eee83d409bb715da281d531e9e9be33f4bb8518c09f3254bb6d5452991010076

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 21:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.edadc99073b36870e714e7cc943dbee0.exe
Size

93KB
MD5

edadc99073b36870e714e7cc943dbee0
SHA1

70f5e604097a600f7f011ecfe93f90a8e397f5b5
SHA256

eee83d409bb715da281d531e9e9be33f4bb8518c09f3254bb6d5452991010076
SHA512

dfc3d3d309e0754488b3a4346b2f58b6110d8d275afb031b910b2f2d1be93594d33681304d3fb7a8de6d4ae3c3c8a39cb3aef0aeba1c732860e933851dce294e
SSDEEP

1536:TvpNmMJ70pY/PzQuG7IgXiDbH9qqtU7CkFgTjebmb/TFsjiwg58:LpNmMEY/PzQb7IgSDrvkeTC6WY58

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmknaell.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmknaell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/1200-0-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e06-6.dat	family_berbew
behavioral2/files/0x0006000000022e06-8.dat	family_berbew
behavioral2/memory/3396-7-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e08-14.dat	family_berbew
behavioral2/files/0x0006000000022e08-15.dat	family_berbew
behavioral2/memory/3316-16-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e0a-22.dat	family_berbew
behavioral2/memory/2840-23-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e0a-24.dat	family_berbew
behavioral2/files/0x00040000000006e5-30.dat	family_berbew
behavioral2/files/0x00040000000006e5-31.dat	family_berbew
behavioral2/memory/4240-32-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e0d-38.dat	family_berbew
behavioral2/files/0x0006000000022e0d-39.dat	family_berbew
behavioral2/memory/3916-40-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e0f-46.dat	family_berbew
behavioral2/memory/4912-48-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e0f-47.dat	family_berbew
behavioral2/files/0x0008000000022ded-54.dat	family_berbew
behavioral2/memory/2676-56-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022ded-55.dat	family_berbew
behavioral2/files/0x0006000000022e12-62.dat	family_berbew
behavioral2/files/0x0006000000022e12-64.dat	family_berbew
behavioral2/memory/2224-63-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e14-70.dat	family_berbew
behavioral2/files/0x0006000000022e14-71.dat	family_berbew
behavioral2/memory/2112-72-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e16-78.dat	family_berbew
behavioral2/memory/3556-79-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e16-80.dat	family_berbew
behavioral2/files/0x0006000000022e18-86.dat	family_berbew
behavioral2/files/0x0006000000022e18-87.dat	family_berbew
behavioral2/memory/4740-88-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e1a-94.dat	family_berbew
behavioral2/files/0x0006000000022e1a-96.dat	family_berbew
behavioral2/memory/4392-95-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e1c-102.dat	family_berbew
behavioral2/files/0x0006000000022e1c-103.dat	family_berbew
behavioral2/memory/1828-104-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e1e-110.dat	family_berbew
behavioral2/memory/2124-111-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e1e-112.dat	family_berbew
behavioral2/files/0x0006000000022e20-118.dat	family_berbew
behavioral2/files/0x0006000000022e20-119.dat	family_berbew
behavioral2/memory/1452-120-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e22-126.dat	family_berbew
behavioral2/memory/3964-127-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e22-128.dat	family_berbew
behavioral2/files/0x0006000000022e25-134.dat	family_berbew
behavioral2/memory/2892-136-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e25-135.dat	family_berbew
behavioral2/files/0x0006000000022e27-142.dat	family_berbew
behavioral2/memory/644-144-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e27-143.dat	family_berbew
behavioral2/files/0x0006000000022e29-150.dat	family_berbew
behavioral2/files/0x0006000000022e29-151.dat	family_berbew
behavioral2/memory/1428-152-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e2b-158.dat	family_berbew
behavioral2/memory/1188-160-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e2b-159.dat	family_berbew
behavioral2/files/0x0006000000022e2e-167.dat	family_berbew
behavioral2/files/0x0006000000022e2e-166.dat	family_berbew
behavioral2/memory/1344-168-0x0000000000400000-0x000000000043F000-memory.dmp	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
3396	Jmknaell.exe
3316	Jbhfjljd.exe
2840	Jianff32.exe
4240	Jbjcolha.exe
3916	Jmpgldhg.exe
4912	Jfhlejnh.exe
2676	Jlednamo.exe
2224	Kiidgeki.exe
2112	Kbaipkbi.exe
3556	Klimip32.exe
4740	Kebbafoj.exe
4392	Kdcbom32.exe
1828	Kedoge32.exe
2124	Klqcioba.exe
1452	Liddbc32.exe
3964	Ldjhpl32.exe
2892	Lmbmibhb.exe
644	Lboeaifi.exe
1428	Lmdina32.exe
1188	Lgmngglp.exe
1344	Lmgfda32.exe
3492	Lebkhc32.exe
4028	Mbfkbhpa.exe
1780	Mlopkm32.exe
60	Megdccmb.exe
3596	Mplhql32.exe
2452	Mmpijp32.exe
4228	Migjoaaf.exe
1456	Mcpnhfhf.exe
3488	Miifeq32.exe
1172	Nngokoej.exe
2976	Nphhmj32.exe
4812	Njqmepik.exe
1324	Ncianepl.exe
4428	Nnneknob.exe
2152	Nckndeni.exe
4684	Olcbmj32.exe
4420	Ogifjcdp.exe
1272	Ocpgod32.exe
5016	Ojjolnaq.exe
5116	Ognpebpj.exe
2460	Oqfdnhfk.exe
1924	Ojoign32.exe
2712	Qnjnnj32.exe
2936	Qddfkd32.exe
1448	Ampkof32.exe
1168	Acjclpcf.exe
4208	Anogiicl.exe
2656	Aclpap32.exe
4808	Aqppkd32.exe
1372	Agjhgngj.exe
5104	Acqimo32.exe
2504	Afoeiklb.exe
3716	Aadifclh.exe
4932	Bfabnjjp.exe
2700	Bmkjkd32.exe
1712	Bganhm32.exe
1056	Bmngqdpj.exe
1936	Beeoaapl.exe
4280	Bmpcfdmg.exe
4972	Bcjlcn32.exe
3648	Bnpppgdj.exe
4360	Beihma32.exe
1340	Chjaol32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Klimip32.exe	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Miifeq32.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Kbaipkbi.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Lmdina32.exe	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Megdccmb.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Jianff32.exe	Jbhfjljd.exe
File created	C:\Windows\SysWOW64\Jmpgldhg.exe	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Lmdina32.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Kedoge32.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Bhoilahe.dll	Jfhlejnh.exe
File opened for modification	C:\Windows\SysWOW64\Lmbmibhb.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Klqcioba.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhpl32.exe	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jbhfjljd.exe	Jmknaell.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Liddbc32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Jlednamo.exe	Jfhlejnh.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Jmknaell.exe	NEAS.edadc99073b36870e714e7cc943dbee0.exe
File created	C:\Windows\SysWOW64\Bhaomhld.dll	Kiidgeki.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6036	5928	WerFault.exe	181

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmknaell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpmkplp.dll"	Jmknaell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdfloja.dll"	Jlednamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.edadc99073b36870e714e7cc943dbee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjpohk.dll"	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.edadc99073b36870e714e7cc943dbee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagplp32.dll"	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkahqga.dll"	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll"	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.edadc99073b36870e714e7cc943dbee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 3396	1200	NEAS.edadc99073b36870e714e7cc943dbee0.exe	86
PID 1200 wrote to memory of 3396	1200	NEAS.edadc99073b36870e714e7cc943dbee0.exe	86
PID 1200 wrote to memory of 3396	1200	NEAS.edadc99073b36870e714e7cc943dbee0.exe	86
PID 3396 wrote to memory of 3316	3396	Jmknaell.exe	87
PID 3396 wrote to memory of 3316	3396	Jmknaell.exe	87
PID 3396 wrote to memory of 3316	3396	Jmknaell.exe	87
PID 3316 wrote to memory of 2840	3316	Jbhfjljd.exe	88
PID 3316 wrote to memory of 2840	3316	Jbhfjljd.exe	88
PID 3316 wrote to memory of 2840	3316	Jbhfjljd.exe	88
PID 2840 wrote to memory of 4240	2840	Jianff32.exe	89
PID 2840 wrote to memory of 4240	2840	Jianff32.exe	89
PID 2840 wrote to memory of 4240	2840	Jianff32.exe	89
PID 4240 wrote to memory of 3916	4240	Jbjcolha.exe	90
PID 4240 wrote to memory of 3916	4240	Jbjcolha.exe	90
PID 4240 wrote to memory of 3916	4240	Jbjcolha.exe	90
PID 3916 wrote to memory of 4912	3916	Jmpgldhg.exe	91
PID 3916 wrote to memory of 4912	3916	Jmpgldhg.exe	91
PID 3916 wrote to memory of 4912	3916	Jmpgldhg.exe	91
PID 4912 wrote to memory of 2676	4912	Jfhlejnh.exe	92
PID 4912 wrote to memory of 2676	4912	Jfhlejnh.exe	92
PID 4912 wrote to memory of 2676	4912	Jfhlejnh.exe	92
PID 2676 wrote to memory of 2224	2676	Jlednamo.exe	93
PID 2676 wrote to memory of 2224	2676	Jlednamo.exe	93
PID 2676 wrote to memory of 2224	2676	Jlednamo.exe	93
PID 2224 wrote to memory of 2112	2224	Kiidgeki.exe	94
PID 2224 wrote to memory of 2112	2224	Kiidgeki.exe	94
PID 2224 wrote to memory of 2112	2224	Kiidgeki.exe	94
PID 2112 wrote to memory of 3556	2112	Kbaipkbi.exe	95
PID 2112 wrote to memory of 3556	2112	Kbaipkbi.exe	95
PID 2112 wrote to memory of 3556	2112	Kbaipkbi.exe	95
PID 3556 wrote to memory of 4740	3556	Klimip32.exe	96
PID 3556 wrote to memory of 4740	3556	Klimip32.exe	96
PID 3556 wrote to memory of 4740	3556	Klimip32.exe	96
PID 4740 wrote to memory of 4392	4740	Kebbafoj.exe	97
PID 4740 wrote to memory of 4392	4740	Kebbafoj.exe	97
PID 4740 wrote to memory of 4392	4740	Kebbafoj.exe	97
PID 4392 wrote to memory of 1828	4392	Kdcbom32.exe	98
PID 4392 wrote to memory of 1828	4392	Kdcbom32.exe	98
PID 4392 wrote to memory of 1828	4392	Kdcbom32.exe	98
PID 1828 wrote to memory of 2124	1828	Kedoge32.exe	99
PID 1828 wrote to memory of 2124	1828	Kedoge32.exe	99
PID 1828 wrote to memory of 2124	1828	Kedoge32.exe	99
PID 2124 wrote to memory of 1452	2124	Klqcioba.exe	100
PID 2124 wrote to memory of 1452	2124	Klqcioba.exe	100
PID 2124 wrote to memory of 1452	2124	Klqcioba.exe	100
PID 1452 wrote to memory of 3964	1452	Liddbc32.exe	101
PID 1452 wrote to memory of 3964	1452	Liddbc32.exe	101
PID 1452 wrote to memory of 3964	1452	Liddbc32.exe	101
PID 3964 wrote to memory of 2892	3964	Ldjhpl32.exe	102
PID 3964 wrote to memory of 2892	3964	Ldjhpl32.exe	102
PID 3964 wrote to memory of 2892	3964	Ldjhpl32.exe	102
PID 2892 wrote to memory of 644	2892	Lmbmibhb.exe	103
PID 2892 wrote to memory of 644	2892	Lmbmibhb.exe	103
PID 2892 wrote to memory of 644	2892	Lmbmibhb.exe	103
PID 644 wrote to memory of 1428	644	Lboeaifi.exe	104
PID 644 wrote to memory of 1428	644	Lboeaifi.exe	104
PID 644 wrote to memory of 1428	644	Lboeaifi.exe	104
PID 1428 wrote to memory of 1188	1428	Lmdina32.exe	105
PID 1428 wrote to memory of 1188	1428	Lmdina32.exe	105
PID 1428 wrote to memory of 1188	1428	Lmdina32.exe	105
PID 1188 wrote to memory of 1344	1188	Lgmngglp.exe	106
PID 1188 wrote to memory of 1344	1188	Lgmngglp.exe	106
PID 1188 wrote to memory of 1344	1188	Lgmngglp.exe	106
PID 1344 wrote to memory of 3492	1344	Lmgfda32.exe	107

C:\Users\Admin\AppData\Local\Temp\NEAS.edadc99073b36870e714e7cc943dbee0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.edadc99073b36870e714e7cc943dbee0.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\Jmknaell.exe
  C:\Windows\system32\Jmknaell.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\SysWOW64\Jbhfjljd.exe
    C:\Windows\system32\Jbhfjljd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3316
  - - C:\Windows\SysWOW64\Jianff32.exe
      C:\Windows\system32\Jianff32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4240
      - C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1780

C:\Windows\SysWOW64\Megdccmb.exe
C:\Windows\system32\Megdccmb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:60
- C:\Windows\SysWOW64\Mplhql32.exe
  C:\Windows\system32\Mplhql32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:3596
- - C:\Windows\SysWOW64\Mmpijp32.exe
    C:\Windows\system32\Mmpijp32.exe
    3⤵
    - Executes dropped EXE
    PID:2452
  - - C:\Windows\SysWOW64\Migjoaaf.exe
      C:\Windows\system32\Migjoaaf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:4228
    - - C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1456
      - C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        22⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        33⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        34⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        38⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        41⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        42⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        43⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2688
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        47⤵
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        49⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        53⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        54⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        56⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        59⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        63⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 408
        64⤵
        Program crash
        
        PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5928 -ip 5928
1⤵
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
93KB

MD5
82527ebf9e66bba6e203219a823798d9

SHA1
b51528014b344e7faffae186a18624648728f082

SHA256
80910bb1a94af2ce2dd1f96c93d267c386801785fbc0f30e69424d59f1c5c386

SHA512
2389d21cbc0405c040512746ddf1522d4e08562a9a2d1541836f72beaac454f3157acb57d8e97d53f9c5d7e73ca09a245e953f8aba2eda5478682cdfd86f4877

Download Submit
C:\Windows\SysWOW64\Ghkmacoj.dll

Filesize
7KB

MD5
6c13b3ee737cb54d7f51cad116a5cfc1

SHA1
190dcf257df4270d81a06e53be30be947e46eda6

SHA256
93feb122d59557b615bffbc21f38ac8c4be6521340105923bf75e9a5452031f5

SHA512
cb68d51d96c9a6f24c1d69281e6429c873c6ab4a710599abca655a4fcb0305409f27f7a9608d9dddea031194b0832ff1b3d08bede416b97432fac9eed6745c6f

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
93KB

MD5
5885a6632b8e59cfea0559504c0b854a

SHA1
7f22638c8a4726c8b51ce9ea8384f4df4d347e19

SHA256
94c461b414db125566adc8fdc5750a3a08fa658e48fc6698c846161a11269b8e

SHA512
e9a40c4fba4ffe6cce4d191624b6e57175c61dcd090e70e8effa44097618538f456ba952aba3fd91f59800deff85c5616df9fab3996998323c0c83b83c00848b

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
93KB

MD5
5885a6632b8e59cfea0559504c0b854a

SHA1
7f22638c8a4726c8b51ce9ea8384f4df4d347e19

SHA256
94c461b414db125566adc8fdc5750a3a08fa658e48fc6698c846161a11269b8e

SHA512
e9a40c4fba4ffe6cce4d191624b6e57175c61dcd090e70e8effa44097618538f456ba952aba3fd91f59800deff85c5616df9fab3996998323c0c83b83c00848b

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
93KB

MD5
6f5fc0c4934f25bcf13fbd87cbf74c06

SHA1
c76e4a2a5707353e15b0b8f99a29cdfafc2988c7

SHA256
c00460b7b5fda8fe5a44a6c45ef9d297c03d2f9658922513d93c011b6c322b39

SHA512
9171148f580b8d01758540298ad61041f4c00792d5ef7d321efff1c590c67d4d38a920e0de3c9cd87d9626e19b64c643b67382ede5787980f6e32a51de73d465

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
93KB

MD5
6f5fc0c4934f25bcf13fbd87cbf74c06

SHA1
c76e4a2a5707353e15b0b8f99a29cdfafc2988c7

SHA256
c00460b7b5fda8fe5a44a6c45ef9d297c03d2f9658922513d93c011b6c322b39

SHA512
9171148f580b8d01758540298ad61041f4c00792d5ef7d321efff1c590c67d4d38a920e0de3c9cd87d9626e19b64c643b67382ede5787980f6e32a51de73d465

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
93KB

MD5
e1d02ea983540c25754ca6613d1a91f0

SHA1
8f8a24cc2367bc1bee204086c2c4a2455483ebf6

SHA256
08d5ca896350b85f5134d16369b93a94c77feb08f0c5366ec483b764b156a5c4

SHA512
04482113339e22b5f5c55f04dc68e51279e70075ff119e86c89c4171e2217e9a2cbbc61440d49ce785d3cb7e836bb0381ab352c682192e944df3bcdd4fc87734

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
93KB

MD5
e1d02ea983540c25754ca6613d1a91f0

SHA1
8f8a24cc2367bc1bee204086c2c4a2455483ebf6

SHA256
08d5ca896350b85f5134d16369b93a94c77feb08f0c5366ec483b764b156a5c4

SHA512
04482113339e22b5f5c55f04dc68e51279e70075ff119e86c89c4171e2217e9a2cbbc61440d49ce785d3cb7e836bb0381ab352c682192e944df3bcdd4fc87734

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
93KB

MD5
920affda3b8eefbee8b96c3a1f6269f2

SHA1
4de8dcfa6cf73d9be767b42f1d595e79c6890ba7

SHA256
66731e7f8e4e9c430b0c64e861b34ee5e3093f22951be2643562d9cf036bcd46

SHA512
7dc173bc3723e8289fb47c2db239e23ad24990e7b66f7f4fe3aa19f8c02a25156beb38c2edc597cc95c0fbaa98141e436e298102aafa6501aab33f7d6cde9bd4

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
93KB

MD5
920affda3b8eefbee8b96c3a1f6269f2

SHA1
4de8dcfa6cf73d9be767b42f1d595e79c6890ba7

SHA256
66731e7f8e4e9c430b0c64e861b34ee5e3093f22951be2643562d9cf036bcd46

SHA512
7dc173bc3723e8289fb47c2db239e23ad24990e7b66f7f4fe3aa19f8c02a25156beb38c2edc597cc95c0fbaa98141e436e298102aafa6501aab33f7d6cde9bd4

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
93KB

MD5
bbf6d39677e3ac171bee88ed680a1543

SHA1
eaba0193d4fdbe960e0dfb4374565edadac14091

SHA256
a59effd0df3466aaf9a2a898bcb6de3f24bcd6c03248146f6f06bda0ee62e059

SHA512
b3313fdfab3134c7679e4e6e782304d088faa4883180bf26744aa132a2643d92d06f7115e96ffc5841cd7470180bf842cf60e4478b797dbafc84353284c03fd4

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
93KB

MD5
bbf6d39677e3ac171bee88ed680a1543

SHA1
eaba0193d4fdbe960e0dfb4374565edadac14091

SHA256
a59effd0df3466aaf9a2a898bcb6de3f24bcd6c03248146f6f06bda0ee62e059

SHA512
b3313fdfab3134c7679e4e6e782304d088faa4883180bf26744aa132a2643d92d06f7115e96ffc5841cd7470180bf842cf60e4478b797dbafc84353284c03fd4

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
93KB

MD5
ce6ad823202a0ede333b8a7d9ac3be9a

SHA1
0f603aeca078100bf279c9bcb220538c73fd520d

SHA256
baf7e1fa3308ea6b3a0866c01d21a36e202d200f935c81f488fd9f8af0d70510

SHA512
5a4e3b7af65626260542d77bbdb50ca5ba64ceb1d6f0801e5c886ac6b15a9f7957dfff31382b5e4bc8166e11a5d1f36cceb877c18d6f458dbdca7236b48660fa

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
93KB

MD5
ce6ad823202a0ede333b8a7d9ac3be9a

SHA1
0f603aeca078100bf279c9bcb220538c73fd520d

SHA256
baf7e1fa3308ea6b3a0866c01d21a36e202d200f935c81f488fd9f8af0d70510

SHA512
5a4e3b7af65626260542d77bbdb50ca5ba64ceb1d6f0801e5c886ac6b15a9f7957dfff31382b5e4bc8166e11a5d1f36cceb877c18d6f458dbdca7236b48660fa

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
93KB

MD5
709f7e6fb7508ca3d36166ca12d0002c

SHA1
c095428f8f4981de7c44acba5b3e6a4cfad18346

SHA256
93b27a69bc665b00f0f2bf5eb9dfdc7c5cdeb33ece56cf04f6c518416da70e29

SHA512
5a2747d25be1a5b256bd146a66d083d2855ad2d683cbeb08c87fd0ff2cd895ab4fae4d5c57f502c49a3672c5eb6e464b38573040061ea686a8773d5448602d74

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
93KB

MD5
709f7e6fb7508ca3d36166ca12d0002c

SHA1
c095428f8f4981de7c44acba5b3e6a4cfad18346

SHA256
93b27a69bc665b00f0f2bf5eb9dfdc7c5cdeb33ece56cf04f6c518416da70e29

SHA512
5a2747d25be1a5b256bd146a66d083d2855ad2d683cbeb08c87fd0ff2cd895ab4fae4d5c57f502c49a3672c5eb6e464b38573040061ea686a8773d5448602d74

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
93KB

MD5
cac5cd154ff554356674ff7ae11988c5

SHA1
2f0626ee68525edbb88b29a110824d726cc14a20

SHA256
aa2f2230ec3a46abe82dd65909f70e1bb1c172b07e1d5e124a0dd3336ab9c1ac

SHA512
dd3e29aac9453ad5a324c3eea00a2f3c8d1f6b5d614f74de28b64d8b2678df50051aefc405d6122f44fd874f6d9daef7831e0cf28f3cb531894d3c57c676f145

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
93KB

MD5
cac5cd154ff554356674ff7ae11988c5

SHA1
2f0626ee68525edbb88b29a110824d726cc14a20

SHA256
aa2f2230ec3a46abe82dd65909f70e1bb1c172b07e1d5e124a0dd3336ab9c1ac

SHA512
dd3e29aac9453ad5a324c3eea00a2f3c8d1f6b5d614f74de28b64d8b2678df50051aefc405d6122f44fd874f6d9daef7831e0cf28f3cb531894d3c57c676f145

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
93KB

MD5
243a8bdf399a2b84acbb6e070d38e6f9

SHA1
df2a13e6fd8cbda9128e4ae1835b96aca0387cf2

SHA256
8323d1e22f004ac107155dbae94a80d5cd46727605ad00f47c943fbf5a1557f8

SHA512
fbecafe8ce6e02bd663e3d01b581b96bc1af9ed12e3ff263afa81d3669588f296fc442e7857d6cf10beb289d82c8d5c88155d3d0845e6125f614f8860df3ce03

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
93KB

MD5
243a8bdf399a2b84acbb6e070d38e6f9

SHA1
df2a13e6fd8cbda9128e4ae1835b96aca0387cf2

SHA256
8323d1e22f004ac107155dbae94a80d5cd46727605ad00f47c943fbf5a1557f8

SHA512
fbecafe8ce6e02bd663e3d01b581b96bc1af9ed12e3ff263afa81d3669588f296fc442e7857d6cf10beb289d82c8d5c88155d3d0845e6125f614f8860df3ce03

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
93KB

MD5
b50a4a98cebb31442251e4d0ba93295b

SHA1
bf15dce59c42768a686f601be59dd2002ef2e5e3

SHA256
7ac0f0573aca506f74f3efa75e634871e985bcc272a0d422b4dfbf565f3c9946

SHA512
811073ca49e2774021001dc32177c071498fc6b2381baf82e5e1dbd00f1f17dba926eec1bd142723dd31884be0bcc40926aeba11b408af631cfbb5b02ca69cde

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
93KB

MD5
b50a4a98cebb31442251e4d0ba93295b

SHA1
bf15dce59c42768a686f601be59dd2002ef2e5e3

SHA256
7ac0f0573aca506f74f3efa75e634871e985bcc272a0d422b4dfbf565f3c9946

SHA512
811073ca49e2774021001dc32177c071498fc6b2381baf82e5e1dbd00f1f17dba926eec1bd142723dd31884be0bcc40926aeba11b408af631cfbb5b02ca69cde

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
93KB

MD5
312d172135115863bb1ddb6d868f986c

SHA1
5dfb375ecb61e75fc5c8811d97de9b659e4a00d7

SHA256
798d97a186d3ec8466e4e89afc89b4efe0149e827d5d96dc41e365a1241d95e8

SHA512
7aa15792d929933d3eb8e9a6a564219cfd070f9926a360b2dda8bbe12cd224b1b6f786935521ae2e697472c4ac778a414be40991f0bd1e2b685fdc9befb99404

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
93KB

MD5
312d172135115863bb1ddb6d868f986c

SHA1
5dfb375ecb61e75fc5c8811d97de9b659e4a00d7

SHA256
798d97a186d3ec8466e4e89afc89b4efe0149e827d5d96dc41e365a1241d95e8

SHA512
7aa15792d929933d3eb8e9a6a564219cfd070f9926a360b2dda8bbe12cd224b1b6f786935521ae2e697472c4ac778a414be40991f0bd1e2b685fdc9befb99404

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
93KB

MD5
5fcbc4650c287115c8b18d63fc3bbe1a

SHA1
8c608d849554e1179f298851ce8afef9898dc52a

SHA256
402492c75dcfe6725b3856bf4f9c1900f8b5fd49dcc4174047bb031cf56218be

SHA512
53ab5eeeaea76d565d3565f7d630061ce09e87cfcfa0c89ed38cd5aaa22fec005b604460fc48adfea58bebec7a298c2986d7d01603c039cc0eeef814719202e5

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
93KB

MD5
5fcbc4650c287115c8b18d63fc3bbe1a

SHA1
8c608d849554e1179f298851ce8afef9898dc52a

SHA256
402492c75dcfe6725b3856bf4f9c1900f8b5fd49dcc4174047bb031cf56218be

SHA512
53ab5eeeaea76d565d3565f7d630061ce09e87cfcfa0c89ed38cd5aaa22fec005b604460fc48adfea58bebec7a298c2986d7d01603c039cc0eeef814719202e5

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
93KB

MD5
61e471ad025b4e36b6b8708d9f2f209b

SHA1
eab15d37dfc3f2d29a459fb89fc2e6d16bc9661c

SHA256
464e9edcda22641e83aa8cfd5c419ee8920ec640fc7325700c4ee3870e852b6e

SHA512
bbc90593311db71cf81c0e2197c78425f3c1c83ca4217435a75b5f81bd46e7af6d3ad16f9b9210a25ad334818a9a25a2c5905bf886f9a92bb253b01d524d83a2

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
93KB

MD5
61e471ad025b4e36b6b8708d9f2f209b

SHA1
eab15d37dfc3f2d29a459fb89fc2e6d16bc9661c

SHA256
464e9edcda22641e83aa8cfd5c419ee8920ec640fc7325700c4ee3870e852b6e

SHA512
bbc90593311db71cf81c0e2197c78425f3c1c83ca4217435a75b5f81bd46e7af6d3ad16f9b9210a25ad334818a9a25a2c5905bf886f9a92bb253b01d524d83a2

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
93KB

MD5
4cbccc1b9449244575dddbcdc70ed132

SHA1
75fe4594f486213911bbee2a261b4ba434cbb2f0

SHA256
02b2840924fef2a2a6e21278221b8f1cb83515e03f1529217ec13f09e0e37479

SHA512
210ae2085917d140426cf5bb35a72ffc96a214b9b778e13d8c3249c659c17a0ec4758d9dbdb23148519e3c8796e18f81818e2e170810dc852833bb35528703b7

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
93KB

MD5
4cbccc1b9449244575dddbcdc70ed132

SHA1
75fe4594f486213911bbee2a261b4ba434cbb2f0

SHA256
02b2840924fef2a2a6e21278221b8f1cb83515e03f1529217ec13f09e0e37479

SHA512
210ae2085917d140426cf5bb35a72ffc96a214b9b778e13d8c3249c659c17a0ec4758d9dbdb23148519e3c8796e18f81818e2e170810dc852833bb35528703b7

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
93KB

MD5
c3823b6d7eb1346cac6ffbb4b73175b5

SHA1
5aeabcd9406905197ecbb3fed135560ace6a20b8

SHA256
d9005a5b2b0207fb233968fd759546b65fde6a5828547ed1a3596932d1d89344

SHA512
0376923fabaaa1601fad76d2acdc8f79d7b0edd19d0c7a9d426a002d777d1967b67db41d236a5d8d590ca131b84b0cbe168fd70faf0c50c8bac60aaf7c73fb08

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
93KB

MD5
c3823b6d7eb1346cac6ffbb4b73175b5

SHA1
5aeabcd9406905197ecbb3fed135560ace6a20b8

SHA256
d9005a5b2b0207fb233968fd759546b65fde6a5828547ed1a3596932d1d89344

SHA512
0376923fabaaa1601fad76d2acdc8f79d7b0edd19d0c7a9d426a002d777d1967b67db41d236a5d8d590ca131b84b0cbe168fd70faf0c50c8bac60aaf7c73fb08

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
93KB

MD5
613c3f4a948c7c1984a18d2be15f923d

SHA1
5fa4b5e7706de53de1e851cea76b8518c024869c

SHA256
16bf184fe1e8efbfd1830200af32a381529ce649b429b17c1ca5ca4bae5d5a7e

SHA512
707dd62996ca57beae367e89aa9fc7f794be1fc022962e83cfcd44984e39197def255f112c12b50daeacae5e1121873da9c2ff8861baaaab166852b0e8484c7f

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
93KB

MD5
613c3f4a948c7c1984a18d2be15f923d

SHA1
5fa4b5e7706de53de1e851cea76b8518c024869c

SHA256
16bf184fe1e8efbfd1830200af32a381529ce649b429b17c1ca5ca4bae5d5a7e

SHA512
707dd62996ca57beae367e89aa9fc7f794be1fc022962e83cfcd44984e39197def255f112c12b50daeacae5e1121873da9c2ff8861baaaab166852b0e8484c7f

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
93KB

MD5
3973e08618993587a38a50a93ecd13d9

SHA1
c0dcfa9b3827218295d63f8e32b6f53bd8652d85

SHA256
0ddcbaca8c6eac6aef893c1273459db8b770282a4c5ec991422b9904ad183d09

SHA512
72c3d08fc912ac7e75f10c679eac03854653c0de779561ef3aecbab9ac37a77b112405d4920aebf4364018417d317cea5b980712b36281fad07d9aaf0e590194

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
93KB

MD5
3973e08618993587a38a50a93ecd13d9

SHA1
c0dcfa9b3827218295d63f8e32b6f53bd8652d85

SHA256
0ddcbaca8c6eac6aef893c1273459db8b770282a4c5ec991422b9904ad183d09

SHA512
72c3d08fc912ac7e75f10c679eac03854653c0de779561ef3aecbab9ac37a77b112405d4920aebf4364018417d317cea5b980712b36281fad07d9aaf0e590194

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
93KB

MD5
c2b6d4399f8df43d1cc6d50319b17f85

SHA1
31f67041c2d3715784e50bd07afb840a5c2ec9dd

SHA256
265b84c88f8cb21614053cf427498b379462816512f4910046d63ab65e52db5b

SHA512
0416739fa244cc4c72160b04835b0693967dc526a4ce9fbdeb9136692ff928b8b6e648a3222fcd968c55e5dbfad42c1803d0c081d53ac926f3e2714b7235d729

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
93KB

MD5
c2b6d4399f8df43d1cc6d50319b17f85

SHA1
31f67041c2d3715784e50bd07afb840a5c2ec9dd

SHA256
265b84c88f8cb21614053cf427498b379462816512f4910046d63ab65e52db5b

SHA512
0416739fa244cc4c72160b04835b0693967dc526a4ce9fbdeb9136692ff928b8b6e648a3222fcd968c55e5dbfad42c1803d0c081d53ac926f3e2714b7235d729

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
93KB

MD5
056412c34291e33a3ba7d6d35b23509a

SHA1
a487d9a5a8761434ce9c62a267fccc4cdbe19ae0

SHA256
e1a9ad9adab6ab33ceba39c2caa0a7d581dd686c34405157d86f1830045adb1c

SHA512
293cf1ee076ab5bd645c1a42d3599d20fc83be875412068a2e0101046c5c9d2591778a0e62f4bf9c036a7f5d884dbe418d36a1c4f0da8d671ba37e6c4bc3449b

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
93KB

MD5
056412c34291e33a3ba7d6d35b23509a

SHA1
a487d9a5a8761434ce9c62a267fccc4cdbe19ae0

SHA256
e1a9ad9adab6ab33ceba39c2caa0a7d581dd686c34405157d86f1830045adb1c

SHA512
293cf1ee076ab5bd645c1a42d3599d20fc83be875412068a2e0101046c5c9d2591778a0e62f4bf9c036a7f5d884dbe418d36a1c4f0da8d671ba37e6c4bc3449b

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
93KB

MD5
1776a02ab2195907b74fe7b793ab28de

SHA1
e033617b78b16c0e86e8f1c3b22e1fae0fe6ce60

SHA256
86310848eb622830a58b2c147ea6a047dd90e81e01a790f3d1d4a01dda025849

SHA512
0d75af71c1ca5a2408f7a0a61734703bc8117f77e7a519c1e873987d3dadc64b7bab07c7cf48d6c90f71ba8ba7be814b296aa6b05c7a1cafbb6b409a03942685

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
93KB

MD5
1776a02ab2195907b74fe7b793ab28de

SHA1
e033617b78b16c0e86e8f1c3b22e1fae0fe6ce60

SHA256
86310848eb622830a58b2c147ea6a047dd90e81e01a790f3d1d4a01dda025849

SHA512
0d75af71c1ca5a2408f7a0a61734703bc8117f77e7a519c1e873987d3dadc64b7bab07c7cf48d6c90f71ba8ba7be814b296aa6b05c7a1cafbb6b409a03942685

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
93KB

MD5
a9406a58eec9928881abffe62fbb686f

SHA1
67feb0b1d945b0e13750a9b70f4a82ee1dcc7655

SHA256
4cbb1dbbaaf18f4aea6a4c8a305965a67f6071727d5d4885d520a96ad1bcb5f4

SHA512
650ada70ae1ad7e2fb7bad365659523470b60576e4b345844e4ca37d05a6972c0b0ab4bc42a5edb5dd327a8973275dfb8df598aa815fe4b82d4b48595c3eded1

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
93KB

MD5
a9406a58eec9928881abffe62fbb686f

SHA1
67feb0b1d945b0e13750a9b70f4a82ee1dcc7655

SHA256
4cbb1dbbaaf18f4aea6a4c8a305965a67f6071727d5d4885d520a96ad1bcb5f4

SHA512
650ada70ae1ad7e2fb7bad365659523470b60576e4b345844e4ca37d05a6972c0b0ab4bc42a5edb5dd327a8973275dfb8df598aa815fe4b82d4b48595c3eded1

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
93KB

MD5
a2f431e95d223435d4112b3439388c2a

SHA1
431b8f19b33d8ef9b551e5fabaecb9daeba9cf05

SHA256
1771b31dc943fab3b5c0ad8cb07578573313956ee686c6dd49d0e26443b327c9

SHA512
6863250ee917aaaa140501f7b67880e86ae0a4e3e116be11fc7aeed13fb80b4b7e902731eaed5da8c646fbb4431815e49c582bf1679eb79e5fdd038e9d14ae54

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
93KB

MD5
a2f431e95d223435d4112b3439388c2a

SHA1
431b8f19b33d8ef9b551e5fabaecb9daeba9cf05

SHA256
1771b31dc943fab3b5c0ad8cb07578573313956ee686c6dd49d0e26443b327c9

SHA512
6863250ee917aaaa140501f7b67880e86ae0a4e3e116be11fc7aeed13fb80b4b7e902731eaed5da8c646fbb4431815e49c582bf1679eb79e5fdd038e9d14ae54

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
93KB

MD5
99da061b7ec804c8c3031146f31dfd6c

SHA1
d56c3c3ff52ed9d0635e3c3c337bcab047fe6d00

SHA256
fb1986497da3c62dc19737030e7a5da218f51df233511c80933052b52826b1cc

SHA512
32e308d8d84fab988862cf0d7880f67341e121a6c68d7267777a02ffe14544fb718d269b6ca846a1c67f5dfe70108df8dead7ba9ada33073d9aa06c97e2591e1

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
93KB

MD5
99da061b7ec804c8c3031146f31dfd6c

SHA1
d56c3c3ff52ed9d0635e3c3c337bcab047fe6d00

SHA256
fb1986497da3c62dc19737030e7a5da218f51df233511c80933052b52826b1cc

SHA512
32e308d8d84fab988862cf0d7880f67341e121a6c68d7267777a02ffe14544fb718d269b6ca846a1c67f5dfe70108df8dead7ba9ada33073d9aa06c97e2591e1

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
93KB

MD5
69df618ca0fe7ef0d53dbe8cea9d06e9

SHA1
a62dc42f93e5c75995284d00c2c89aa19cf9b5d3

SHA256
3247d0888c93963cdf6f521bf4ab00ce96bfe5ec4f0fb08430a73c057fa732dd

SHA512
360934d46e417bbcc64d0a805ae027c071b8930cdcd31ac0ac97d951191a5b9beae591912782a8ea333ea4ce50bf9356d1e3126472ed670499f49b86531ba2b2

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
93KB

MD5
69df618ca0fe7ef0d53dbe8cea9d06e9

SHA1
a62dc42f93e5c75995284d00c2c89aa19cf9b5d3

SHA256
3247d0888c93963cdf6f521bf4ab00ce96bfe5ec4f0fb08430a73c057fa732dd

SHA512
360934d46e417bbcc64d0a805ae027c071b8930cdcd31ac0ac97d951191a5b9beae591912782a8ea333ea4ce50bf9356d1e3126472ed670499f49b86531ba2b2

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
93KB

MD5
46b6f61d6e6a27f414b7ab8a54811c2e

SHA1
fb8eb13ab4f0cb3cfcad2d5fab96b644d072b459

SHA256
62cf3a01dbb353edba7438bb051af440f6f46ea67bd6bd26bf80b66a2b51b31e

SHA512
62ab2521409b520c513032cd14bed30f20f0116372f21233cf190f2ef2e96a70530b31fe233729ceadea6d76dd479106d9d815710a4c6c3869204a7f860980f8

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
93KB

MD5
46b6f61d6e6a27f414b7ab8a54811c2e

SHA1
fb8eb13ab4f0cb3cfcad2d5fab96b644d072b459

SHA256
62cf3a01dbb353edba7438bb051af440f6f46ea67bd6bd26bf80b66a2b51b31e

SHA512
62ab2521409b520c513032cd14bed30f20f0116372f21233cf190f2ef2e96a70530b31fe233729ceadea6d76dd479106d9d815710a4c6c3869204a7f860980f8

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
93KB

MD5
1d1e594a1c9e9c70daac6cb8b22c45b4

SHA1
2d1e761785aa418a1ef9a365f71e2f5897104f5a

SHA256
97f1a0854a300a1dae67e6db29abec8bc30c7d191861dfad3c599238873fb3d2

SHA512
e46eced8cec65e3f7e79e8090d308782959cbf60c19ee76b483f7fd59439e2ab41504a0b557e248885b4990272306c81d4dc42a268699224998a5beb13a8a55a

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
93KB

MD5
1d1e594a1c9e9c70daac6cb8b22c45b4

SHA1
2d1e761785aa418a1ef9a365f71e2f5897104f5a

SHA256
97f1a0854a300a1dae67e6db29abec8bc30c7d191861dfad3c599238873fb3d2

SHA512
e46eced8cec65e3f7e79e8090d308782959cbf60c19ee76b483f7fd59439e2ab41504a0b557e248885b4990272306c81d4dc42a268699224998a5beb13a8a55a

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
93KB

MD5
ead63d2f2a151846181101c60d9e4cc7

SHA1
dcb964f33ef63ce7c848c5e56f0bf21fda054a15

SHA256
c8bdb16010d0c4a9109a935b1c640f3a2361f054eae5b80c6aacbc0293b73a4b

SHA512
8740efe97d52d286e2e2ce89d44d0fc5c4751d1145b92b720ae73bd61c530157b02c8ba66cecdc66a8f03521d2662f49bbadf8349156ca00c6dd04bf1b5dcfa0

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
93KB

MD5
ead63d2f2a151846181101c60d9e4cc7

SHA1
dcb964f33ef63ce7c848c5e56f0bf21fda054a15

SHA256
c8bdb16010d0c4a9109a935b1c640f3a2361f054eae5b80c6aacbc0293b73a4b

SHA512
8740efe97d52d286e2e2ce89d44d0fc5c4751d1145b92b720ae73bd61c530157b02c8ba66cecdc66a8f03521d2662f49bbadf8349156ca00c6dd04bf1b5dcfa0

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
93KB

MD5
ead63d2f2a151846181101c60d9e4cc7

SHA1
dcb964f33ef63ce7c848c5e56f0bf21fda054a15

SHA256
c8bdb16010d0c4a9109a935b1c640f3a2361f054eae5b80c6aacbc0293b73a4b

SHA512
8740efe97d52d286e2e2ce89d44d0fc5c4751d1145b92b720ae73bd61c530157b02c8ba66cecdc66a8f03521d2662f49bbadf8349156ca00c6dd04bf1b5dcfa0

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
93KB

MD5
e046afec47dd44adbd700e37d44d53ee

SHA1
1b29dc16710b1fc8c7dd3ac70d2a352cee5633f0

SHA256
67e47a46f5bb01e81005bb1682f65206f81e6b49951facd7728e3c1006ac7d3e

SHA512
63979ee49676b3f6df5f065a641f9b4719432ce46f80afcf975c65cdf11f7a38a73be18d5791a991e8b89714f50120c707b49b1d07445d5bb05e7c1e082d3af3

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
93KB

MD5
e046afec47dd44adbd700e37d44d53ee

SHA1
1b29dc16710b1fc8c7dd3ac70d2a352cee5633f0

SHA256
67e47a46f5bb01e81005bb1682f65206f81e6b49951facd7728e3c1006ac7d3e

SHA512
63979ee49676b3f6df5f065a641f9b4719432ce46f80afcf975c65cdf11f7a38a73be18d5791a991e8b89714f50120c707b49b1d07445d5bb05e7c1e082d3af3

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
93KB

MD5
c55a6d25c1110771face2efe0ddea0b0

SHA1
4009860c622ff18eed8447b65195f566541021db

SHA256
b2cd4c1503f17b41643a78fc6295a51360356cc3a3d7a5a031edb32fe27b5723

SHA512
d277fe0d8f07b4d066baa42fbfefe79278ff630a9c4bacd1bd6a3fd5152f6732c6067cbec74b7ed300eea5a07ccee19cb29c737772a54a675ac854e88b9c1027

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
93KB

MD5
c55a6d25c1110771face2efe0ddea0b0

SHA1
4009860c622ff18eed8447b65195f566541021db

SHA256
b2cd4c1503f17b41643a78fc6295a51360356cc3a3d7a5a031edb32fe27b5723

SHA512
d277fe0d8f07b4d066baa42fbfefe79278ff630a9c4bacd1bd6a3fd5152f6732c6067cbec74b7ed300eea5a07ccee19cb29c737772a54a675ac854e88b9c1027

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
93KB

MD5
f6d0e21bb7ac2fd12363bf427b18de62

SHA1
d8fd866aa2662b0425382ed8bee1b94010c4f728

SHA256
85680d4d4db586318202a445860afdeec6255624065696eec694d94f1f2c804c

SHA512
758708b90896efa8dcf2fe6c586448a5ee40071e4848daef6638f8705986b1ee36862800b2c5953e98e936fa5c8f74a757b96bf93129afbf4e02877036d376e4

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
93KB

MD5
f6d0e21bb7ac2fd12363bf427b18de62

SHA1
d8fd866aa2662b0425382ed8bee1b94010c4f728

SHA256
85680d4d4db586318202a445860afdeec6255624065696eec694d94f1f2c804c

SHA512
758708b90896efa8dcf2fe6c586448a5ee40071e4848daef6638f8705986b1ee36862800b2c5953e98e936fa5c8f74a757b96bf93129afbf4e02877036d376e4

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
93KB

MD5
7620087886e07631b426ffa22e15eeae

SHA1
4c5b01b92641044a0cd6c9d71e18b960543f7fee

SHA256
3e210c9cb7bba8a241f147e6c6e137ce5cb10d617c8c383320dc4f3335dfe8ef

SHA512
57089d59092341443e20bff2f762bb142374708278ee7d99f81fd6ba7825a3c7e2dfb6600673ea4457f4a492a795cca2718428145c8039c1c46b16724b447852

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
93KB

MD5
7620087886e07631b426ffa22e15eeae

SHA1
4c5b01b92641044a0cd6c9d71e18b960543f7fee

SHA256
3e210c9cb7bba8a241f147e6c6e137ce5cb10d617c8c383320dc4f3335dfe8ef

SHA512
57089d59092341443e20bff2f762bb142374708278ee7d99f81fd6ba7825a3c7e2dfb6600673ea4457f4a492a795cca2718428145c8039c1c46b16724b447852

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
93KB

MD5
70a3707247e963a669b7e6d8f465bc8e

SHA1
df40d9c5ab1af2552dec2410cb99ce446f5cd41d

SHA256
80fbe7b1df7ccea67726108b272e615277a41dd5f1c59d3ea6aed061750ed8c8

SHA512
420e0aa9083d61143af67651130ea7cb452d2e48ce71e3c496cf6668060a12bae78ae9ab08e4e3d1f8fa06559a46602b7b453e2a2b4831c74caffbedba3b9363

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
93KB

MD5
70a3707247e963a669b7e6d8f465bc8e

SHA1
df40d9c5ab1af2552dec2410cb99ce446f5cd41d

SHA256
80fbe7b1df7ccea67726108b272e615277a41dd5f1c59d3ea6aed061750ed8c8

SHA512
420e0aa9083d61143af67651130ea7cb452d2e48ce71e3c496cf6668060a12bae78ae9ab08e4e3d1f8fa06559a46602b7b453e2a2b4831c74caffbedba3b9363

Download Submit
memory/60-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/644-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1168-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1188-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1200-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1324-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1344-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1372-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1428-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1448-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1452-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1456-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1712-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1780-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1828-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1924-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2112-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2124-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2224-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2460-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2712-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2892-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2936-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3316-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3396-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3488-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3492-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3556-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3596-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3648-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3716-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3916-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3964-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4028-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4208-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4228-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4240-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4280-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4360-447-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4420-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4428-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4684-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4740-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4808-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4812-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4912-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4932-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4972-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5016-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5104-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5116-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads