b78be520ae5df807c229593f81da15c23bd009bb8ca39d6449968d22ec4613bf

Analysis

max time kernel
134s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d6b7833325f47ee76a1ab916393459b0.exe
Size

398KB
MD5

d6b7833325f47ee76a1ab916393459b0
SHA1

3127b61cf042e0b053e999416710a9fa73f8000b
SHA256

b78be520ae5df807c229593f81da15c23bd009bb8ca39d6449968d22ec4613bf
SHA512

e25872385a702998767d278a5e14f362a0461f471520a564bc4d589d538789eb83a1b52df593e3b7e0dcbd37f2f372d39022dd7a8858016a9baf566bb2066a71
SSDEEP

12288:W2VOXS6t3XGCByvNv54B9f01ZmHByvNv5imipWf0Aq:ROXS6t3XGpvr4B9f01ZmQvrimipWf0Aq

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcnjijoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afappe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njbgmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlnfjbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njbgmjgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojcpdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.d6b7833325f47ee76a1ab916393459b0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmcpoedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.d6b7833325f47ee76a1ab916393459b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbnnn32.exe

Malware Backdoor - Berbew 57 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0006000000022cee-6.dat	family_berbew
behavioral2/files/0x0006000000022cee-7.dat	family_berbew
behavioral2/files/0x0006000000022cf0-16.dat	family_berbew
behavioral2/files/0x0006000000022cf0-14.dat	family_berbew
behavioral2/files/0x0006000000022cf2-23.dat	family_berbew
behavioral2/files/0x0006000000022cf2-22.dat	family_berbew
behavioral2/files/0x0006000000022cf4-30.dat	family_berbew
behavioral2/files/0x0006000000022cf4-32.dat	family_berbew
behavioral2/files/0x0006000000022cf6-38.dat	family_berbew
behavioral2/files/0x0006000000022cf6-39.dat	family_berbew
behavioral2/files/0x0006000000022cf6-33.dat	family_berbew
behavioral2/files/0x0006000000022cfc-46.dat	family_berbew
behavioral2/files/0x0006000000022cfc-48.dat	family_berbew
behavioral2/files/0x0006000000022cff-54.dat	family_berbew
behavioral2/files/0x0006000000022cff-56.dat	family_berbew
behavioral2/files/0x0006000000022d01-62.dat	family_berbew
behavioral2/files/0x0006000000022d01-64.dat	family_berbew
behavioral2/files/0x0007000000022cf8-70.dat	family_berbew
behavioral2/files/0x0007000000022cf8-72.dat	family_berbew
behavioral2/files/0x0007000000022cfa-78.dat	family_berbew
behavioral2/files/0x0007000000022cfa-80.dat	family_berbew
behavioral2/files/0x0009000000022d04-86.dat	family_berbew
behavioral2/files/0x0009000000022d04-88.dat	family_berbew
behavioral2/files/0x0006000000022d08-104.dat	family_berbew
behavioral2/files/0x0006000000022d08-102.dat	family_berbew
behavioral2/files/0x0006000000022d06-96.dat	family_berbew
behavioral2/files/0x0006000000022d06-94.dat	family_berbew
behavioral2/files/0x0006000000022d0a-110.dat	family_berbew
behavioral2/files/0x0006000000022d0a-111.dat	family_berbew
behavioral2/files/0x0006000000022d0c-120.dat	family_berbew
behavioral2/files/0x0006000000022d0c-118.dat	family_berbew
behavioral2/files/0x0006000000022d0e-128.dat	family_berbew
behavioral2/files/0x0006000000022d0e-126.dat	family_berbew
behavioral2/files/0x0006000000022d10-134.dat	family_berbew
behavioral2/files/0x0006000000022d10-136.dat	family_berbew
behavioral2/files/0x0006000000022d12-137.dat	family_berbew
behavioral2/files/0x0006000000022d12-144.dat	family_berbew
behavioral2/files/0x0006000000022d12-142.dat	family_berbew
behavioral2/files/0x0006000000022d14-150.dat	family_berbew
behavioral2/files/0x0006000000022d14-152.dat	family_berbew
behavioral2/files/0x0006000000022d16-158.dat	family_berbew
behavioral2/files/0x0006000000022d16-159.dat	family_berbew
behavioral2/files/0x0006000000022d18-162.dat	family_berbew
behavioral2/files/0x0006000000022d18-168.dat	family_berbew
behavioral2/files/0x0006000000022d18-166.dat	family_berbew
behavioral2/files/0x0006000000022d1a-174.dat	family_berbew
behavioral2/files/0x0006000000022d1a-176.dat	family_berbew
behavioral2/files/0x0006000000022d1c-182.dat	family_berbew
behavioral2/files/0x0006000000022d1c-184.dat	family_berbew
behavioral2/files/0x0006000000022d1e-190.dat	family_berbew
behavioral2/files/0x0006000000022d1e-192.dat	family_berbew
behavioral2/files/0x0006000000022d20-193.dat	family_berbew
behavioral2/files/0x0006000000022d20-198.dat	family_berbew
behavioral2/files/0x0006000000022d20-200.dat	family_berbew
behavioral2/files/0x0006000000022d22-206.dat	family_berbew
behavioral2/files/0x0006000000022d22-207.dat	family_berbew
behavioral2/files/0x0006000000022d22-202.dat	family_berbew

Executes dropped EXE 26 IoCs

pid	Process
4596	Lckboblp.exe
1364	Mhjhmhhd.exe
3004	Mfpell32.exe
2548	Mhanngbl.exe
4056	Njbgmjgl.exe
2176	Nmcpoedn.exe
3488	Ojcpdg32.exe
2120	Ppdbgncl.exe
3996	Ppikbm32.exe
4680	Pmphaaln.exe
4472	Qcnjijoe.exe
3436	Afappe32.exe
3956	Adgmoigj.exe
5008	Bmbnnn32.exe
812	Bdeiqgkj.exe
3776	Cmbgdl32.exe
3760	Cpcpfg32.exe
3632	Dgpeha32.exe
4428	Dpmcmf32.exe
1008	Dkedonpo.exe
4668	Ejlnfjbd.exe
2924	Eqkondfl.exe
4652	Fnffhgon.exe
348	Fnhbmgmk.exe
3352	Gqkhda32.exe
4316	Gbmadd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jmbpjm32.dll	Cmbgdl32.exe
File opened for modification	C:\Windows\SysWOW64\Dpmcmf32.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Eqkondfl.exe	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Gqkhda32.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Alapqh32.dll	Mhanngbl.exe
File opened for modification	C:\Windows\SysWOW64\Lckboblp.exe	NEAS.d6b7833325f47ee76a1ab916393459b0.exe
File created	C:\Windows\SysWOW64\Mhanngbl.exe	Mfpell32.exe
File opened for modification	C:\Windows\SysWOW64\Njbgmjgl.exe	Mhanngbl.exe
File created	C:\Windows\SysWOW64\Ppikbm32.exe	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Pmphaaln.exe	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Lckboblp.exe	NEAS.d6b7833325f47ee76a1ab916393459b0.exe
File opened for modification	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bmbnnn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmbgdl32.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Iplfokdm.dll	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Adgmoigj.exe	Afappe32.exe
File created	C:\Windows\SysWOW64\Mlmadjhb.dll	Ppikbm32.exe
File opened for modification	C:\Windows\SysWOW64\Afappe32.exe	Qcnjijoe.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Kkcghg32.dll	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Fnffhgon.exe	Eqkondfl.exe
File opened for modification	C:\Windows\SysWOW64\Fnffhgon.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Ceohefin.dll	Mfpell32.exe
File opened for modification	C:\Windows\SysWOW64\Nmcpoedn.exe	Njbgmjgl.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhda32.exe	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Mhjhmhhd.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Jjgkan32.dll	Ojcpdg32.exe
File created	C:\Windows\SysWOW64\Hejeak32.dll	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Pafpga32.dll	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Bmbnnn32.exe	Adgmoigj.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Dcjdilmf.dll	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Lifcnk32.dll	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Ppdbgncl.exe	Ojcpdg32.exe
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Cpcpfg32.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Ncmkcc32.dll	Qcnjijoe.exe
File opened for modification	C:\Windows\SysWOW64\Pmphaaln.exe	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Afappe32.exe	Qcnjijoe.exe
File created	C:\Windows\SysWOW64\Dkedonpo.exe	Dpmcmf32.exe
File opened for modification	C:\Windows\SysWOW64\Ejlnfjbd.exe	Dkedonpo.exe
File created	C:\Windows\SysWOW64\Bepjbf32.dll	Njbgmjgl.exe
File opened for modification	C:\Windows\SysWOW64\Cpcpfg32.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Nnimkcjf.dll	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fnffhgon.exe
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Paenokbf.dll	Afappe32.exe
File opened for modification	C:\Windows\SysWOW64\Mhanngbl.exe	Mfpell32.exe
File created	C:\Windows\SysWOW64\Qcnjijoe.exe	Pmphaaln.exe
File opened for modification	C:\Windows\SysWOW64\Bmbnnn32.exe	Adgmoigj.exe
File opened for modification	C:\Windows\SysWOW64\Eqkondfl.exe	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Oipgkfab.dll	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Mhjhmhhd.exe	Lckboblp.exe
File opened for modification	C:\Windows\SysWOW64\Mfpell32.exe	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Nmcpoedn.exe	Njbgmjgl.exe
File opened for modification	C:\Windows\SysWOW64\Qcnjijoe.exe	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Cpcpfg32.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Iolgql32.dll	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Amcpgoem.dll	NEAS.d6b7833325f47ee76a1ab916393459b0.exe
File created	C:\Windows\SysWOW64\Ahhjomjk.dll	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Dpmcmf32.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Ojcpdg32.exe	Nmcpoedn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2532	4316	WerFault.exe	114

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkcghg32.dll"	Ejlnfjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnimkcjf.dll"	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolgql32.dll"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenokbf.dll"	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbpjm32.dll"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.d6b7833325f47ee76a1ab916393459b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojcpdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afappe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.d6b7833325f47ee76a1ab916393459b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfokdm.dll"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njbgmjgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmkcc32.dll"	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbjkg32.dll"	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafpga32.dll"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmcpoedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejlnfjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.d6b7833325f47ee76a1ab916393459b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejeak32.dll"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amcpgoem.dll"	NEAS.d6b7833325f47ee76a1ab916393459b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankhggi.dll"	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepjbf32.dll"	Njbgmjgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afappe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lckboblp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njbgmjgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alapqh32.dll"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gqkhda32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 4596	2932	NEAS.d6b7833325f47ee76a1ab916393459b0.exe	89
PID 2932 wrote to memory of 4596	2932	NEAS.d6b7833325f47ee76a1ab916393459b0.exe	89
PID 2932 wrote to memory of 4596	2932	NEAS.d6b7833325f47ee76a1ab916393459b0.exe	89
PID 4596 wrote to memory of 1364	4596	Lckboblp.exe	90
PID 4596 wrote to memory of 1364	4596	Lckboblp.exe	90
PID 4596 wrote to memory of 1364	4596	Lckboblp.exe	90
PID 1364 wrote to memory of 3004	1364	Mhjhmhhd.exe	91
PID 1364 wrote to memory of 3004	1364	Mhjhmhhd.exe	91
PID 1364 wrote to memory of 3004	1364	Mhjhmhhd.exe	91
PID 3004 wrote to memory of 2548	3004	Mfpell32.exe	92
PID 3004 wrote to memory of 2548	3004	Mfpell32.exe	92
PID 3004 wrote to memory of 2548	3004	Mfpell32.exe	92
PID 2548 wrote to memory of 4056	2548	Mhanngbl.exe	93
PID 2548 wrote to memory of 4056	2548	Mhanngbl.exe	93
PID 2548 wrote to memory of 4056	2548	Mhanngbl.exe	93
PID 4056 wrote to memory of 2176	4056	Njbgmjgl.exe	95
PID 4056 wrote to memory of 2176	4056	Njbgmjgl.exe	95
PID 4056 wrote to memory of 2176	4056	Njbgmjgl.exe	95
PID 2176 wrote to memory of 3488	2176	Nmcpoedn.exe	96
PID 2176 wrote to memory of 3488	2176	Nmcpoedn.exe	96
PID 2176 wrote to memory of 3488	2176	Nmcpoedn.exe	96
PID 3488 wrote to memory of 2120	3488	Ojcpdg32.exe	97
PID 3488 wrote to memory of 2120	3488	Ojcpdg32.exe	97
PID 3488 wrote to memory of 2120	3488	Ojcpdg32.exe	97
PID 2120 wrote to memory of 3996	2120	Ppdbgncl.exe	98
PID 2120 wrote to memory of 3996	2120	Ppdbgncl.exe	98
PID 2120 wrote to memory of 3996	2120	Ppdbgncl.exe	98
PID 3996 wrote to memory of 4680	3996	Ppikbm32.exe	99
PID 3996 wrote to memory of 4680	3996	Ppikbm32.exe	99
PID 3996 wrote to memory of 4680	3996	Ppikbm32.exe	99
PID 4680 wrote to memory of 4472	4680	Pmphaaln.exe	100
PID 4680 wrote to memory of 4472	4680	Pmphaaln.exe	100
PID 4680 wrote to memory of 4472	4680	Pmphaaln.exe	100
PID 4472 wrote to memory of 3436	4472	Qcnjijoe.exe	102
PID 4472 wrote to memory of 3436	4472	Qcnjijoe.exe	102
PID 4472 wrote to memory of 3436	4472	Qcnjijoe.exe	102
PID 3436 wrote to memory of 3956	3436	Afappe32.exe	101
PID 3436 wrote to memory of 3956	3436	Afappe32.exe	101
PID 3436 wrote to memory of 3956	3436	Afappe32.exe	101
PID 3956 wrote to memory of 5008	3956	Adgmoigj.exe	103
PID 3956 wrote to memory of 5008	3956	Adgmoigj.exe	103
PID 3956 wrote to memory of 5008	3956	Adgmoigj.exe	103
PID 5008 wrote to memory of 812	5008	Bmbnnn32.exe	104
PID 5008 wrote to memory of 812	5008	Bmbnnn32.exe	104
PID 5008 wrote to memory of 812	5008	Bmbnnn32.exe	104
PID 812 wrote to memory of 3776	812	Bdeiqgkj.exe	105
PID 812 wrote to memory of 3776	812	Bdeiqgkj.exe	105
PID 812 wrote to memory of 3776	812	Bdeiqgkj.exe	105
PID 3776 wrote to memory of 3760	3776	Cmbgdl32.exe	106
PID 3776 wrote to memory of 3760	3776	Cmbgdl32.exe	106
PID 3776 wrote to memory of 3760	3776	Cmbgdl32.exe	106
PID 3760 wrote to memory of 3632	3760	Cpcpfg32.exe	107
PID 3760 wrote to memory of 3632	3760	Cpcpfg32.exe	107
PID 3760 wrote to memory of 3632	3760	Cpcpfg32.exe	107
PID 3632 wrote to memory of 4428	3632	Dgpeha32.exe	108
PID 3632 wrote to memory of 4428	3632	Dgpeha32.exe	108
PID 3632 wrote to memory of 4428	3632	Dgpeha32.exe	108
PID 4428 wrote to memory of 1008	4428	Dpmcmf32.exe	109
PID 4428 wrote to memory of 1008	4428	Dpmcmf32.exe	109
PID 4428 wrote to memory of 1008	4428	Dpmcmf32.exe	109
PID 1008 wrote to memory of 4668	1008	Dkedonpo.exe	110
PID 1008 wrote to memory of 4668	1008	Dkedonpo.exe	110
PID 1008 wrote to memory of 4668	1008	Dkedonpo.exe	110
PID 4668 wrote to memory of 2924	4668	Ejlnfjbd.exe	111

C:\Users\Admin\AppData\Local\Temp\NEAS.d6b7833325f47ee76a1ab916393459b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d6b7833325f47ee76a1ab916393459b0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\Lckboblp.exe
  C:\Windows\system32\Lckboblp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\SysWOW64\Mhjhmhhd.exe
    C:\Windows\system32\Mhjhmhhd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\Mfpell32.exe
      C:\Windows\system32\Mfpell32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436

C:\Windows\SysWOW64\Adgmoigj.exe
C:\Windows\system32\Adgmoigj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\SysWOW64\Bmbnnn32.exe
  C:\Windows\system32\Bmbnnn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\Bdeiqgkj.exe
    C:\Windows\system32\Bdeiqgkj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\SysWOW64\Cmbgdl32.exe
      C:\Windows\system32\Cmbgdl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3760
      - C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352

C:\Windows\SysWOW64\Gbmadd32.exe
C:\Windows\system32\Gbmadd32.exe
1⤵
- Executes dropped EXE
PID:4316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 420
  2⤵
  - Program crash
  PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4316 -ip 4316
1⤵
PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgmoigj.exe

Filesize
398KB

MD5
035ea4a17ef6b0714bee1486d6dd82ea

SHA1
b8b8ede87cdf4cdabf6d8a75f44d19a1c0f1426a

SHA256
24bfbde96f0a014a1cad2373496444d9e6d4b0745a8c59ccd257caea819b1264

SHA512
7b58e50c34a119bc3f9d5753a383e56322f7758019259eadf88ad828cf605893cc820cc65a367c7c1e136d4221d32269a385f9baa579ad011070d326a0a057d3

Download Submit
C:\Windows\SysWOW64\Adgmoigj.exe

Filesize
398KB

MD5
035ea4a17ef6b0714bee1486d6dd82ea

SHA1
b8b8ede87cdf4cdabf6d8a75f44d19a1c0f1426a

SHA256
24bfbde96f0a014a1cad2373496444d9e6d4b0745a8c59ccd257caea819b1264

SHA512
7b58e50c34a119bc3f9d5753a383e56322f7758019259eadf88ad828cf605893cc820cc65a367c7c1e136d4221d32269a385f9baa579ad011070d326a0a057d3

Download Submit
C:\Windows\SysWOW64\Afappe32.exe

Filesize
398KB

MD5
2dd43a97fcc5c66ff08bc5949578c14c

SHA1
544b26c22549ddd14eff6db19aaa40fc6e20206b

SHA256
15412e96a8f65372efa4e09b0b2376ca060c725ac78cb0d8aca2bc889e7dba6a

SHA512
1ca3c45662d9a969c4873a88dd0a247dbb28ba029c94677d9669aa5cbfb25fc119790748fa1f2efdf5d3b61b07c9afe1a9fda5f225f2fffb5772b120ca5c3094

Download Submit
C:\Windows\SysWOW64\Afappe32.exe

Filesize
398KB

MD5
2dd43a97fcc5c66ff08bc5949578c14c

SHA1
544b26c22549ddd14eff6db19aaa40fc6e20206b

SHA256
15412e96a8f65372efa4e09b0b2376ca060c725ac78cb0d8aca2bc889e7dba6a

SHA512
1ca3c45662d9a969c4873a88dd0a247dbb28ba029c94677d9669aa5cbfb25fc119790748fa1f2efdf5d3b61b07c9afe1a9fda5f225f2fffb5772b120ca5c3094

Download Submit
C:\Windows\SysWOW64\Alapqh32.dll

Filesize
7KB

MD5
282788ceb1f4e8b783e6aaa9459c2a8a

SHA1
334c660a2808a69b5a9c7ff24206cdf33b9f44c4

SHA256
af2d45f96d329aa09cff2ef3eaae8155e83f37a1861144181d164ed08ec25096

SHA512
0c659a7deb1ac732af2d2b2def431df963d6e9436ff15f789fd2f940915d0fb7c82679062886e4f5ae936366c65ae2e5e13da97ddf3e179792fbbbfeabed82a8

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
398KB

MD5
89a656518519465e8e70e18641d67e32

SHA1
5982bb7a5b9da280145615963e3709e90dd6148a

SHA256
7baad4595332bdc537e1c6aaef9bdce789db183db3307bdd7c5e79fa0e2470bb

SHA512
86dfdbe8f48aa55bafa1988d6068f51f62599228316d0707da3ce431e9d218ded5eef4b57cf17e1edccfdd6df88707ed0a2e75047638f5316a06af000e2805a4

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
398KB

MD5
89a656518519465e8e70e18641d67e32

SHA1
5982bb7a5b9da280145615963e3709e90dd6148a

SHA256
7baad4595332bdc537e1c6aaef9bdce789db183db3307bdd7c5e79fa0e2470bb

SHA512
86dfdbe8f48aa55bafa1988d6068f51f62599228316d0707da3ce431e9d218ded5eef4b57cf17e1edccfdd6df88707ed0a2e75047638f5316a06af000e2805a4

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
398KB

MD5
e2039a9c37315d99e16e515bcf2c385a

SHA1
787c2743697ccb5d09e7b7982897a5ebe6f066a3

SHA256
0ddcaa7344b7db17e291fe9121a050e9d85b4481ebbb579257a8afb8189fae78

SHA512
428ecc0301dac715517f83131facb4546b84e6c7fd95d889ac37a07946b97d7a5d00a73e0e80bdbcf2dde76b9a6d94d0ec52931d5d43f0a6d1459c704190a5e5

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
398KB

MD5
e2039a9c37315d99e16e515bcf2c385a

SHA1
787c2743697ccb5d09e7b7982897a5ebe6f066a3

SHA256
0ddcaa7344b7db17e291fe9121a050e9d85b4481ebbb579257a8afb8189fae78

SHA512
428ecc0301dac715517f83131facb4546b84e6c7fd95d889ac37a07946b97d7a5d00a73e0e80bdbcf2dde76b9a6d94d0ec52931d5d43f0a6d1459c704190a5e5

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
398KB

MD5
b333629aabf51f470bc4ee7e4887d0db

SHA1
61a101ffd2ea664f243ee84b9b4ca3d9460e7989

SHA256
cd5e6407be063815d547dc1e46c39452301c103727026b300069410a2c7773ec

SHA512
024ba704caba7f6f75c6fa00c6182cd6eaee57bdbf4f8250d4ef7248a2f5d3ba2ef5306f6cf9da791136f9f438f641c6e431fedcf89292c8e9d1098f38386b2d

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
398KB

MD5
b333629aabf51f470bc4ee7e4887d0db

SHA1
61a101ffd2ea664f243ee84b9b4ca3d9460e7989

SHA256
cd5e6407be063815d547dc1e46c39452301c103727026b300069410a2c7773ec

SHA512
024ba704caba7f6f75c6fa00c6182cd6eaee57bdbf4f8250d4ef7248a2f5d3ba2ef5306f6cf9da791136f9f438f641c6e431fedcf89292c8e9d1098f38386b2d

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
398KB

MD5
df6d3e4e5b8dc7da1adf097a80cbc608

SHA1
e12ba844ce06834729b2c410f976b7f91bb5caf8

SHA256
7de783af35b388e0fa313b5baf1396067a4eabdd02e286b9426ef5e051953973

SHA512
1cb996543429ff32671a686fe044199ac3997a00d9765e48cddea83d9077d230a400e35b78f692eb9cc1715543fb89f45d50c916a7c1b5923dc84f3a9f888513

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
398KB

MD5
df6d3e4e5b8dc7da1adf097a80cbc608

SHA1
e12ba844ce06834729b2c410f976b7f91bb5caf8

SHA256
7de783af35b388e0fa313b5baf1396067a4eabdd02e286b9426ef5e051953973

SHA512
1cb996543429ff32671a686fe044199ac3997a00d9765e48cddea83d9077d230a400e35b78f692eb9cc1715543fb89f45d50c916a7c1b5923dc84f3a9f888513

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
398KB

MD5
ef5f8887a53cc2d43efee4b1fcc4a8b5

SHA1
569156fdf9dd31dbbc7ca028f556f17821fce3b9

SHA256
7b4cb4ba19378f7a5375c6c32f24f01f5c4772707fd4a3c62cadecaf76a78eac

SHA512
f7a0a02a28619412b278d628e25feed8128a9d9f6ea1032cc3401e138bee94133e6862b9fa7ae3fa0ff72b1441a83325900976927a52aeaefcb8b7c587902be0

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
398KB

MD5
82e1fe1748788dd64994310976a6e298

SHA1
f1ec50236b5261dac56f8c2e47cbfa490b1cc6e9

SHA256
9a704b8c8e01fd6a39a0195132094ed13792bfd71cdc35eff30d93624ec71756

SHA512
39675f00e4b589fed55ea87c08add3999a76fb948bbcb718a32c1a3a8dac6a1b050963b0e3524ca97c8c895bc9ad2c7dced78fc46c64adf20b15a14c10c1b2a0

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
398KB

MD5
82e1fe1748788dd64994310976a6e298

SHA1
f1ec50236b5261dac56f8c2e47cbfa490b1cc6e9

SHA256
9a704b8c8e01fd6a39a0195132094ed13792bfd71cdc35eff30d93624ec71756

SHA512
39675f00e4b589fed55ea87c08add3999a76fb948bbcb718a32c1a3a8dac6a1b050963b0e3524ca97c8c895bc9ad2c7dced78fc46c64adf20b15a14c10c1b2a0

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
398KB

MD5
09d94e2fcf40b701e873df960db6dd6f

SHA1
cc4156973b01de11f8f976da985cd161b56a1100

SHA256
4f6323f2a8a481f90f34dfaad6e0831f599c5c646b50fbd673ce797a11dd9c17

SHA512
c11708784cf66398a6b1695ece3755e53764387a541ed932ef4cfd44a500b52c6e9046ba5de49a935b266cc68043171d2f40f335eaa6a35b6c776e9a493968aa

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
398KB

MD5
09d94e2fcf40b701e873df960db6dd6f

SHA1
cc4156973b01de11f8f976da985cd161b56a1100

SHA256
4f6323f2a8a481f90f34dfaad6e0831f599c5c646b50fbd673ce797a11dd9c17

SHA512
c11708784cf66398a6b1695ece3755e53764387a541ed932ef4cfd44a500b52c6e9046ba5de49a935b266cc68043171d2f40f335eaa6a35b6c776e9a493968aa

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
398KB

MD5
5faf2a9d6a2e06a975a10aa474868420

SHA1
de384f76efb46a2f4c9976474cc78c9d2bdd2b52

SHA256
162f48616430a42f7615843695368bb6db348a1504c7accb144d3d3c9dac3509

SHA512
d67e85b9ce5edf5e0d396ddae273782b85727f29492eb3547b4307466e6425f59de4a7c9e13d2c4d8a7a91271f5a0efc673d480dc5c114992c7b9cafbb406122

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
398KB

MD5
5faf2a9d6a2e06a975a10aa474868420

SHA1
de384f76efb46a2f4c9976474cc78c9d2bdd2b52

SHA256
162f48616430a42f7615843695368bb6db348a1504c7accb144d3d3c9dac3509

SHA512
d67e85b9ce5edf5e0d396ddae273782b85727f29492eb3547b4307466e6425f59de4a7c9e13d2c4d8a7a91271f5a0efc673d480dc5c114992c7b9cafbb406122

Download Submit
C:\Windows\SysWOW64\Ejlnfjbd.exe

Filesize
398KB

MD5
2fef029362a5f9b4f528a542bda69060

SHA1
fc47a71d83fb5e09844a930b4644b7928b76de1b

SHA256
d7b99ee4731e8b644bcdf5e47380c825775a336528e4342d6bea5b9265c9cfd5

SHA512
08dc7e4fc48c026b4ef15a4322ab40698df0c020e2368049df2039f00d2ba9bf49d6e14440acef593c2f4ea30a9d00e930355a5529bd352a685f6c661492a173

Download Submit
C:\Windows\SysWOW64\Ejlnfjbd.exe

Filesize
398KB

MD5
aaff7dc7b43bee1fecba4cae83229982

SHA1
e57419d22d544f2c25981c0aa23d9df757e3fb18

SHA256
0f16510dd065c83242f779132b8cc58542b210e84e9cf440b1ed7a3cb478a48d

SHA512
c78a8df93eb80107d5b091d2d6eb949defb30e1c7f8c6f7a69adc9c25c09619e14c08d4a01aaf6ca152283282854a1ec1679f557873ec6325415afb5d186c995

Download Submit
C:\Windows\SysWOW64\Ejlnfjbd.exe

Filesize
398KB

MD5
aaff7dc7b43bee1fecba4cae83229982

SHA1
e57419d22d544f2c25981c0aa23d9df757e3fb18

SHA256
0f16510dd065c83242f779132b8cc58542b210e84e9cf440b1ed7a3cb478a48d

SHA512
c78a8df93eb80107d5b091d2d6eb949defb30e1c7f8c6f7a69adc9c25c09619e14c08d4a01aaf6ca152283282854a1ec1679f557873ec6325415afb5d186c995

Download Submit
C:\Windows\SysWOW64\Eqkondfl.exe

Filesize
398KB

MD5
4033b7af1f2ef23b01db7847b9fddab0

SHA1
9d6ffd791f791a4b56e7e772a4a12ffb54f7de09

SHA256
2af381b5cbdd77d4e93f4ccd145a8b47a56c2ed9c8ec60747ddad102a1b709cb

SHA512
4edeecebb2e22cd8a24a75dad62ca3366d69ab313c0a9cf46f1a1e30a9872af69f7f4b3922091545b74f490c957bc496fccdd9a6ea6cd0ab79f8169744b8b552

Download Submit
C:\Windows\SysWOW64\Eqkondfl.exe

Filesize
398KB

MD5
4033b7af1f2ef23b01db7847b9fddab0

SHA1
9d6ffd791f791a4b56e7e772a4a12ffb54f7de09

SHA256
2af381b5cbdd77d4e93f4ccd145a8b47a56c2ed9c8ec60747ddad102a1b709cb

SHA512
4edeecebb2e22cd8a24a75dad62ca3366d69ab313c0a9cf46f1a1e30a9872af69f7f4b3922091545b74f490c957bc496fccdd9a6ea6cd0ab79f8169744b8b552

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
398KB

MD5
a9ed92e4007d9d800541a63311ca9cbe

SHA1
1633e546dd26732285820acf3e892a218958f2d9

SHA256
ba89c693169c3dd3d69d8c8b453c4d94ccc68829579012f4b30ee3adf3beb770

SHA512
4e7bd7ee9bc42044609948b959f8ddef4b7a00a66db6e28ae1789b6b5fbc0ec574950e839c24fcd42c3d97c8974924a34c36f4da3270c2cfd5d3182565d3af01

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
398KB

MD5
a9ed92e4007d9d800541a63311ca9cbe

SHA1
1633e546dd26732285820acf3e892a218958f2d9

SHA256
ba89c693169c3dd3d69d8c8b453c4d94ccc68829579012f4b30ee3adf3beb770

SHA512
4e7bd7ee9bc42044609948b959f8ddef4b7a00a66db6e28ae1789b6b5fbc0ec574950e839c24fcd42c3d97c8974924a34c36f4da3270c2cfd5d3182565d3af01

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe

Filesize
398KB

MD5
3a672a0c209879f348f5abf5723069c9

SHA1
22bfeb853533ef528b3876be560167e61ffa4e7f

SHA256
3c13f2c7eac5971b3c7430d9c4205b640e991fdf4171415dd98e17ca8640e4da

SHA512
11831c6f74afaadf44b980b2be6c21207e61eda4abee93467eb131c56e233b030f959963bd279d167031d9e281ff848440e1ebb273b1881aa29252b6c6db4f35

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe

Filesize
398KB

MD5
3a672a0c209879f348f5abf5723069c9

SHA1
22bfeb853533ef528b3876be560167e61ffa4e7f

SHA256
3c13f2c7eac5971b3c7430d9c4205b640e991fdf4171415dd98e17ca8640e4da

SHA512
11831c6f74afaadf44b980b2be6c21207e61eda4abee93467eb131c56e233b030f959963bd279d167031d9e281ff848440e1ebb273b1881aa29252b6c6db4f35

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
398KB

MD5
ce15f9e4eb487b974a667fc589833921

SHA1
49f3c72c210c0d27b4b91d5e693b2776e2dc63e1

SHA256
5e6a75ee39594bde83808de63adff64a57d6b03c7e7f1eb512525abbc8a1e71d

SHA512
c2b5e379dcc74e6a4b1e8c3456763fc4029ceaab23fb8545f1ecfaf00286117d5e13bb64345028110135812b0d5b4aa82be376b4fb3cd135cc79522cb970bb59

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
398KB

MD5
ce15f9e4eb487b974a667fc589833921

SHA1
49f3c72c210c0d27b4b91d5e693b2776e2dc63e1

SHA256
5e6a75ee39594bde83808de63adff64a57d6b03c7e7f1eb512525abbc8a1e71d

SHA512
c2b5e379dcc74e6a4b1e8c3456763fc4029ceaab23fb8545f1ecfaf00286117d5e13bb64345028110135812b0d5b4aa82be376b4fb3cd135cc79522cb970bb59

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
398KB

MD5
ce15f9e4eb487b974a667fc589833921

SHA1
49f3c72c210c0d27b4b91d5e693b2776e2dc63e1

SHA256
5e6a75ee39594bde83808de63adff64a57d6b03c7e7f1eb512525abbc8a1e71d

SHA512
c2b5e379dcc74e6a4b1e8c3456763fc4029ceaab23fb8545f1ecfaf00286117d5e13bb64345028110135812b0d5b4aa82be376b4fb3cd135cc79522cb970bb59

Download Submit
C:\Windows\SysWOW64\Gqkhda32.exe

Filesize
398KB

MD5
77b58ddfbe954230463af21b1bec61fd

SHA1
f0ccbfb11a77ef6d073cfca96e409bb9a756671a

SHA256
ca9c54d8c5ae4277c7ec042012d57426a1fef426846f2058f5bf545e823aa6e6

SHA512
15d8ca6be4ae7fa15918e84df4ccafd92781f0f1ffc69ac711ff8d90babb25985a770de1cf2d5b5090f2e58ac18c1c2dd08bfb34515906ee8fa4d20af3f3d82a

Download Submit
C:\Windows\SysWOW64\Gqkhda32.exe

Filesize
398KB

MD5
eeee60631534e429120b8812cd8e47f0

SHA1
dcb19af16606a8f1c7ee5f82ac7dc05897c9cf33

SHA256
11b4a7e80cd5cf7e7a97e05626c3369993162815553f808f137421aa897f3706

SHA512
50972779d964893e043322e570280810db3cfe79be574c266afd38b115b03a910b5f722871e0679e079783c066f83347b1bc558007c9b5042c644fbad355488b

Download Submit
C:\Windows\SysWOW64\Gqkhda32.exe

Filesize
398KB

MD5
eeee60631534e429120b8812cd8e47f0

SHA1
dcb19af16606a8f1c7ee5f82ac7dc05897c9cf33

SHA256
11b4a7e80cd5cf7e7a97e05626c3369993162815553f808f137421aa897f3706

SHA512
50972779d964893e043322e570280810db3cfe79be574c266afd38b115b03a910b5f722871e0679e079783c066f83347b1bc558007c9b5042c644fbad355488b

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
398KB

MD5
2c74e8f4f7a489c6142132d3d9f3250e

SHA1
1d40038b6d007b2ef0342a04b35fec2484e1f0fb

SHA256
cd2cc676e75f254132f3aea7cc6290d7a19e258aac11a621b40616f7bf4ca6bd

SHA512
0f79c156f4ff9f3054ba2f58113cf54b8b82d125804bf940390bf8c8099a63fc6580ad245e98ead65cf84923adedc23f16e30cf5b2cfad0505d74826dfcb340a

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
398KB

MD5
2c74e8f4f7a489c6142132d3d9f3250e

SHA1
1d40038b6d007b2ef0342a04b35fec2484e1f0fb

SHA256
cd2cc676e75f254132f3aea7cc6290d7a19e258aac11a621b40616f7bf4ca6bd

SHA512
0f79c156f4ff9f3054ba2f58113cf54b8b82d125804bf940390bf8c8099a63fc6580ad245e98ead65cf84923adedc23f16e30cf5b2cfad0505d74826dfcb340a

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
398KB

MD5
a9db9fa8047bbb32dc679a818f77023c

SHA1
0a15f93fce12971739925d4c15683fc2321507aa

SHA256
d90cbf3fb965e59a00a1d193beb8b85cb2b4c0537f50cb96ecf63864bc1c48ca

SHA512
69a836ef96ab8db0347605759a8228402df9d576c755d6a5d96594b02dbcf24b95de8983db0b80475eb1107d4d36e33be1959590a43aa96fb2b94e982c5b6383

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
398KB

MD5
a9db9fa8047bbb32dc679a818f77023c

SHA1
0a15f93fce12971739925d4c15683fc2321507aa

SHA256
d90cbf3fb965e59a00a1d193beb8b85cb2b4c0537f50cb96ecf63864bc1c48ca

SHA512
69a836ef96ab8db0347605759a8228402df9d576c755d6a5d96594b02dbcf24b95de8983db0b80475eb1107d4d36e33be1959590a43aa96fb2b94e982c5b6383

Download Submit
C:\Windows\SysWOW64\Mhanngbl.exe

Filesize
398KB

MD5
93d32c2be1cb6637abf8c27d96189273

SHA1
f1be0a636cde09c4c628ed57d3faa155a4580d89

SHA256
a9e0fac14c719677d3daa039cd2561a8ccce49a7bce55de4bcafe62532da8557

SHA512
e2d5899a9dc882848596e6c768681a3d6542939e9da30cf4d07c11fb2f1802d51ed0017c75c6b8965420795b92ab2df88acfd0f931e0861f332ad9c76cfb8408

Download Submit
C:\Windows\SysWOW64\Mhanngbl.exe

Filesize
398KB

MD5
93d32c2be1cb6637abf8c27d96189273

SHA1
f1be0a636cde09c4c628ed57d3faa155a4580d89

SHA256
a9e0fac14c719677d3daa039cd2561a8ccce49a7bce55de4bcafe62532da8557

SHA512
e2d5899a9dc882848596e6c768681a3d6542939e9da30cf4d07c11fb2f1802d51ed0017c75c6b8965420795b92ab2df88acfd0f931e0861f332ad9c76cfb8408

Download Submit
C:\Windows\SysWOW64\Mhjhmhhd.exe

Filesize
398KB

MD5
9fe5487da7513faadc162a31a6a69353

SHA1
3ce9747d50dca9e0a564e36887e61b075ee15a52

SHA256
9a96313a6468213d2d68b3cfab0067cbd06e1811ea7d8de0a470525d31fb8590

SHA512
431284357966e7e3cef7134c26007c7191098c39015f8a3cddb867b56c14cbb0ff865158b8d6c8be7383d20dd07873d85be1e6b035524821931644ef05e6e962

Download Submit
C:\Windows\SysWOW64\Mhjhmhhd.exe

Filesize
398KB

MD5
9fe5487da7513faadc162a31a6a69353

SHA1
3ce9747d50dca9e0a564e36887e61b075ee15a52

SHA256
9a96313a6468213d2d68b3cfab0067cbd06e1811ea7d8de0a470525d31fb8590

SHA512
431284357966e7e3cef7134c26007c7191098c39015f8a3cddb867b56c14cbb0ff865158b8d6c8be7383d20dd07873d85be1e6b035524821931644ef05e6e962

Download Submit
C:\Windows\SysWOW64\Njbgmjgl.exe

Filesize
398KB

MD5
895ca1e8d6f0a307370ebdf7576dfe4a

SHA1
9a6920eb6227fa1846b1569c58e69c6ffeb45459

SHA256
71da0c6b2df509f8e96bfcb61fae507f53ea9218dbedc0017c4f987c85083098

SHA512
a7719337d8e650a4e55b76692727577ee6a7ab2d55f27432ff16918b6f57c2004047340f34437f6f7ba6ea9e7835589866d6bafa6aab7b983be8a4a51ef35e94

Download Submit
C:\Windows\SysWOW64\Njbgmjgl.exe

Filesize
398KB

MD5
895ca1e8d6f0a307370ebdf7576dfe4a

SHA1
9a6920eb6227fa1846b1569c58e69c6ffeb45459

SHA256
71da0c6b2df509f8e96bfcb61fae507f53ea9218dbedc0017c4f987c85083098

SHA512
a7719337d8e650a4e55b76692727577ee6a7ab2d55f27432ff16918b6f57c2004047340f34437f6f7ba6ea9e7835589866d6bafa6aab7b983be8a4a51ef35e94

Download Submit
C:\Windows\SysWOW64\Njbgmjgl.exe

Filesize
398KB

MD5
895ca1e8d6f0a307370ebdf7576dfe4a

SHA1
9a6920eb6227fa1846b1569c58e69c6ffeb45459

SHA256
71da0c6b2df509f8e96bfcb61fae507f53ea9218dbedc0017c4f987c85083098

SHA512
a7719337d8e650a4e55b76692727577ee6a7ab2d55f27432ff16918b6f57c2004047340f34437f6f7ba6ea9e7835589866d6bafa6aab7b983be8a4a51ef35e94

Download Submit
C:\Windows\SysWOW64\Nmcpoedn.exe

Filesize
398KB

MD5
4e3391520b25f79e2317baefc0a15720

SHA1
ffef5546ea563b2658cb88bdf0aa89db2a36870e

SHA256
ee6b85572e65dd193e9d9f207f04f07bc361b364ecc173e7f828f41eb2258119

SHA512
1238aba374d5b7e33d6783a480e6f174d9b323f136ae4c4db558206fa459b1c4399c7ca7e99dbead106d3a8d5c84e510db88887a31bee85e0fa99308ff80d976

Download Submit
C:\Windows\SysWOW64\Nmcpoedn.exe

Filesize
398KB

MD5
4e3391520b25f79e2317baefc0a15720

SHA1
ffef5546ea563b2658cb88bdf0aa89db2a36870e

SHA256
ee6b85572e65dd193e9d9f207f04f07bc361b364ecc173e7f828f41eb2258119

SHA512
1238aba374d5b7e33d6783a480e6f174d9b323f136ae4c4db558206fa459b1c4399c7ca7e99dbead106d3a8d5c84e510db88887a31bee85e0fa99308ff80d976

Download Submit
C:\Windows\SysWOW64\Ojcpdg32.exe

Filesize
398KB

MD5
86de8c15a85ae89dc78f5e8c9615fed7

SHA1
bc6c5d1016baa8b1c0aa32528c28599744d83733

SHA256
364c81fc8289dd76a2fc157075e2e2b20cf726a08d9233c1f5a1796dceae0266

SHA512
8053aa0734cb0e6dac8bed2a4fcd91cea5ac7e5035d8ce71fb44eb13050449521fcb2e1adc1e10d3e171493f5a8ab91bbbb2642490d5f82c64724657dce6de42

Download Submit
C:\Windows\SysWOW64\Ojcpdg32.exe

Filesize
398KB

MD5
86de8c15a85ae89dc78f5e8c9615fed7

SHA1
bc6c5d1016baa8b1c0aa32528c28599744d83733

SHA256
364c81fc8289dd76a2fc157075e2e2b20cf726a08d9233c1f5a1796dceae0266

SHA512
8053aa0734cb0e6dac8bed2a4fcd91cea5ac7e5035d8ce71fb44eb13050449521fcb2e1adc1e10d3e171493f5a8ab91bbbb2642490d5f82c64724657dce6de42

Download Submit
C:\Windows\SysWOW64\Pmphaaln.exe

Filesize
398KB

MD5
0197bf6987e3ad1a5d134d3c1eda271c

SHA1
69500701623ff928cd4403a692231a14f0b154e3

SHA256
260decd0d2ce03b04edcca35b4eea767998b4d5c9b7a484f1c7773b1e569adee

SHA512
b45684d04a11e94e1eafaad0aa68c00a1878ac490dad258975d9c93a41998d681ddfa5548a2a16dca7ea046c9ce28602435b30ea8c08ac033b1c2252195e3f76

Download Submit
C:\Windows\SysWOW64\Pmphaaln.exe

Filesize
398KB

MD5
0197bf6987e3ad1a5d134d3c1eda271c

SHA1
69500701623ff928cd4403a692231a14f0b154e3

SHA256
260decd0d2ce03b04edcca35b4eea767998b4d5c9b7a484f1c7773b1e569adee

SHA512
b45684d04a11e94e1eafaad0aa68c00a1878ac490dad258975d9c93a41998d681ddfa5548a2a16dca7ea046c9ce28602435b30ea8c08ac033b1c2252195e3f76

Download Submit
C:\Windows\SysWOW64\Ppdbgncl.exe

Filesize
398KB

MD5
09a34b72eb329ffadf29441b669c2ab6

SHA1
cb22928ddda600692ce71ffa0bdd806a4f809126

SHA256
5818cb446dbbdf7da86947fb8393aeefad13fadd044ff95498fc744204e4e325

SHA512
8841af7aece8ade0efcf116f0c888015d0538eabde7a798bfb2fe3d684fdb28d735f81acc0160565fbf238e609f0af33f8d6a47c1d7c042ccc86464648fcdb13

Download Submit
C:\Windows\SysWOW64\Ppdbgncl.exe

Filesize
398KB

MD5
09a34b72eb329ffadf29441b669c2ab6

SHA1
cb22928ddda600692ce71ffa0bdd806a4f809126

SHA256
5818cb446dbbdf7da86947fb8393aeefad13fadd044ff95498fc744204e4e325

SHA512
8841af7aece8ade0efcf116f0c888015d0538eabde7a798bfb2fe3d684fdb28d735f81acc0160565fbf238e609f0af33f8d6a47c1d7c042ccc86464648fcdb13

Download Submit
C:\Windows\SysWOW64\Ppikbm32.exe

Filesize
398KB

MD5
f9e7b9d0b981f99ffa27985caa80ad85

SHA1
b863f35d1db9f488de60c012db7fdd7c1cf5d690

SHA256
e5d58333b6b93ade212ff2c8179a5203270d63ea82d04da8be33f06b1c348735

SHA512
967a93daa643ad503022d90eca9ac90381b3300295425b7f769cc415d8aa104550ed61a29196767d421ef6c8738d8640e3e6a10410e4ed4886d2c168af21f225

Download Submit
C:\Windows\SysWOW64\Ppikbm32.exe

Filesize
398KB

MD5
f9e7b9d0b981f99ffa27985caa80ad85

SHA1
b863f35d1db9f488de60c012db7fdd7c1cf5d690

SHA256
e5d58333b6b93ade212ff2c8179a5203270d63ea82d04da8be33f06b1c348735

SHA512
967a93daa643ad503022d90eca9ac90381b3300295425b7f769cc415d8aa104550ed61a29196767d421ef6c8738d8640e3e6a10410e4ed4886d2c168af21f225

Download Submit
C:\Windows\SysWOW64\Qcnjijoe.exe

Filesize
398KB

MD5
e64e6c9f5ac9b14bc3d36ca68e9a810c

SHA1
32b2a2dcdc89b07df44118174c906f91d403a58e

SHA256
a0e3e95ac4dc345063ccd259477cf3e8b7dcbbd0ffaefc51b2964f32001c063f

SHA512
1e5eb7a6277e8bb536b2adcd4ffb8f8a4d30d5f317a45dbcce50e0c57d950ce6016c8eade1a037c2f320f0c3057ea620e459b78ad56ccf04fe9caba041879232

Download Submit
C:\Windows\SysWOW64\Qcnjijoe.exe

Filesize
398KB

MD5
e64e6c9f5ac9b14bc3d36ca68e9a810c

SHA1
32b2a2dcdc89b07df44118174c906f91d403a58e

SHA256
a0e3e95ac4dc345063ccd259477cf3e8b7dcbbd0ffaefc51b2964f32001c063f

SHA512
1e5eb7a6277e8bb536b2adcd4ffb8f8a4d30d5f317a45dbcce50e0c57d950ce6016c8eade1a037c2f320f0c3057ea620e459b78ad56ccf04fe9caba041879232

Download Submit
memory/348-211-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/348-191-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/812-220-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/812-119-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1008-215-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1008-160-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1364-233-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1364-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2120-63-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2120-227-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2176-47-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2176-229-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2548-31-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2548-232-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2924-214-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2924-175-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2932-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2932-234-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3004-231-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3004-24-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3352-210-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3352-199-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3436-95-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3436-223-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3488-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3488-228-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3632-143-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3632-217-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3760-135-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3760-218-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3776-127-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3776-219-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3956-103-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3956-222-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3996-71-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3996-226-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4056-40-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4056-230-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4316-209-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4316-208-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4428-151-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4428-216-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4472-224-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4472-87-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4596-8-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4596-235-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4652-212-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4652-183-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4668-213-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4668-167-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4680-79-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4680-225-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5008-112-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5008-221-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads