7ea73093448f5bf87ce8e4f023c805a0ad275c2a22365803d0b04a5730d9136e

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d7702411356e06b0e6a26e9a86471270.exe
Size

414KB
MD5

d7702411356e06b0e6a26e9a86471270
SHA1

31de4657b3bca2cf2e5e35b56f6e19e9bfc9e2d9
SHA256

7ea73093448f5bf87ce8e4f023c805a0ad275c2a22365803d0b04a5730d9136e
SHA512

e9bea5f0831eb616f0fcab71bac242baae1363cf6989f35cbdf57434f8a6b08241afe4cfbc933e6d08183a4fe27b89a561bb0b6b09bdd48c8e11ecb14a67eda2
SSDEEP

6144:xFI9cfTCndOGeKTame6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQMJSZO5k:xFIIedOGeKTaPkY660fIaDZkY660ffL

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhlgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgccinoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jglklggl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnpfop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaehljpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkjlic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihnomjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjola32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnfjbdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmcdffmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gklnjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iggaah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkcfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgclpkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gklnjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Milidebi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkalplel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljeafb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqkiok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgeakekd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkidm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjlkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijogmdqm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lejgch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldgccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmdemd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Madjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Modgdicm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgghjjid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbpkkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkalplel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkeekk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgaokl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpcjgnhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lobjni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnngpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjola32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdbhkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdemd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkkmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Malpia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kodnmkap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modgdicm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhflnpoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmcdffmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnnbqnjn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgccinoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lqmmmmph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nflkbanj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijogmdqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdbhkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Milidebi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lggldm32.exe

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/1784-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e1f-6.dat	family_berbew
behavioral2/files/0x0006000000022e1f-7.dat	family_berbew
behavioral2/memory/3048-12-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e21-14.dat	family_berbew
behavioral2/memory/4040-15-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e21-16.dat	family_berbew
behavioral2/files/0x0008000000022e13-17.dat	family_berbew
behavioral2/files/0x0008000000022e13-22.dat	family_berbew
behavioral2/memory/4820-23-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e13-24.dat	family_berbew
behavioral2/memory/2044-31-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e24-32.dat	family_berbew
behavioral2/files/0x0006000000022e24-30.dat	family_berbew
behavioral2/files/0x0006000000022e27-38.dat	family_berbew
behavioral2/memory/2260-39-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e27-40.dat	family_berbew
behavioral2/files/0x0006000000022e29-46.dat	family_berbew
behavioral2/memory/2580-47-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e29-48.dat	family_berbew
behavioral2/memory/2012-56-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e2e-62.dat	family_berbew
behavioral2/files/0x0006000000022e2b-55.dat	family_berbew
behavioral2/files/0x0006000000022e2b-54.dat	family_berbew
behavioral2/files/0x0006000000022e2e-63.dat	family_berbew
behavioral2/memory/3864-64-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e30-65.dat	family_berbew
behavioral2/files/0x0006000000022e30-70.dat	family_berbew
behavioral2/files/0x0006000000022e30-71.dat	family_berbew
behavioral2/memory/4432-72-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e32-78.dat	family_berbew
behavioral2/memory/2112-80-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e32-79.dat	family_berbew
behavioral2/memory/4980-88-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e34-87.dat	family_berbew
behavioral2/files/0x0006000000022e34-86.dat	family_berbew
behavioral2/files/0x0006000000022e36-94.dat	family_berbew
behavioral2/files/0x0006000000022e36-95.dat	family_berbew
behavioral2/memory/4144-96-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e38-102.dat	family_berbew
behavioral2/files/0x0006000000022e38-103.dat	family_berbew
behavioral2/memory/1200-104-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e3a-110.dat	family_berbew
behavioral2/files/0x0006000000022e3a-111.dat	family_berbew
behavioral2/memory/3712-112-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e3c-118.dat	family_berbew
behavioral2/files/0x0006000000022e3c-119.dat	family_berbew
behavioral2/memory/2840-123-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e3e-126.dat	family_berbew
behavioral2/files/0x0006000000022e3e-128.dat	family_berbew
behavioral2/memory/1744-127-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022d3c-134.dat	family_berbew
behavioral2/files/0x0007000000022d3c-136.dat	family_berbew
behavioral2/files/0x0006000000022e41-143.dat	family_berbew
behavioral2/memory/2688-146-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e43-150.dat	family_berbew
behavioral2/files/0x0006000000022e43-151.dat	family_berbew
behavioral2/memory/1100-152-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/2532-160-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e45-158.dat	family_berbew
behavioral2/files/0x0006000000022e45-159.dat	family_berbew
behavioral2/files/0x0006000000022e41-142.dat	family_berbew
behavioral2/memory/4720-135-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/3444-168-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
3048	Fhflnpoi.exe
4040	Gmcdffmq.exe
4820	Gaamlecg.exe
2044	Gacjadad.exe
2260	Gklnjj32.exe
2580	Gnlgleef.exe
2012	Hnodaecc.exe
3864	Hgghjjid.exe
4432	Hpomcp32.exe
2112	Hhiajmod.exe
4980	Hnfjbdmk.exe
4144	Hjlkge32.exe
1200	Ijogmdqm.exe
3712	Iggaah32.exe
2840	Jglklggl.exe
1744	Jhlgfj32.exe
4720	Jdbhkk32.exe
2688	Jbfheo32.exe
1100	Jnmijq32.exe
2532	Jnpfop32.exe
3444	Kkcfid32.exe
1508	Kbpkkn32.exe
4308	Kjkpoq32.exe
1940	Kaehljpj.exe
380	Kkjlic32.exe
1308	Lnnbqnjn.exe
456	Licfngjd.exe
4848	Lejgch32.exe
3396	Lndham32.exe
1124	Milidebi.exe
3852	Lgccinoe.exe
1860	Ldgccb32.exe
4612	Lkalplel.exe
4684	Lggldm32.exe
4620	Lmdemd32.exe
4440	Lkeekk32.exe
2304	Madjhb32.exe
2652	Mgobel32.exe
3972	Mmkkmc32.exe
4996	Mgaokl32.exe
3432	Mmnhcb32.exe
3928	Mgclpkac.exe
3820	Malpia32.exe
4028	Fihnomjp.exe
384	Kcmmhj32.exe
3120	Kncaec32.exe
1644	Kodnmkap.exe
4172	Kfnfjehl.exe
4340	Kpcjgnhb.exe
2584	Kgnbdh32.exe
400	Kngkqbgl.exe
1288	Lnjgfb32.exe
4448	Lcgpni32.exe
3240	Lqkqhm32.exe
3776	Lgdidgjg.exe
4784	Lnoaaaad.exe
688	Lqmmmmph.exe
4836	Ljeafb32.exe
3836	Lobjni32.exe
4316	Lncjlq32.exe
1888	Modgdicm.exe
3556	Mjjkaabc.exe
2592	Mogcihaj.exe
1312	Mfqlfb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lmdemd32.exe	Lggldm32.exe
File created	C:\Windows\SysWOW64\Hemikcpm.dll	Kgnbdh32.exe
File created	C:\Windows\SysWOW64\Jcemmf32.dll	Gklnjj32.exe
File opened for modification	C:\Windows\SysWOW64\Kkjlic32.exe	Kaehljpj.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjocbhbo.exe
File opened for modification	C:\Windows\SysWOW64\Jnmijq32.exe	Jbfheo32.exe
File created	C:\Windows\SysWOW64\Dnngpj32.exe	Oaifpi32.exe
File created	C:\Windows\SysWOW64\Kpcjgnhb.exe	Kfnfjehl.exe
File created	C:\Windows\SysWOW64\Iblhpckf.dll	Lcgpni32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Fedbbjgh.dll	Mgobel32.exe
File created	C:\Windows\SysWOW64\Pgpecj32.dll	Kcmmhj32.exe
File created	C:\Windows\SysWOW64\Lqkqhm32.exe	Lcgpni32.exe
File created	C:\Windows\SysWOW64\Ngidlo32.dll	Lqmmmmph.exe
File created	C:\Windows\SysWOW64\Bkncfepb.dll	Modgdicm.exe
File created	C:\Windows\SysWOW64\Nbgqin32.dll	Nfjola32.exe
File opened for modification	C:\Windows\SysWOW64\Ijogmdqm.exe	Hjlkge32.exe
File created	C:\Windows\SysWOW64\Mgaokl32.exe	Mmkkmc32.exe
File created	C:\Windows\SysWOW64\Malpia32.exe	Mgclpkac.exe
File created	C:\Windows\SysWOW64\Lnnbqnjn.exe	Kkjlic32.exe
File opened for modification	C:\Windows\SysWOW64\Milidebi.exe	Lndham32.exe
File created	C:\Windows\SysWOW64\Mgeakekd.exe	Mqkiok32.exe
File opened for modification	C:\Windows\SysWOW64\Fbdnne32.exe	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Ldjcfk32.dll	Fihnomjp.exe
File created	C:\Windows\SysWOW64\Fgeaiknl.dll	Kncaec32.exe
File created	C:\Windows\SysWOW64\Mmnhcb32.exe	Mgaokl32.exe
File created	C:\Windows\SysWOW64\Fdllgpbm.dll	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Ngqagcag.exe	Nncccnol.exe
File opened for modification	C:\Windows\SysWOW64\Gnlgleef.exe	Gklnjj32.exe
File opened for modification	C:\Windows\SysWOW64\Hgghjjid.exe	Hnodaecc.exe
File created	C:\Windows\SysWOW64\Mgobel32.exe	Madjhb32.exe
File created	C:\Windows\SysWOW64\Pdnjmc32.dll	Milidebi.exe
File opened for modification	C:\Windows\SysWOW64\Lgdidgjg.exe	Lqkqhm32.exe
File created	C:\Windows\SysWOW64\Hnodaecc.exe	Gnlgleef.exe
File created	C:\Windows\SysWOW64\Hhiajmod.exe	Hpomcp32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfheo32.exe	Jdbhkk32.exe
File created	C:\Windows\SysWOW64\Qfglbe32.dll	Lkalplel.exe
File created	C:\Windows\SysWOW64\Jfqqddpi.dll	Dnngpj32.exe
File created	C:\Windows\SysWOW64\Cibncf32.dll	Fhflnpoi.exe
File opened for modification	C:\Windows\SysWOW64\Gaamlecg.exe	Gmcdffmq.exe
File created	C:\Windows\SysWOW64\Hjlkge32.exe	Hnfjbdmk.exe
File created	C:\Windows\SysWOW64\Eemeqinf.dll	Oaifpi32.exe
File created	C:\Windows\SysWOW64\Paedlhhc.dll	Mmnhcb32.exe
File created	C:\Windows\SysWOW64\Mqkiok32.exe	Mqfpckhm.exe
File opened for modification	C:\Windows\SysWOW64\Lqkqhm32.exe	Lcgpni32.exe
File created	C:\Windows\SysWOW64\Modgdicm.exe	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Dckajh32.dll	Mjjkaabc.exe
File opened for modification	C:\Windows\SysWOW64\Nqpcjj32.exe	Nfjola32.exe
File opened for modification	C:\Windows\SysWOW64\Dnngpj32.exe	Oaifpi32.exe
File created	C:\Windows\SysWOW64\Nnimkcjf.dll	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Licfngjd.exe	Lnnbqnjn.exe
File opened for modification	C:\Windows\SysWOW64\Malpia32.exe	Mgclpkac.exe
File created	C:\Windows\SysWOW64\Fohoiloe.dll	Fcekfnkb.exe
File opened for modification	C:\Windows\SysWOW64\Ldgccb32.exe	Lgccinoe.exe
File created	C:\Windows\SysWOW64\Kncaec32.exe	Kcmmhj32.exe
File opened for modification	C:\Windows\SysWOW64\Kngkqbgl.exe	Kgnbdh32.exe
File created	C:\Windows\SysWOW64\Lejgch32.exe	Licfngjd.exe
File opened for modification	C:\Windows\SysWOW64\Lejgch32.exe	Licfngjd.exe
File opened for modification	C:\Windows\SysWOW64\Lcgpni32.exe	Lnjgfb32.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Nncccnol.exe
File created	C:\Windows\SysWOW64\Dempqa32.dll	Nncccnol.exe
File opened for modification	C:\Windows\SysWOW64\Hnodaecc.exe	Gnlgleef.exe
File created	C:\Windows\SysWOW64\Gmemic32.dll	Hjlkge32.exe
File created	C:\Windows\SysWOW64\Fihgkk32.dll	Ljeafb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5216	6076	WerFault.exe	181

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jglklggl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfgjhf32.dll"	Gacjadad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gacjadad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldgccb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnnbqnjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpgam32.dll"	Lnjgfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgqin32.dll"	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnfjbdmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jglklggl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjlkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgaokl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmcdffmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bildbk32.dll"	Gaamlecg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjkpoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohofdmkm.dll"	Malpia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcmmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eanmnefk.dll"	Lqkqhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkncfepb.dll"	Modgdicm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgclpkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemikcpm.dll"	Kgnbdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lejgch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngidlo32.dll"	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgnbdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgaokl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fihnomjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikdcj32.dll"	Mgclpkac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcmmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaehljpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lggldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fedbbjgh.dll"	Mgobel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodcb32.dll"	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmemic32.dll"	Hjlkge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnnbqnjn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fihnomjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loolpf32.dll"	Jnmijq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkalplel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paedlhhc.dll"	Mmnhcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gklnjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmkkmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lndham32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnpfop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbhpb32.dll"	Kbpkkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfglbe32.dll"	Lkalplel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnimkcjf.dll"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iggaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklcfhik.dll"	Jnpfop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jedohked.dll"	Hgghjjid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmcdffmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Milidebi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnjmc32.dll"	Milidebi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onkidm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 3048	1784	NEAS.d7702411356e06b0e6a26e9a86471270.exe	89
PID 1784 wrote to memory of 3048	1784	NEAS.d7702411356e06b0e6a26e9a86471270.exe	89
PID 1784 wrote to memory of 3048	1784	NEAS.d7702411356e06b0e6a26e9a86471270.exe	89
PID 3048 wrote to memory of 4040	3048	Fhflnpoi.exe	90
PID 3048 wrote to memory of 4040	3048	Fhflnpoi.exe	90
PID 3048 wrote to memory of 4040	3048	Fhflnpoi.exe	90
PID 4040 wrote to memory of 4820	4040	Gmcdffmq.exe	91
PID 4040 wrote to memory of 4820	4040	Gmcdffmq.exe	91
PID 4040 wrote to memory of 4820	4040	Gmcdffmq.exe	91
PID 4820 wrote to memory of 2044	4820	Gaamlecg.exe	92
PID 4820 wrote to memory of 2044	4820	Gaamlecg.exe	92
PID 4820 wrote to memory of 2044	4820	Gaamlecg.exe	92
PID 2044 wrote to memory of 2260	2044	Gacjadad.exe	93
PID 2044 wrote to memory of 2260	2044	Gacjadad.exe	93
PID 2044 wrote to memory of 2260	2044	Gacjadad.exe	93
PID 2260 wrote to memory of 2580	2260	Gklnjj32.exe	94
PID 2260 wrote to memory of 2580	2260	Gklnjj32.exe	94
PID 2260 wrote to memory of 2580	2260	Gklnjj32.exe	94
PID 2580 wrote to memory of 2012	2580	Gnlgleef.exe	95
PID 2580 wrote to memory of 2012	2580	Gnlgleef.exe	95
PID 2580 wrote to memory of 2012	2580	Gnlgleef.exe	95
PID 2012 wrote to memory of 3864	2012	Hnodaecc.exe	96
PID 2012 wrote to memory of 3864	2012	Hnodaecc.exe	96
PID 2012 wrote to memory of 3864	2012	Hnodaecc.exe	96
PID 3864 wrote to memory of 4432	3864	Hgghjjid.exe	97
PID 3864 wrote to memory of 4432	3864	Hgghjjid.exe	97
PID 3864 wrote to memory of 4432	3864	Hgghjjid.exe	97
PID 4432 wrote to memory of 2112	4432	Hpomcp32.exe	98
PID 4432 wrote to memory of 2112	4432	Hpomcp32.exe	98
PID 4432 wrote to memory of 2112	4432	Hpomcp32.exe	98
PID 2112 wrote to memory of 4980	2112	Hhiajmod.exe	99
PID 2112 wrote to memory of 4980	2112	Hhiajmod.exe	99
PID 2112 wrote to memory of 4980	2112	Hhiajmod.exe	99
PID 4980 wrote to memory of 4144	4980	Hnfjbdmk.exe	100
PID 4980 wrote to memory of 4144	4980	Hnfjbdmk.exe	100
PID 4980 wrote to memory of 4144	4980	Hnfjbdmk.exe	100
PID 4144 wrote to memory of 1200	4144	Hjlkge32.exe	102
PID 4144 wrote to memory of 1200	4144	Hjlkge32.exe	102
PID 4144 wrote to memory of 1200	4144	Hjlkge32.exe	102
PID 1200 wrote to memory of 3712	1200	Ijogmdqm.exe	103
PID 1200 wrote to memory of 3712	1200	Ijogmdqm.exe	103
PID 1200 wrote to memory of 3712	1200	Ijogmdqm.exe	103
PID 3712 wrote to memory of 2840	3712	Iggaah32.exe	104
PID 3712 wrote to memory of 2840	3712	Iggaah32.exe	104
PID 3712 wrote to memory of 2840	3712	Iggaah32.exe	104
PID 2840 wrote to memory of 1744	2840	Jglklggl.exe	105
PID 2840 wrote to memory of 1744	2840	Jglklggl.exe	105
PID 2840 wrote to memory of 1744	2840	Jglklggl.exe	105
PID 1744 wrote to memory of 4720	1744	Jhlgfj32.exe	106
PID 1744 wrote to memory of 4720	1744	Jhlgfj32.exe	106
PID 1744 wrote to memory of 4720	1744	Jhlgfj32.exe	106
PID 4720 wrote to memory of 2688	4720	Jdbhkk32.exe	107
PID 4720 wrote to memory of 2688	4720	Jdbhkk32.exe	107
PID 4720 wrote to memory of 2688	4720	Jdbhkk32.exe	107
PID 2688 wrote to memory of 1100	2688	Jbfheo32.exe	108
PID 2688 wrote to memory of 1100	2688	Jbfheo32.exe	108
PID 2688 wrote to memory of 1100	2688	Jbfheo32.exe	108
PID 1100 wrote to memory of 2532	1100	Jnmijq32.exe	109
PID 1100 wrote to memory of 2532	1100	Jnmijq32.exe	109
PID 1100 wrote to memory of 2532	1100	Jnmijq32.exe	109
PID 2532 wrote to memory of 3444	2532	Jnpfop32.exe	110
PID 2532 wrote to memory of 3444	2532	Jnpfop32.exe	110
PID 2532 wrote to memory of 3444	2532	Jnpfop32.exe	110
PID 3444 wrote to memory of 1508	3444	Kkcfid32.exe	111

C:\Users\Admin\AppData\Local\Temp\NEAS.d7702411356e06b0e6a26e9a86471270.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d7702411356e06b0e6a26e9a86471270.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\Fhflnpoi.exe
  C:\Windows\system32\Fhflnpoi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\Gmcdffmq.exe
    C:\Windows\system32\Gmcdffmq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\Gaamlecg.exe
      C:\Windows\system32\Gaamlecg.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\SysWOW64\Gacjadad.exe
        
        C:\Windows\system32\Gacjadad.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\SysWOW64\Gklnjj32.exe
        
        C:\Windows\system32\Gklnjj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Gnlgleef.exe
        
        C:\Windows\system32\Gnlgleef.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Hnodaecc.exe
        
        C:\Windows\system32\Hnodaecc.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Hgghjjid.exe
        
        C:\Windows\system32\Hgghjjid.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Hpomcp32.exe
        
        C:\Windows\system32\Hpomcp32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Hhiajmod.exe
        
        C:\Windows\system32\Hhiajmod.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Hnfjbdmk.exe
        
        C:\Windows\system32\Hnfjbdmk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Hjlkge32.exe
        
        C:\Windows\system32\Hjlkge32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Ijogmdqm.exe
        
        C:\Windows\system32\Ijogmdqm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Iggaah32.exe
        
        C:\Windows\system32\Iggaah32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Jglklggl.exe
        
        C:\Windows\system32\Jglklggl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Jhlgfj32.exe
        
        C:\Windows\system32\Jhlgfj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Jdbhkk32.exe
        
        C:\Windows\system32\Jdbhkk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Jbfheo32.exe
        
        C:\Windows\system32\Jbfheo32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Jnmijq32.exe
        
        C:\Windows\system32\Jnmijq32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Jnpfop32.exe
        
        C:\Windows\system32\Jnpfop32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Kkcfid32.exe
        
        C:\Windows\system32\Kkcfid32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Kbpkkn32.exe
        
        C:\Windows\system32\Kbpkkn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Kjkpoq32.exe
        
        C:\Windows\system32\Kjkpoq32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Kaehljpj.exe
        
        C:\Windows\system32\Kaehljpj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940

C:\Windows\SysWOW64\Kkjlic32.exe
C:\Windows\system32\Kkjlic32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:380
- C:\Windows\SysWOW64\Lnnbqnjn.exe
  C:\Windows\system32\Lnnbqnjn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1308
- - C:\Windows\SysWOW64\Licfngjd.exe
    C:\Windows\system32\Licfngjd.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:456
  - - C:\Windows\SysWOW64\Lejgch32.exe
      C:\Windows\system32\Lejgch32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:4848
    - - C:\Windows\SysWOW64\Lndham32.exe
        
        C:\Windows\system32\Lndham32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
      - C:\Windows\SysWOW64\Milidebi.exe
        
        C:\Windows\system32\Milidebi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Lgccinoe.exe
        
        C:\Windows\system32\Lgccinoe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Lkalplel.exe
        
        C:\Windows\system32\Lkalplel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612

C:\Windows\SysWOW64\Lggldm32.exe
C:\Windows\system32\Lggldm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4684
- C:\Windows\SysWOW64\Lmdemd32.exe
  C:\Windows\system32\Lmdemd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:4620
- - C:\Windows\SysWOW64\Lkeekk32.exe
    C:\Windows\system32\Lkeekk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID:4440
  - - C:\Windows\SysWOW64\Madjhb32.exe
      C:\Windows\system32\Madjhb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      PID:2304
    - - C:\Windows\SysWOW64\Mgobel32.exe
        
        C:\Windows\system32\Mgobel32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
      - C:\Windows\SysWOW64\Mmkkmc32.exe
        
        C:\Windows\system32\Mmkkmc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Mgaokl32.exe
        
        C:\Windows\system32\Mgaokl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Mmnhcb32.exe
        
        C:\Windows\system32\Mmnhcb32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Mgclpkac.exe
        
        C:\Windows\system32\Mgclpkac.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Malpia32.exe
        
        C:\Windows\system32\Malpia32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1644

C:\Windows\SysWOW64\Kfnfjehl.exe
C:\Windows\system32\Kfnfjehl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4172
- C:\Windows\SysWOW64\Kpcjgnhb.exe
  C:\Windows\system32\Kpcjgnhb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:4340
- - C:\Windows\SysWOW64\Kgnbdh32.exe
    C:\Windows\system32\Kgnbdh32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:2584
  - - C:\Windows\SysWOW64\Kngkqbgl.exe
      C:\Windows\system32\Kngkqbgl.exe
      4⤵
      Executes dropped EXE
      PID:400
    - - C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1288
      - C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        9⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        21⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        23⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        26⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5688

C:\Windows\SysWOW64\Fcpakn32.exe
C:\Windows\system32\Fcpakn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5832
- C:\Windows\SysWOW64\Fnffhgon.exe
  C:\Windows\system32\Fnffhgon.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID:5880
- - C:\Windows\SysWOW64\Fbdnne32.exe
    C:\Windows\system32\Fbdnne32.exe
    3⤵
    PID:5920
  - - C:\Windows\SysWOW64\Fcekfnkb.exe
      C:\Windows\system32\Fcekfnkb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Drops file in System32 directory
      PID:5988
    - - C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
      - C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        6⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 420
        7⤵
        Program crash
        
        PID:5216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6076 -ip 6076
1⤵
PID:6112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dfgjhf32.dll

Filesize
7KB

MD5
8879f7bfc2bb72f2111f4c06533e518b

SHA1
470d1ccb3a26600e6f191432d6d86776bef0a229

SHA256
c40a474078f5051d9b2f1f67abf9ef4c10d31688d5a1509dab510f693759507a

SHA512
f3d1d25fc3d2d98ede289683945b633484fe13ee8a1f215c668d66c3c568e0effadd6abaa1d424d4273bb0c6b050bb305ef011c63a2dad9695d8d0a6ae5eab15

Download Submit
C:\Windows\SysWOW64\Fhflnpoi.exe

Filesize
414KB

MD5
05b1a89c3cfea78fce707375e1583a96

SHA1
721cf98d2ae5e7c20ea10b3fa9999083484b81bb

SHA256
3db13d74466a33656e79b0d85089cf84a646a61cedf7546e8d24771414e99c9f

SHA512
d16d917c591d269b3c757cfa9dee2280df9f0ece8657571f1aa25633cd1f3513d7598b797814a0294db6e8923c773595e9cd1b45f5e4e6e985dd61fbdaa939cd

Download Submit
C:\Windows\SysWOW64\Fhflnpoi.exe

Filesize
414KB

MD5
05b1a89c3cfea78fce707375e1583a96

SHA1
721cf98d2ae5e7c20ea10b3fa9999083484b81bb

SHA256
3db13d74466a33656e79b0d85089cf84a646a61cedf7546e8d24771414e99c9f

SHA512
d16d917c591d269b3c757cfa9dee2280df9f0ece8657571f1aa25633cd1f3513d7598b797814a0294db6e8923c773595e9cd1b45f5e4e6e985dd61fbdaa939cd

Download Submit
C:\Windows\SysWOW64\Gaamlecg.exe

Filesize
414KB

MD5
12c999b995ec8891d5394180744f3468

SHA1
45c62f843e5b3f4d642842546c2402bb2f791507

SHA256
b26df00cd1292b49797aaf769eedc080964c5132bf232898e3aeefcaf9dd0d02

SHA512
43ecb664bf4015d3c5dcc6dce7e269e9ac805bb55705ba6ed24fd84c710be57f4b9b17a4deac0ecad4d65cdb9c12738b347101fa4ee28a81e9bc4b1253b5905c

Download Submit
C:\Windows\SysWOW64\Gaamlecg.exe

Filesize
414KB

MD5
9d6d2f97577a4d6aa57eadbe58d950e7

SHA1
641316d1f9e94b0054e64dde701488d91ea65353

SHA256
e94859a2332200070f105d66728fad93e9c8ac7a198a0e27d0489f8be25d1d55

SHA512
5392b33c7c52bf0a4c0f91bbc58a08054ccbe23244d7454a0dc2e6cb667f41a964b4bdcaeedfa594a7254026ab34ed118cbf469186abca647bedd5701634d0c8

Download Submit
C:\Windows\SysWOW64\Gaamlecg.exe

Filesize
414KB

MD5
9d6d2f97577a4d6aa57eadbe58d950e7

SHA1
641316d1f9e94b0054e64dde701488d91ea65353

SHA256
e94859a2332200070f105d66728fad93e9c8ac7a198a0e27d0489f8be25d1d55

SHA512
5392b33c7c52bf0a4c0f91bbc58a08054ccbe23244d7454a0dc2e6cb667f41a964b4bdcaeedfa594a7254026ab34ed118cbf469186abca647bedd5701634d0c8

Download Submit
C:\Windows\SysWOW64\Gacjadad.exe

Filesize
414KB

MD5
d745a4bb9bece2d7dcc3797603d3464e

SHA1
0b74928d87cb953306df8ff08ba8e3e3431294dd

SHA256
ea5862d855affc6980c9b789e659befd1215b60bdff8fb06a2fea5086c4e3d6d

SHA512
239014904df7c153b11baebc5f0bbf11e93101398efcbac77074a8c58669835505432caf41aee31c5c511746b2f16eedc115f627aac19c957bf1a55e7b360e57

Download Submit
C:\Windows\SysWOW64\Gacjadad.exe

Filesize
414KB

MD5
d745a4bb9bece2d7dcc3797603d3464e

SHA1
0b74928d87cb953306df8ff08ba8e3e3431294dd

SHA256
ea5862d855affc6980c9b789e659befd1215b60bdff8fb06a2fea5086c4e3d6d

SHA512
239014904df7c153b11baebc5f0bbf11e93101398efcbac77074a8c58669835505432caf41aee31c5c511746b2f16eedc115f627aac19c957bf1a55e7b360e57

Download Submit
C:\Windows\SysWOW64\Gklnjj32.exe

Filesize
414KB

MD5
b47ae2d6d9fdd991a4099d3e75920d38

SHA1
a18753c65d2b7795c0c08b2c96b8f2e7d5d2d28b

SHA256
a80fecc5e1e3f2f3598cbe87cc7409010bbd9fcbadf0a77d054e83344c4b9785

SHA512
dda33cf4e100543f0f7728d7b0fd1cc68817254708c7efaa27f4716c712495b0737d34f3148df88f015c6a653f6ddf5b9485c1ad6aa34b9345af245bf1552086

Download Submit
C:\Windows\SysWOW64\Gklnjj32.exe

Filesize
414KB

MD5
b47ae2d6d9fdd991a4099d3e75920d38

SHA1
a18753c65d2b7795c0c08b2c96b8f2e7d5d2d28b

SHA256
a80fecc5e1e3f2f3598cbe87cc7409010bbd9fcbadf0a77d054e83344c4b9785

SHA512
dda33cf4e100543f0f7728d7b0fd1cc68817254708c7efaa27f4716c712495b0737d34f3148df88f015c6a653f6ddf5b9485c1ad6aa34b9345af245bf1552086

Download Submit
C:\Windows\SysWOW64\Gmcdffmq.exe

Filesize
414KB

MD5
12c999b995ec8891d5394180744f3468

SHA1
45c62f843e5b3f4d642842546c2402bb2f791507

SHA256
b26df00cd1292b49797aaf769eedc080964c5132bf232898e3aeefcaf9dd0d02

SHA512
43ecb664bf4015d3c5dcc6dce7e269e9ac805bb55705ba6ed24fd84c710be57f4b9b17a4deac0ecad4d65cdb9c12738b347101fa4ee28a81e9bc4b1253b5905c

Download Submit
C:\Windows\SysWOW64\Gmcdffmq.exe

Filesize
414KB

MD5
12c999b995ec8891d5394180744f3468

SHA1
45c62f843e5b3f4d642842546c2402bb2f791507

SHA256
b26df00cd1292b49797aaf769eedc080964c5132bf232898e3aeefcaf9dd0d02

SHA512
43ecb664bf4015d3c5dcc6dce7e269e9ac805bb55705ba6ed24fd84c710be57f4b9b17a4deac0ecad4d65cdb9c12738b347101fa4ee28a81e9bc4b1253b5905c

Download Submit
C:\Windows\SysWOW64\Gnlgleef.exe

Filesize
64KB

MD5
1af369d00cb54d4cb0465134efee1b38

SHA1
ddc04d28db4cc09f5c5e5f8d68af88ced0a4cb25

SHA256
a70b9ac0b594b91d26ac8d92fa64c83044a25aff4229cb99f12f8ab9663d5975

SHA512
9fd3fc1046807b5c1c11e3ab7402f4c7792512e0ff3a108a5d11577267089d56a536d5f5659dc03dec31daadae5304197da8a415c86c2d8678205692c1b83ee6

Download Submit
C:\Windows\SysWOW64\Gnlgleef.exe

Filesize
414KB

MD5
c539ab78fbaa3ac5c3d56fdcb24f94cd

SHA1
1225becef149e35079c961d2aa393517247248c1

SHA256
c0f4fa2836d1be92822242e2d4ddd25c586b04b605ace4571b1c73aa76d34baf

SHA512
ffe3a4c1f77bd7bb57d5abb9a39317143da2892794385dd79f96598a993d61814b5457141785ef30770b9ad374611f0c8d9273c97c651c9feeffacfe1db924f9

Download Submit
C:\Windows\SysWOW64\Gnlgleef.exe

Filesize
414KB

MD5
c539ab78fbaa3ac5c3d56fdcb24f94cd

SHA1
1225becef149e35079c961d2aa393517247248c1

SHA256
c0f4fa2836d1be92822242e2d4ddd25c586b04b605ace4571b1c73aa76d34baf

SHA512
ffe3a4c1f77bd7bb57d5abb9a39317143da2892794385dd79f96598a993d61814b5457141785ef30770b9ad374611f0c8d9273c97c651c9feeffacfe1db924f9

Download Submit
C:\Windows\SysWOW64\Hgghjjid.exe

Filesize
414KB

MD5
0af06edf18b332ce45ef79c301e2d5da

SHA1
7479f680cb3b6037b4d452b706778ac68ab23dd8

SHA256
0004d5c7bf4ddf784cba5ebf8e6a62252412ba3c216e0ab07da9f8d7cee1b8e6

SHA512
ca8bb0fa7e89196ebb4f394b18bec06573cb74b19ca3dd2696aa6f6e18ee9e717878901058bae66b07c562f18b5eed9ae5646bf7a5a790b6923887bbb1a142dd

Download Submit
C:\Windows\SysWOW64\Hgghjjid.exe

Filesize
414KB

MD5
0af06edf18b332ce45ef79c301e2d5da

SHA1
7479f680cb3b6037b4d452b706778ac68ab23dd8

SHA256
0004d5c7bf4ddf784cba5ebf8e6a62252412ba3c216e0ab07da9f8d7cee1b8e6

SHA512
ca8bb0fa7e89196ebb4f394b18bec06573cb74b19ca3dd2696aa6f6e18ee9e717878901058bae66b07c562f18b5eed9ae5646bf7a5a790b6923887bbb1a142dd

Download Submit
C:\Windows\SysWOW64\Hhiajmod.exe

Filesize
414KB

MD5
c38d06d2964774cfd65389947196bf6f

SHA1
224707b3971ccc437de9904a0229b37d5c42a13f

SHA256
2eed8c473a4e2ac01501bbd6c1b308a418865a80b7107f4c57d08c8df1313f3c

SHA512
f62d3f1ab1246df590ce0252c2ec90362abb17651119104d012bee19165d04ef18e1f7fdb173faf2b29a3611e5e56177acc6c48f71cabceb165a0006a3210584

Download Submit
C:\Windows\SysWOW64\Hhiajmod.exe

Filesize
414KB

MD5
c38d06d2964774cfd65389947196bf6f

SHA1
224707b3971ccc437de9904a0229b37d5c42a13f

SHA256
2eed8c473a4e2ac01501bbd6c1b308a418865a80b7107f4c57d08c8df1313f3c

SHA512
f62d3f1ab1246df590ce0252c2ec90362abb17651119104d012bee19165d04ef18e1f7fdb173faf2b29a3611e5e56177acc6c48f71cabceb165a0006a3210584

Download Submit
C:\Windows\SysWOW64\Hjlkge32.exe

Filesize
414KB

MD5
14bba6f3f058e0557e4211d2c5350666

SHA1
1f8460f82ff415f96723e0c220ee0890bb76b20a

SHA256
2c0f49e440ded9eaf95ad4e45fcf698edddd96063e0ffc03957f293e4a97bb44

SHA512
4381290b647e7d35e02b59ca561d9177f8c006dec5ac1b5ee9f7cad5a057c54d0c537c226839a1dbf60147085c95d9dfd58757b5f707a65b6391bfaf4e8dba53

Download Submit
C:\Windows\SysWOW64\Hjlkge32.exe

Filesize
414KB

MD5
14bba6f3f058e0557e4211d2c5350666

SHA1
1f8460f82ff415f96723e0c220ee0890bb76b20a

SHA256
2c0f49e440ded9eaf95ad4e45fcf698edddd96063e0ffc03957f293e4a97bb44

SHA512
4381290b647e7d35e02b59ca561d9177f8c006dec5ac1b5ee9f7cad5a057c54d0c537c226839a1dbf60147085c95d9dfd58757b5f707a65b6391bfaf4e8dba53

Download Submit
C:\Windows\SysWOW64\Hnfjbdmk.exe

Filesize
414KB

MD5
d92ae301af64d740e979815e40cc2cb7

SHA1
57f7f553c9b90c5775dcf44177b67643b89f4938

SHA256
090adde33d1ea59fe6e791833c89b94e5a6600229d2d2fdb53c98cfa61aaec3d

SHA512
36eee5c5d6b84a823d84f72c5bdf8c91960d615047dfd0ad62b85aedbe62d39fc8d137687be0fd63fe8701e56d366705c0f987f93c5efbd43599562aa364614c

Download Submit
C:\Windows\SysWOW64\Hnfjbdmk.exe

Filesize
414KB

MD5
d92ae301af64d740e979815e40cc2cb7

SHA1
57f7f553c9b90c5775dcf44177b67643b89f4938

SHA256
090adde33d1ea59fe6e791833c89b94e5a6600229d2d2fdb53c98cfa61aaec3d

SHA512
36eee5c5d6b84a823d84f72c5bdf8c91960d615047dfd0ad62b85aedbe62d39fc8d137687be0fd63fe8701e56d366705c0f987f93c5efbd43599562aa364614c

Download Submit
C:\Windows\SysWOW64\Hnodaecc.exe

Filesize
414KB

MD5
2a356c47086fd6bbb9bb58f148e9a17e

SHA1
f5f8ee7915d382bc29ed56de1c7975dd168e6d04

SHA256
0af2ce2eb1df4e89abed495009de4af29ef0b8da6b8e35ca69e0cbc85e4872ec

SHA512
37255efc9fd76c4657c0345b4669b6f52f86dd2fc7be7388df0e1b53f295c8233bb1230e1abddf3feb0ebf6a1208690f8b1905599ee89c2551abfe2c3e8050a7

Download Submit
C:\Windows\SysWOW64\Hnodaecc.exe

Filesize
414KB

MD5
2a356c47086fd6bbb9bb58f148e9a17e

SHA1
f5f8ee7915d382bc29ed56de1c7975dd168e6d04

SHA256
0af2ce2eb1df4e89abed495009de4af29ef0b8da6b8e35ca69e0cbc85e4872ec

SHA512
37255efc9fd76c4657c0345b4669b6f52f86dd2fc7be7388df0e1b53f295c8233bb1230e1abddf3feb0ebf6a1208690f8b1905599ee89c2551abfe2c3e8050a7

Download Submit
C:\Windows\SysWOW64\Hpomcp32.exe

Filesize
414KB

MD5
0b54394a6f8340c6806feade25c5493d

SHA1
273da0154cf98ce02eeaec86d2b86bc5c49b907b

SHA256
3f1825e7a38899105aad79d601f2b51d56259070854962ab9ed095a72ef12d3a

SHA512
630f751aede9d1d4dcb9ef3575244db30f9e592616466aebd4b05c08644126bb8eb1b054a8ebd294003c0c9fb91c4c8f7041ad2ba8c3fd1f2fc5927a5f71e8b5

Download Submit
C:\Windows\SysWOW64\Hpomcp32.exe

Filesize
414KB

MD5
24f95d4a7197827e5321bda4b53ed9f6

SHA1
e1b9040bb934d772fc88ea2dd0e64f29a1b50d74

SHA256
3595768a5414239fc1b829c347a44bb1517a9bf00ac387662357e15cdeb391c6

SHA512
3452f94e8ed86370d7771a320b477d4ab068315c94e05a9a185de14efe46b2ff06827569a37a5850e0bd9c42aaaa31c292ba10eabc83ba01ee9996613b1ecf72

Download Submit
C:\Windows\SysWOW64\Hpomcp32.exe

Filesize
414KB

MD5
24f95d4a7197827e5321bda4b53ed9f6

SHA1
e1b9040bb934d772fc88ea2dd0e64f29a1b50d74

SHA256
3595768a5414239fc1b829c347a44bb1517a9bf00ac387662357e15cdeb391c6

SHA512
3452f94e8ed86370d7771a320b477d4ab068315c94e05a9a185de14efe46b2ff06827569a37a5850e0bd9c42aaaa31c292ba10eabc83ba01ee9996613b1ecf72

Download Submit
C:\Windows\SysWOW64\Iggaah32.exe

Filesize
414KB

MD5
a74784cbcf2ab48124c90cf587157cbb

SHA1
d9c9366721ed718fba0cdabe9f401b3be11f86c0

SHA256
768a3501cee5f166e4c1a657b3e47bb6118feb8a84df8e3d5a22f0f84db554ba

SHA512
44a6835f95971e4eaf85b6ad80d90d623f1dc86ff1b480cb98c5d5c993a3511d99ddc9fe850580471705f4b7a14bb80f3ce0f1729768897041fd19dc0ba21f50

Download Submit
C:\Windows\SysWOW64\Iggaah32.exe

Filesize
414KB

MD5
a74784cbcf2ab48124c90cf587157cbb

SHA1
d9c9366721ed718fba0cdabe9f401b3be11f86c0

SHA256
768a3501cee5f166e4c1a657b3e47bb6118feb8a84df8e3d5a22f0f84db554ba

SHA512
44a6835f95971e4eaf85b6ad80d90d623f1dc86ff1b480cb98c5d5c993a3511d99ddc9fe850580471705f4b7a14bb80f3ce0f1729768897041fd19dc0ba21f50

Download Submit
C:\Windows\SysWOW64\Ijogmdqm.exe

Filesize
414KB

MD5
aa0d20b351cdfe1c4ac1bad4f4312a1c

SHA1
3f3c8d799b0b73b1eaae62026f16fdd802937cb2

SHA256
4483e20c7ea010018dcb01fb53b1a8d3482fb3559aa959ab8adb175ea9f99ba4

SHA512
500d67c36504d33a1410ac424c0079a4da6088d3c5ec304807ca33cf375d99eea60b75f56089ef1ae9e92abe531736acd8ec8390fab4e06cc97bfef8fe8b5853

Download Submit
C:\Windows\SysWOW64\Ijogmdqm.exe

Filesize
414KB

MD5
aa0d20b351cdfe1c4ac1bad4f4312a1c

SHA1
3f3c8d799b0b73b1eaae62026f16fdd802937cb2

SHA256
4483e20c7ea010018dcb01fb53b1a8d3482fb3559aa959ab8adb175ea9f99ba4

SHA512
500d67c36504d33a1410ac424c0079a4da6088d3c5ec304807ca33cf375d99eea60b75f56089ef1ae9e92abe531736acd8ec8390fab4e06cc97bfef8fe8b5853

Download Submit
C:\Windows\SysWOW64\Jbfheo32.exe

Filesize
414KB

MD5
eb9df7f31556b1850680882244b72c8c

SHA1
2b00ef99dc9266542c10b78086048da1aef018e6

SHA256
8d21370058806f4fb84d25d9632332ce7ec4d606b3cdb40395f28c335e4b05d7

SHA512
f2e5e0aca3eedd3c2a2ca1f16adae1dfcc40572a43d13b218aaa67fac02160f346fc9e5e7deb2055b52966fa892deea3a981e9f8d26ee3c30e859c960a546af2

Download Submit
C:\Windows\SysWOW64\Jbfheo32.exe

Filesize
414KB

MD5
eb9df7f31556b1850680882244b72c8c

SHA1
2b00ef99dc9266542c10b78086048da1aef018e6

SHA256
8d21370058806f4fb84d25d9632332ce7ec4d606b3cdb40395f28c335e4b05d7

SHA512
f2e5e0aca3eedd3c2a2ca1f16adae1dfcc40572a43d13b218aaa67fac02160f346fc9e5e7deb2055b52966fa892deea3a981e9f8d26ee3c30e859c960a546af2

Download Submit
C:\Windows\SysWOW64\Jdbhkk32.exe

Filesize
414KB

MD5
6fdff95778a19a9e50e58a06c22b9cd1

SHA1
051fee5125a924d9ee896eed47b76200e393091c

SHA256
460d39dc30dc1fa9623ce863de4fa938a98c90009844055ce592c355e0f7864a

SHA512
acdb14f6e4b63f8398d2a2d000f7ad0d4cee2981750cabe372e92a79242ddbb3d28828785200ce1bde42e65e76b8c2726711aa9c746a5a0252f4871e722dc8c6

Download Submit
C:\Windows\SysWOW64\Jdbhkk32.exe

Filesize
414KB

MD5
6fdff95778a19a9e50e58a06c22b9cd1

SHA1
051fee5125a924d9ee896eed47b76200e393091c

SHA256
460d39dc30dc1fa9623ce863de4fa938a98c90009844055ce592c355e0f7864a

SHA512
acdb14f6e4b63f8398d2a2d000f7ad0d4cee2981750cabe372e92a79242ddbb3d28828785200ce1bde42e65e76b8c2726711aa9c746a5a0252f4871e722dc8c6

Download Submit
C:\Windows\SysWOW64\Jglklggl.exe

Filesize
414KB

MD5
d7631e8fede02c603d182ee3834f09ec

SHA1
cc8e2a33adbcca52a5afc71d2a70df13388148f3

SHA256
981bc0ba1b6bbe66902e441fdeab0c7a728273871248fc8628c06cea006f06cf

SHA512
9ad932929cd2556aaacd7dacc6949a03ec5b14c841004c7074a595dbc4018089455828e6ab11bff22e2dc9efbc10bed096fcce258670c8617e54af1fd45e24b2

Download Submit
C:\Windows\SysWOW64\Jglklggl.exe

Filesize
414KB

MD5
d7631e8fede02c603d182ee3834f09ec

SHA1
cc8e2a33adbcca52a5afc71d2a70df13388148f3

SHA256
981bc0ba1b6bbe66902e441fdeab0c7a728273871248fc8628c06cea006f06cf

SHA512
9ad932929cd2556aaacd7dacc6949a03ec5b14c841004c7074a595dbc4018089455828e6ab11bff22e2dc9efbc10bed096fcce258670c8617e54af1fd45e24b2

Download Submit
C:\Windows\SysWOW64\Jhlgfj32.exe

Filesize
414KB

MD5
07f1d78187f79e2fd0e186f1aa940cf2

SHA1
4f0735e3bce3a8dfee42774e77281f34ca6e8475

SHA256
47101553c3032dcd4b0d693443eaf4355902c4f0e9eede8fd2fdef267da04786

SHA512
0afb00b11ced4fcc8a63a1aede15f87237ea3267481c996e95e2454b8c9a72a3b662deb30ff8036cf5408582badb8635ba33819c64b29ccb706aa88fbe60b545

Download Submit
C:\Windows\SysWOW64\Jhlgfj32.exe

Filesize
414KB

MD5
07f1d78187f79e2fd0e186f1aa940cf2

SHA1
4f0735e3bce3a8dfee42774e77281f34ca6e8475

SHA256
47101553c3032dcd4b0d693443eaf4355902c4f0e9eede8fd2fdef267da04786

SHA512
0afb00b11ced4fcc8a63a1aede15f87237ea3267481c996e95e2454b8c9a72a3b662deb30ff8036cf5408582badb8635ba33819c64b29ccb706aa88fbe60b545

Download Submit
C:\Windows\SysWOW64\Jnmijq32.exe

Filesize
414KB

MD5
ccb9692e50dc0598e07acc1b0128d640

SHA1
37b26bb10e6a7f26230ae59561d3eda6bfa79eed

SHA256
02faea3412dfbea091e899ff3a5ee0c52794f1f63627fd57d156cc7af3c44b0c

SHA512
cb9e7d49b9bfeff45ecab93f37516d242e0a8a2b222766a6d9af9c0371ea58320f4a0e83c19a9d81ae2863453e7c31e27612be0ef0d80e06154085661747530a

Download Submit
C:\Windows\SysWOW64\Jnmijq32.exe

Filesize
414KB

MD5
ccb9692e50dc0598e07acc1b0128d640

SHA1
37b26bb10e6a7f26230ae59561d3eda6bfa79eed

SHA256
02faea3412dfbea091e899ff3a5ee0c52794f1f63627fd57d156cc7af3c44b0c

SHA512
cb9e7d49b9bfeff45ecab93f37516d242e0a8a2b222766a6d9af9c0371ea58320f4a0e83c19a9d81ae2863453e7c31e27612be0ef0d80e06154085661747530a

Download Submit
C:\Windows\SysWOW64\Jnpfop32.exe

Filesize
414KB

MD5
87467fcfb0a03eacb91efa4a1845f6c3

SHA1
5e8ef8effe68d924c1f28d9e614cbdeb03626949

SHA256
4803f8aa2f0d153a16d21e736c04e39d9995b050d117a4f80c90b5296e5d9689

SHA512
2ddcd9645a2381849d4f48ccca71c111654635512196319da651eb48c55fb9c9096cab0a6b0aca4fd123d00d2ade7a05cc845a6bde78dfbc9eeafc3acbd2b869

Download Submit
C:\Windows\SysWOW64\Jnpfop32.exe

Filesize
414KB

MD5
87467fcfb0a03eacb91efa4a1845f6c3

SHA1
5e8ef8effe68d924c1f28d9e614cbdeb03626949

SHA256
4803f8aa2f0d153a16d21e736c04e39d9995b050d117a4f80c90b5296e5d9689

SHA512
2ddcd9645a2381849d4f48ccca71c111654635512196319da651eb48c55fb9c9096cab0a6b0aca4fd123d00d2ade7a05cc845a6bde78dfbc9eeafc3acbd2b869

Download Submit
C:\Windows\SysWOW64\Kaehljpj.exe

Filesize
414KB

MD5
a6e5b04560552187d306632627635c41

SHA1
4b847809904dd5ef50f10b498d3d1d2003263ddc

SHA256
8965e1f1856777c809062b2a04b62a1be22fa8ec81b46e4c8ba61a9185fde68f

SHA512
f3bc439b864c2d93df7c6757eb84a287c077bf4bbab4ce47187372e49025ad4fa4e8dfd0221e9a3d84c847333de38cc9058a091e0338c65ee3d89bc95d5c038b

Download Submit
C:\Windows\SysWOW64\Kaehljpj.exe

Filesize
414KB

MD5
a6e5b04560552187d306632627635c41

SHA1
4b847809904dd5ef50f10b498d3d1d2003263ddc

SHA256
8965e1f1856777c809062b2a04b62a1be22fa8ec81b46e4c8ba61a9185fde68f

SHA512
f3bc439b864c2d93df7c6757eb84a287c077bf4bbab4ce47187372e49025ad4fa4e8dfd0221e9a3d84c847333de38cc9058a091e0338c65ee3d89bc95d5c038b

Download Submit
C:\Windows\SysWOW64\Kbpkkn32.exe

Filesize
414KB

MD5
ade6517209b1e52542e913e4d5fbc805

SHA1
1f58bf934255fbf97601dea49293f0dd0cbd410d

SHA256
63cd8cfa8f2ee93bf96d7ff5c27dad0169c9d71e7a24089d1f0ee6e7593d5496

SHA512
386a787c7989a63c8530e36b3df4c7565329680aedc46365b6d2b86ab2c81cadeac9166d66865a3c13b35886e28cb6f323be0d46622a9ed81bea45fcf2a43939

Download Submit
C:\Windows\SysWOW64\Kbpkkn32.exe

Filesize
414KB

MD5
ade6517209b1e52542e913e4d5fbc805

SHA1
1f58bf934255fbf97601dea49293f0dd0cbd410d

SHA256
63cd8cfa8f2ee93bf96d7ff5c27dad0169c9d71e7a24089d1f0ee6e7593d5496

SHA512
386a787c7989a63c8530e36b3df4c7565329680aedc46365b6d2b86ab2c81cadeac9166d66865a3c13b35886e28cb6f323be0d46622a9ed81bea45fcf2a43939

Download Submit
C:\Windows\SysWOW64\Kjkpoq32.exe

Filesize
414KB

MD5
5f03803fe907d1a5f02d7408bd49c265

SHA1
8119aa0d6eb50ac10bf8e7e14d7d1d830ccaf068

SHA256
99e577f9930ec733ecdf88546094690ebaa2cb6a5e3a7018a4438268a1b0b482

SHA512
4079f726c38b62ff04abe4b570c647fa6935e34e32f3debeb43de0637ab88f8d89c5da0ac88d04621c12d7c9f2325aa449a1bcbde0cf03a1767c4d2db69b777d

Download Submit
C:\Windows\SysWOW64\Kjkpoq32.exe

Filesize
414KB

MD5
5f03803fe907d1a5f02d7408bd49c265

SHA1
8119aa0d6eb50ac10bf8e7e14d7d1d830ccaf068

SHA256
99e577f9930ec733ecdf88546094690ebaa2cb6a5e3a7018a4438268a1b0b482

SHA512
4079f726c38b62ff04abe4b570c647fa6935e34e32f3debeb43de0637ab88f8d89c5da0ac88d04621c12d7c9f2325aa449a1bcbde0cf03a1767c4d2db69b777d

Download Submit
C:\Windows\SysWOW64\Kkcfid32.exe

Filesize
414KB

MD5
ef9697d40be6af3b1f4a08fed70dc440

SHA1
54b0ae31456d034ccbe4675a18026b396d254d30

SHA256
18c05d3d284bfce607c36d3b404bd489cceb07676cbdf8575e6129bcda1359c0

SHA512
555970b805dbfd69d3734977dde84f8fe1e1fb7e0bd8abb432b9d7b2f33be3e62172fe5962008462217d8e919f9a8850b0cce84bdc8f570fe9b3fce717b31b6c

Download Submit
C:\Windows\SysWOW64\Kkcfid32.exe

Filesize
414KB

MD5
ef9697d40be6af3b1f4a08fed70dc440

SHA1
54b0ae31456d034ccbe4675a18026b396d254d30

SHA256
18c05d3d284bfce607c36d3b404bd489cceb07676cbdf8575e6129bcda1359c0

SHA512
555970b805dbfd69d3734977dde84f8fe1e1fb7e0bd8abb432b9d7b2f33be3e62172fe5962008462217d8e919f9a8850b0cce84bdc8f570fe9b3fce717b31b6c

Download Submit
C:\Windows\SysWOW64\Kkjlic32.exe

Filesize
414KB

MD5
ab7b3c7ae16efe7f2d28ed620d935c61

SHA1
1a01eccc42e16310b6cbf7ef76553c87b2bb1ea8

SHA256
0f78d3f2036c93aeb433d62f273b6198937c110e0b9d95d6164e29826bb4580a

SHA512
e3aef7b24e2f2d6dbf23a5868a909d2eebd22da17c2dfa4682b4534cda03d12cf029cd8b22c5ba37cc19f4698f886b1956391a79ea530ada1384fd9afd6dc3e2

Download Submit
C:\Windows\SysWOW64\Kkjlic32.exe

Filesize
414KB

MD5
ab7b3c7ae16efe7f2d28ed620d935c61

SHA1
1a01eccc42e16310b6cbf7ef76553c87b2bb1ea8

SHA256
0f78d3f2036c93aeb433d62f273b6198937c110e0b9d95d6164e29826bb4580a

SHA512
e3aef7b24e2f2d6dbf23a5868a909d2eebd22da17c2dfa4682b4534cda03d12cf029cd8b22c5ba37cc19f4698f886b1956391a79ea530ada1384fd9afd6dc3e2

Download Submit
C:\Windows\SysWOW64\Ldgccb32.exe

Filesize
414KB

MD5
03b7e27c9ec416070490ae15b62563c0

SHA1
911f5be77111e6ce8b7b0d3c77c99a2594d21d02

SHA256
5e445a6216eaf9cfead59c43afbf547529aed8d0d5d9dab6795daff737c92cd1

SHA512
c25a423858576aa692e3350cf111d9be591d499a8fa0cc08fc6423af5c04ce824dab32f17d16a0423f20cd3667bc2e47ddb54f76212f43dcf4daa0c77443ab4e

Download Submit
C:\Windows\SysWOW64\Ldgccb32.exe

Filesize
414KB

MD5
03b7e27c9ec416070490ae15b62563c0

SHA1
911f5be77111e6ce8b7b0d3c77c99a2594d21d02

SHA256
5e445a6216eaf9cfead59c43afbf547529aed8d0d5d9dab6795daff737c92cd1

SHA512
c25a423858576aa692e3350cf111d9be591d499a8fa0cc08fc6423af5c04ce824dab32f17d16a0423f20cd3667bc2e47ddb54f76212f43dcf4daa0c77443ab4e

Download Submit
C:\Windows\SysWOW64\Lejgch32.exe

Filesize
414KB

MD5
dcb5f4dbd2451b0df861687890d27e18

SHA1
00e66ccc473a6712c46a5430a2ad89322bbb93f7

SHA256
465cf8e5ef01666949083578bfcbcb103bded03d66267ef129d6f47453a54ed4

SHA512
c0f475c95d81bc5c4c8e407fa9cf72c06f4498c0cc6597e4d1b2239322fd38fe6ef0cd51435bbe7f151f48745d000990cd887d523a4fc8268867b4bcf6cd893c

Download Submit
C:\Windows\SysWOW64\Lejgch32.exe

Filesize
414KB

MD5
dcb5f4dbd2451b0df861687890d27e18

SHA1
00e66ccc473a6712c46a5430a2ad89322bbb93f7

SHA256
465cf8e5ef01666949083578bfcbcb103bded03d66267ef129d6f47453a54ed4

SHA512
c0f475c95d81bc5c4c8e407fa9cf72c06f4498c0cc6597e4d1b2239322fd38fe6ef0cd51435bbe7f151f48745d000990cd887d523a4fc8268867b4bcf6cd893c

Download Submit
C:\Windows\SysWOW64\Lgccinoe.exe

Filesize
414KB

MD5
fa37467aee9dbf6f2344a9b413f7088d

SHA1
fc54c316fbe554a7ed2302bea3800b34943e82ad

SHA256
e3dead77268fdcccb2b455372d938f55d380a627dd39c522da6cc352696ef5af

SHA512
34c3ea484dc957d765989410aa3409cb0966fa1b3c215c68e96689122dbd01e1f9cb4b07472ffcf797238669bca3a86d332ca13f69c0019805fa1584fdfb624e

Download Submit
C:\Windows\SysWOW64\Lgccinoe.exe

Filesize
414KB

MD5
fa37467aee9dbf6f2344a9b413f7088d

SHA1
fc54c316fbe554a7ed2302bea3800b34943e82ad

SHA256
e3dead77268fdcccb2b455372d938f55d380a627dd39c522da6cc352696ef5af

SHA512
34c3ea484dc957d765989410aa3409cb0966fa1b3c215c68e96689122dbd01e1f9cb4b07472ffcf797238669bca3a86d332ca13f69c0019805fa1584fdfb624e

Download Submit
C:\Windows\SysWOW64\Licfngjd.exe

Filesize
414KB

MD5
9d341547c937cdd9facf036eb64487f1

SHA1
3106a0c0e14f80f44b4ead4552aaa0c10432849e

SHA256
7b86615b04d3d32c198c28c9dedb1068745b6d16aa2b2a62eb4bee5c75f96ce4

SHA512
a4dadb6e3a8d32376d380d7fae3b40c82f5e7e736e066cb4a215c87804ec1d684815210de4f81991ee3a8400b80ff88e97e3415d87cbd66e430b188bf75afaa0

Download Submit
C:\Windows\SysWOW64\Licfngjd.exe

Filesize
414KB

MD5
9d341547c937cdd9facf036eb64487f1

SHA1
3106a0c0e14f80f44b4ead4552aaa0c10432849e

SHA256
7b86615b04d3d32c198c28c9dedb1068745b6d16aa2b2a62eb4bee5c75f96ce4

SHA512
a4dadb6e3a8d32376d380d7fae3b40c82f5e7e736e066cb4a215c87804ec1d684815210de4f81991ee3a8400b80ff88e97e3415d87cbd66e430b188bf75afaa0

Download Submit
C:\Windows\SysWOW64\Lndham32.exe

Filesize
414KB

MD5
05ed95bdd0833a561a50f774fd092430

SHA1
1cd7a2a52a859072a3ba7d6199b7acb994e2c96c

SHA256
af5a92ceb811efc0a4d18b9de944207254b049c44f7684166ab9ad6954d0f2ba

SHA512
7a395e99f92913a2e5b84eb992ca513c0463e0b9173b3532924525c32fc57d57e964f90ea4c092182c03862f4a6231f4de6690989b6c787b6f1cf3f024391632

Download Submit
C:\Windows\SysWOW64\Lndham32.exe

Filesize
414KB

MD5
05ed95bdd0833a561a50f774fd092430

SHA1
1cd7a2a52a859072a3ba7d6199b7acb994e2c96c

SHA256
af5a92ceb811efc0a4d18b9de944207254b049c44f7684166ab9ad6954d0f2ba

SHA512
7a395e99f92913a2e5b84eb992ca513c0463e0b9173b3532924525c32fc57d57e964f90ea4c092182c03862f4a6231f4de6690989b6c787b6f1cf3f024391632

Download Submit
C:\Windows\SysWOW64\Lnnbqnjn.exe

Filesize
414KB

MD5
a6db8298d4d5b6b092f38516d686df5c

SHA1
cdb5e55dfb7cc701c33b4ac29ea00e5a9b5b0713

SHA256
177b7267527d357955dfe8b626ba0dbd2c12dcf7c9a2008699b120da8d530ca8

SHA512
85b6e19c8c1b8133fc9cd8b540cd2ca1102a1ebd7c96100a7804b7f06e8430adb4adb5e2c4b09f699e38bff3a04a5c34f7ac4d0158dc2840f94f2a7ff3af196b

Download Submit
C:\Windows\SysWOW64\Lnnbqnjn.exe

Filesize
414KB

MD5
a6db8298d4d5b6b092f38516d686df5c

SHA1
cdb5e55dfb7cc701c33b4ac29ea00e5a9b5b0713

SHA256
177b7267527d357955dfe8b626ba0dbd2c12dcf7c9a2008699b120da8d530ca8

SHA512
85b6e19c8c1b8133fc9cd8b540cd2ca1102a1ebd7c96100a7804b7f06e8430adb4adb5e2c4b09f699e38bff3a04a5c34f7ac4d0158dc2840f94f2a7ff3af196b

Download Submit
C:\Windows\SysWOW64\Milidebi.exe

Filesize
414KB

MD5
fce5785b2868cea1754d7aa7e970718e

SHA1
d2042c27431c13df2741992491718a792e4c09f5

SHA256
c59924063043389ebffbca977a4f5277e7e44d8de6e181695a4563a13b2750a2

SHA512
c94a4fccd5cce06eec847cd4f71ee257e4933ffd2ca3485920211d3c4e4ca653e4c0c2accfdcb46144af62cfd5e11d441dffbf454c5c675bc6a3ed317ed5a7cd

Download Submit
C:\Windows\SysWOW64\Milidebi.exe

Filesize
414KB

MD5
fce5785b2868cea1754d7aa7e970718e

SHA1
d2042c27431c13df2741992491718a792e4c09f5

SHA256
c59924063043389ebffbca977a4f5277e7e44d8de6e181695a4563a13b2750a2

SHA512
c94a4fccd5cce06eec847cd4f71ee257e4933ffd2ca3485920211d3c4e4ca653e4c0c2accfdcb46144af62cfd5e11d441dffbf454c5c675bc6a3ed317ed5a7cd

Download Submit
memory/380-200-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/384-334-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/400-374-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/456-216-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/688-406-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1100-152-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1124-244-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1200-104-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1288-380-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1308-207-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1508-176-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1644-351-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1744-127-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1784-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1860-260-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1888-430-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1940-192-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2012-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2044-31-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2112-80-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2260-39-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2304-290-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2532-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2580-47-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2584-368-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2592-442-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2652-292-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2688-146-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2840-123-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3048-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3120-340-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3240-388-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3396-231-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3432-310-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3444-168-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3556-437-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3712-112-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3776-394-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3820-322-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3836-419-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3852-248-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3864-64-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3928-316-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3972-298-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4028-332-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4040-15-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4144-96-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4172-356-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4308-185-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4316-424-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4340-362-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4432-72-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4440-284-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4448-382-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4612-266-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4620-278-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4684-272-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4720-135-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4784-405-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4820-23-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4836-412-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4848-224-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4980-88-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4996-308-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads