dbb3953e09226532780ba

Download Submit
C:\Windows\SysWOW64\Ljglnmdi.exe

Filesize
80KB

MD5
6da4986c2278cc66aea6fb786aad1f17

SHA1
f08284635ac2080d50e9f80504a9adeea4c6cec4

SHA256
dc5cd32754b70c7a6238e5bd2c4c8077a90f9a8a0bb030c5c532e7b0732b3ac5

SHA512
9907e642b59e93e55eac26d4d563042d576f91a2dacbab1e2cea45174e8f2d8ea9acc4eb0227dc28728b0b4a8c7d531f7d455bcd627dbb3953e09226532780ba

Download Submit
C:\Windows\SysWOW64\Lmkbeg32.exe

Filesize
80KB

MD5
13c879c2a3fb93a648217948977fa971

SHA1
9d6a4ba70b4a73694a865fe57097b66e609f7f74

SHA256
a358d4022d8e85c74242ce22c126b3b81fc974660067aa0ada8e8de33b127545

SHA512
e9f58619eb986da9f6184603a0e9e39314bc48271c858a0be6f69b86d0b32668355f7f1121e8f845020c21af46d35f2b9099f1359c7f56e480c32068a242f63e

Download Submit
C:\Windows\SysWOW64\Lmkbeg32.exe

Filesize
80KB

MD5
13c879c2a3fb93a648217948977fa971

SHA1
9d6a4ba70b4a73694a865fe57097b66e609f7f74

SHA256
a358d4022d8e85c74242ce22c126b3b81fc974660067aa0ada8e8de33b127545

SHA512
e9f58619eb986da9f6184603a0e9e39314bc48271c858a0be6f69b86d0b32668355f7f1121e8f845020c21af46d35f2b9099f1359c7f56e480c32068a242f63e

Download Submit
C:\Windows\SysWOW64\Mbcjimda.exe

Filesize
80KB

MD5
4777fedcd5ef694805b19b5192aaa722

SHA1
c49638de7b7b127a56fa9a9855a2427a2a3c6eba

SHA256
684d9a861a0e2f9d3323f74acd895fa1f97619ac1764e02e16a9f4c533e1146d

SHA512
7f7e9f4a7044d403f06361e159f903efb9a07aa5fae0682f83ea7f73fe471b19b14652f6af8a27112cad9a3db6974dbb18e483abef63548f893e293e576467fb

Download Submit
C:\Windows\SysWOW64\Mbcjimda.exe

Filesize
80KB

MD5
4777fedcd5ef694805b19b5192aaa722

SHA1
c49638de7b7b127a56fa9a9855a2427a2a3c6eba

SHA256
684d9a861a0e2f9d3323f74acd895fa1f97619ac1764e02e16a9f4c533e1146d

SHA512
7f7e9f4a7044d403f06361e159f903efb9a07aa5fae0682f83ea7f73fe471b19b14652f6af8a27112cad9a3db6974dbb18e483abef63548f893e293e576467fb

Download Submit
C:\Windows\SysWOW64\Miflehaf.exe

Filesize
80KB

MD5
fda0d2cc4a8c2fa8a4f3e09e92bf6205

SHA1
25cf945ced1171cdf804d83b89e114985906fc66

SHA256
2017f70618cade01c26bff323379f85b7b7f6eb025f09e747502fe7c43ea39f0

SHA512
5c30a46f7b8f3ff36e4e045e7bec1f9cb6a4332cb3e0bdb41561de3b5af44dfdc4cd0047854a70416d945388fe59a6f031cdc51091cbd423bf8c13657cbc4aa3

Download Submit
C:\Windows\SysWOW64\Miflehaf.exe

Filesize
80KB

MD5
fda0d2cc4a8c2fa8a4f3e09e92bf6205

SHA1
25cf945ced1171cdf804d83b89e114985906fc66

SHA256
2017f70618cade01c26bff323379f85b7b7f6eb025f09e747502fe7c43ea39f0

SHA512
5c30a46f7b8f3ff36e4e045e7bec1f9cb6a4332cb3e0bdb41561de3b5af44dfdc4cd0047854a70416d945388fe59a6f031cdc51091cbd423bf8c13657cbc4aa3

Download Submit
C:\Windows\SysWOW64\Mlbllc32.exe

Filesize
80KB

MD5
c7e8763906bed47e4cfe69da69777fe4

SHA1
bc8f05aa736ae9b1f509a2948e5ba7e6347d1960

SHA256
ecdb138bd9a8c207f4b2822039369757d037ad9ea98bbf59410d17a70081409f

SHA512
30089897916ccd279b2d4b1bdc5c3c8ba3e045867268af00c3beafb0031aeb7afb9e810ccc984f12f2f57cb306f0e245f772f41d9f6251856939d7110a009dd5

Download Submit
C:\Windows\SysWOW64\Mlbllc32.exe

Filesize
80KB

MD5
c7e8763906bed47e4cfe69da69777fe4

SHA1
bc8f05aa736ae9b1f509a2948e5ba7e6347d1960

SHA256
ecdb138bd9a8c207f4b2822039369757d037ad9ea98bbf59410d17a70081409f

SHA512
30089897916ccd279b2d4b1bdc5c3c8ba3e045867268af00c3beafb0031aeb7afb9e810ccc984f12f2f57cb306f0e245f772f41d9f6251856939d7110a009dd5

Download Submit
C:\Windows\SysWOW64\Nlbdba32.exe

Filesize
80KB

MD5
161cee79e6c961f9c66b86100cd96898

SHA1
28c40f7d542d71e63e4450127d91bc1cc667fd70

SHA256
36dc0d671d043da8f27010537ad0380aa28942691f5fb5b04247a505b38f0bdd

SHA512
69041200f4831574a98e88af07223f66fb7f566a12ed3e0b180eb356dd38ea3efa0561f593407d646dc9bfd6281a446582b8903dcc6c6e90506f4324b8d57bde

Download Submit
C:\Windows\SysWOW64\Nlbdba32.exe

Filesize
80KB

MD5
161cee79e6c961f9c66b86100cd96898

SHA1
28c40f7d542d71e63e4450127d91bc1cc667fd70

SHA256
36dc0d671d043da8f27010537ad0380aa28942691f5fb5b04247a505b38f0bdd

SHA512
69041200f4831574a98e88af07223f66fb7f566a12ed3e0b180eb356dd38ea3efa0561f593407d646dc9bfd6281a446582b8903dcc6c6e90506f4324b8d57bde

Download Submit
C:\Windows\SysWOW64\Nleaha32.exe

Filesize
64KB

MD5
c89ec70a96b3d81edd9692829bf4e2cd

SHA1
1d31e173615edced0c31d79644fbe35011caf46d

SHA256
c72ecbb9ee3b586418d981f8fa14f491df37c04888a091bf065919f1407b26b7

SHA512
9dacec298a0659576ca26308dc4c918ff22c66366b812a778250256ba436c242d25c146d9078a9099b966ec25ee2b15e8345fc328035afefad7a9ca21340264e

Download Submit
C:\Windows\SysWOW64\Nmmgae32.exe

Filesize
80KB

MD5
c0071239a1f3f0b8c1986d2f43da6153

SHA1
2e5fb8949d10babaed901fc1109869fb9ec1c17b

SHA256
e55dcf667ccbb622704e216b18cdc8709cb8d0c0bdf57bafec7e6ff9e307d1a2

SHA512
83e3101312f7a5ee074eb066cd08d74de8db05b3cd1930386319ae013075689cc45ce911f8786da49fdbd510cc711a9e190a9b3f02810ae4dd428172027df898

Download Submit
C:\Windows\SysWOW64\Nmmgae32.exe

Filesize
80KB

MD5
c0071239a1f3f0b8c1986d2f43da6153

SHA1
2e5fb8949d10babaed901fc1109869fb9ec1c17b

SHA256
e55dcf667ccbb622704e216b18cdc8709cb8d0c0bdf57bafec7e6ff9e307d1a2

SHA512
83e3101312f7a5ee074eb066cd08d74de8db05b3cd1930386319ae013075689cc45ce911f8786da49fdbd510cc711a9e190a9b3f02810ae4dd428172027df898

Download Submit
memory/408-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/432-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/524-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/648-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/720-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1528-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1812-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2272-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3260-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3416-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3996-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4060-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4060-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4060-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4380-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads