09e27817ba8f3b75a6cae7e8f66ecfd524058a522923fd90ac0fe7e821935ea7

Analysis

max time kernel
96s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
Size

8.4MB
MD5

b49d9f89f345aa7d9fe52ecc8aeba870
SHA1

4c83772de80fdfa25dfbe56fd975a9dac66af994
SHA256

09e27817ba8f3b75a6cae7e8f66ecfd524058a522923fd90ac0fe7e821935ea7
SHA512

e820c696a90ce86ee2abf78907d11df2ae3d13d0e7e750ca581668f1cabde2d2490bb7ee9d3293b88c5ffe5ee81c580c255041e9f68b28be307cf6a7808183c7
SSDEEP

196608:UaSHFaZRBEYyqmS2DiHPKQgwUgUjvho4wzlF65i6YxE+a6Y:UaSHFaZRBEYyqmS2DiHPKQg3jvZwNVOV

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocefm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfobp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcjqgnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amfobp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjkaabc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgeakekd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjkaabc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcfggkac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Conanfli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocefm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nglhld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaplqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcjqgnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nglhld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfcipoo.exe

Malware Backdoor - Berbew 44 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0008000000022cd0-7.dat	family_berbew
behavioral2/files/0x0008000000022cd0-8.dat	family_berbew
behavioral2/files/0x0006000000022cf4-15.dat	family_berbew
behavioral2/files/0x0006000000022cf4-16.dat	family_berbew
behavioral2/files/0x0006000000022cf7-23.dat	family_berbew
behavioral2/files/0x0006000000022cf7-24.dat	family_berbew
behavioral2/files/0x0006000000022cfc-31.dat	family_berbew
behavioral2/files/0x0006000000022cfc-33.dat	family_berbew
behavioral2/files/0x0006000000022d02-39.dat	family_berbew
behavioral2/files/0x0006000000022d02-40.dat	family_berbew
behavioral2/files/0x0007000000022d06-48.dat	family_berbew
behavioral2/files/0x0007000000022d06-47.dat	family_berbew
behavioral2/files/0x0007000000022cfe-56.dat	family_berbew
behavioral2/files/0x0007000000022cfe-55.dat	family_berbew
behavioral2/files/0x0007000000022d00-64.dat	family_berbew
behavioral2/files/0x0007000000022d00-63.dat	family_berbew
behavioral2/files/0x0003000000022308-72.dat	family_berbew
behavioral2/files/0x0008000000022d09-79.dat	family_berbew
behavioral2/files/0x0008000000022d09-78.dat	family_berbew
behavioral2/files/0x0003000000022308-71.dat	family_berbew
behavioral2/files/0x0006000000022d0b-85.dat	family_berbew
behavioral2/files/0x0006000000022d0b-86.dat	family_berbew
behavioral2/files/0x0002000000022307-90.dat	family_berbew
behavioral2/files/0x0002000000022307-95.dat	family_berbew
behavioral2/files/0x0002000000022307-97.dat	family_berbew
behavioral2/files/0x0008000000022bf7-105.dat	family_berbew
behavioral2/files/0x0006000000022d11-106.dat	family_berbew
behavioral2/files/0x0008000000022bf7-104.dat	family_berbew
behavioral2/files/0x0006000000022d11-112.dat	family_berbew
behavioral2/files/0x0006000000022d11-114.dat	family_berbew
behavioral2/files/0x0008000000022d0e-128.dat	family_berbew
behavioral2/files/0x0008000000022d0e-130.dat	family_berbew
behavioral2/files/0x0007000000022d13-139.dat	family_berbew
behavioral2/files/0x0007000000022d13-141.dat	family_berbew
behavioral2/files/0x0006000000022d15-148.dat	family_berbew
behavioral2/files/0x0006000000022d15-147.dat	family_berbew
behavioral2/files/0x0006000000022d17-156.dat	family_berbew
behavioral2/files/0x0006000000022d17-157.dat	family_berbew
behavioral2/files/0x0006000000022d19-165.dat	family_berbew
behavioral2/files/0x0006000000022d19-164.dat	family_berbew
behavioral2/files/0x0006000000022d1b-174.dat	family_berbew
behavioral2/files/0x0006000000022d1b-175.dat	family_berbew
behavioral2/files/0x0006000000022d1d-182.dat	family_berbew
behavioral2/files/0x0006000000022d1d-183.dat	family_berbew

Executes dropped EXE 21 IoCs

pid	Process
4976	Iebngial.exe
3392	Jocefm32.exe
648	Jcfggkac.exe
5112	Lljklo32.exe
2540	Mjjkaabc.exe
2596	Mgeakekd.exe
3616	Nglhld32.exe
2512	Oaplqh32.exe
916	Phfcipoo.exe
3268	Qfmmplad.exe
2752	Aphnnafb.exe
1808	Conanfli.exe
4016	Fqgedh32.exe
3948	Ibcjqgnm.exe
4812	Amfobp32.exe
4872	Aalmimfd.exe
3780	Bagmdllg.exe
3564	Dkedonpo.exe
400	Ejagaj32.exe
5068	Fnjocf32.exe
4704	Gbmadd32.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mjjkaabc.exe	Lljklo32.exe
File opened for modification	C:\Windows\SysWOW64\Nglhld32.exe	Mgeakekd.exe
File opened for modification	C:\Windows\SysWOW64\Qfmmplad.exe	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Amfobp32.exe	Ibcjqgnm.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Ibcbfe32.dll	Jocefm32.exe
File opened for modification	C:\Windows\SysWOW64\Conanfli.exe	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Qmofmb32.dll	Dkedonpo.exe
File created	C:\Windows\SysWOW64\Conanfli.exe	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Fnjocf32.exe	Ejagaj32.exe
File opened for modification	C:\Windows\SysWOW64\Fqgedh32.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Bfcklp32.dll	Conanfli.exe
File created	C:\Windows\SysWOW64\Fmbgla32.dll	Qfmmplad.exe
File opened for modification	C:\Windows\SysWOW64\Lljklo32.exe	Jcfggkac.exe
File opened for modification	C:\Windows\SysWOW64\Mgeakekd.exe	Mjjkaabc.exe
File opened for modification	C:\Windows\SysWOW64\Phfcipoo.exe	Oaplqh32.exe
File opened for modification	C:\Windows\SysWOW64\Dkedonpo.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Iebngial.exe	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Ejagaj32.exe	Dkedonpo.exe
File created	C:\Windows\SysWOW64\Phfcipoo.exe	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Hehhjm32.dll	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Qfmmplad.exe	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Jcfggkac.exe	Jocefm32.exe
File created	C:\Windows\SysWOW64\Mnokgcbe.dll	Nglhld32.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Fopjdidn.dll	Mjjkaabc.exe
File created	C:\Windows\SysWOW64\Mjjkaabc.exe	Lljklo32.exe
File created	C:\Windows\SysWOW64\Mgeakekd.exe	Mjjkaabc.exe
File created	C:\Windows\SysWOW64\Dkedonpo.exe	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Ejagaj32.exe	Dkedonpo.exe
File opened for modification	C:\Windows\SysWOW64\Iebngial.exe	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
File created	C:\Windows\SysWOW64\Hikemehi.dll	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Ibcjqgnm.exe	Fqgedh32.exe
File opened for modification	C:\Windows\SysWOW64\Ibcjqgnm.exe	Fqgedh32.exe
File created	C:\Windows\SysWOW64\Amfobp32.exe	Ibcjqgnm.exe
File opened for modification	C:\Windows\SysWOW64\Aalmimfd.exe	Amfobp32.exe
File created	C:\Windows\SysWOW64\Bagmdllg.exe	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Hebqnm32.dll	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
File created	C:\Windows\SysWOW64\Gfchag32.dll	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Oaplqh32.exe	Nglhld32.exe
File created	C:\Windows\SysWOW64\Gemdebha.dll	Jcfggkac.exe
File created	C:\Windows\SysWOW64\Bkncfepb.dll	Lljklo32.exe
File created	C:\Windows\SysWOW64\Godcje32.dll	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Aphnnafb.exe	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Iplfokdm.dll	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Jocefm32.exe	Iebngial.exe
File created	C:\Windows\SysWOW64\Lljklo32.exe	Jcfggkac.exe
File created	C:\Windows\SysWOW64\Inpoggcb.dll	Ibcjqgnm.exe
File created	C:\Windows\SysWOW64\Jcfggkac.exe	Jocefm32.exe
File opened for modification	C:\Windows\SysWOW64\Oaplqh32.exe	Nglhld32.exe
File opened for modification	C:\Windows\SysWOW64\Aphnnafb.exe	Qfmmplad.exe
File opened for modification	C:\Windows\SysWOW64\Fnjocf32.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Fkngke32.dll	Iebngial.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Jocefm32.exe	Iebngial.exe
File created	C:\Windows\SysWOW64\Pbhafkok.dll	Mgeakekd.exe
File created	C:\Windows\SysWOW64\Fqgedh32.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Hokomfqg.dll	Fqgedh32.exe
File created	C:\Windows\SysWOW64\Aalmimfd.exe	Amfobp32.exe
File created	C:\Windows\SysWOW64\Dccfkp32.dll	Amfobp32.exe
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Nglhld32.exe	Mgeakekd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2536	4704	WerFault.exe	113

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nglhld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibcjqgnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmofmb32.dll"	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll"	Nglhld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfkp32.dll"	Amfobp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjkaabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjkaabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhafkok.dll"	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokomfqg.dll"	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkngke32.dll"	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcbfe32.dll"	Jocefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbgla32.dll"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibcjqgnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfokdm.dll"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll"	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jocefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amfobp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkncfepb.dll"	Lljklo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemdebha.dll"	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgeakekd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcklp32.dll"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjdidn.dll"	Mjjkaabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpoggcb.dll"	Ibcjqgnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nglhld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amfobp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebqnm32.dll"	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jocefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Fnjocf32.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 4976	2404	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe	87
PID 2404 wrote to memory of 4976	2404	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe	87
PID 2404 wrote to memory of 4976	2404	NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe	87
PID 4976 wrote to memory of 3392	4976	Iebngial.exe	89
PID 4976 wrote to memory of 3392	4976	Iebngial.exe	89
PID 4976 wrote to memory of 3392	4976	Iebngial.exe	89
PID 3392 wrote to memory of 648	3392	Jocefm32.exe	91
PID 3392 wrote to memory of 648	3392	Jocefm32.exe	91
PID 3392 wrote to memory of 648	3392	Jocefm32.exe	91
PID 648 wrote to memory of 5112	648	Jcfggkac.exe	92
PID 648 wrote to memory of 5112	648	Jcfggkac.exe	92
PID 648 wrote to memory of 5112	648	Jcfggkac.exe	92
PID 5112 wrote to memory of 2540	5112	Lljklo32.exe	95
PID 5112 wrote to memory of 2540	5112	Lljklo32.exe	95
PID 5112 wrote to memory of 2540	5112	Lljklo32.exe	95
PID 2540 wrote to memory of 2596	2540	Mjjkaabc.exe	96
PID 2540 wrote to memory of 2596	2540	Mjjkaabc.exe	96
PID 2540 wrote to memory of 2596	2540	Mjjkaabc.exe	96
PID 2596 wrote to memory of 3616	2596	Mgeakekd.exe	97
PID 2596 wrote to memory of 3616	2596	Mgeakekd.exe	97
PID 2596 wrote to memory of 3616	2596	Mgeakekd.exe	97
PID 3616 wrote to memory of 2512	3616	Nglhld32.exe	98
PID 3616 wrote to memory of 2512	3616	Nglhld32.exe	98
PID 3616 wrote to memory of 2512	3616	Nglhld32.exe	98
PID 2512 wrote to memory of 916	2512	Oaplqh32.exe	99
PID 2512 wrote to memory of 916	2512	Oaplqh32.exe	99
PID 2512 wrote to memory of 916	2512	Oaplqh32.exe	99
PID 916 wrote to memory of 3268	916	Phfcipoo.exe	100
PID 916 wrote to memory of 3268	916	Phfcipoo.exe	100
PID 916 wrote to memory of 3268	916	Phfcipoo.exe	100
PID 3268 wrote to memory of 2752	3268	Qfmmplad.exe	101
PID 3268 wrote to memory of 2752	3268	Qfmmplad.exe	101
PID 3268 wrote to memory of 2752	3268	Qfmmplad.exe	101
PID 2752 wrote to memory of 1808	2752	Aphnnafb.exe	102
PID 2752 wrote to memory of 1808	2752	Aphnnafb.exe	102
PID 2752 wrote to memory of 1808	2752	Aphnnafb.exe	102
PID 1808 wrote to memory of 4016	1808	Conanfli.exe	103
PID 1808 wrote to memory of 4016	1808	Conanfli.exe	103
PID 1808 wrote to memory of 4016	1808	Conanfli.exe	103
PID 4016 wrote to memory of 3948	4016	Fqgedh32.exe	104
PID 4016 wrote to memory of 3948	4016	Fqgedh32.exe	104
PID 4016 wrote to memory of 3948	4016	Fqgedh32.exe	104
PID 3948 wrote to memory of 4812	3948	Ibcjqgnm.exe	105
PID 3948 wrote to memory of 4812	3948	Ibcjqgnm.exe	105
PID 3948 wrote to memory of 4812	3948	Ibcjqgnm.exe	105
PID 4812 wrote to memory of 4872	4812	Amfobp32.exe	106
PID 4812 wrote to memory of 4872	4812	Amfobp32.exe	106
PID 4812 wrote to memory of 4872	4812	Amfobp32.exe	106
PID 4872 wrote to memory of 3780	4872	Aalmimfd.exe	107
PID 4872 wrote to memory of 3780	4872	Aalmimfd.exe	107
PID 4872 wrote to memory of 3780	4872	Aalmimfd.exe	107
PID 3780 wrote to memory of 3564	3780	Bagmdllg.exe	110
PID 3780 wrote to memory of 3564	3780	Bagmdllg.exe	110
PID 3780 wrote to memory of 3564	3780	Bagmdllg.exe	110
PID 3564 wrote to memory of 400	3564	Dkedonpo.exe	111
PID 3564 wrote to memory of 400	3564	Dkedonpo.exe	111
PID 3564 wrote to memory of 400	3564	Dkedonpo.exe	111
PID 400 wrote to memory of 5068	400	Ejagaj32.exe	112
PID 400 wrote to memory of 5068	400	Ejagaj32.exe	112
PID 400 wrote to memory of 5068	400	Ejagaj32.exe	112
PID 5068 wrote to memory of 4704	5068	Fnjocf32.exe	113
PID 5068 wrote to memory of 4704	5068	Fnjocf32.exe	113
PID 5068 wrote to memory of 4704	5068	Fnjocf32.exe	113

C:\Users\Admin\AppData\Local\Temp\NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b49d9f89f345aa7d9fe52ecc8aeba870.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\Iebngial.exe
  C:\Windows\system32\Iebngial.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\Jocefm32.exe
    C:\Windows\system32\Jocefm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\SysWOW64\Jcfggkac.exe
      C:\Windows\system32\Jcfggkac.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:648
    - - C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        22⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 400
        23⤵
        Program crash
        
        PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4704 -ip 4704
1⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
8.4MB

MD5
8c356964d7512d0d82a3c5a178c32955

SHA1
e76849119e3ccc7152437777f7f3f2441c7bec29

SHA256
9255d1e67a19b4010153264af50de09b7143bc56f6061b7bebb9a075d567171d

SHA512
3bcc0f57e2da9b8dabacf69b0d7ba28589921c2ee2d85aa120b44d4434fb14c54c65f8c873e551bc48b57457c0eef28590fd85afdbf2899e40b73c497fe55310

Download Submit
C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
8.4MB

MD5
8c356964d7512d0d82a3c5a178c32955

SHA1
e76849119e3ccc7152437777f7f3f2441c7bec29

SHA256
9255d1e67a19b4010153264af50de09b7143bc56f6061b7bebb9a075d567171d

SHA512
3bcc0f57e2da9b8dabacf69b0d7ba28589921c2ee2d85aa120b44d4434fb14c54c65f8c873e551bc48b57457c0eef28590fd85afdbf2899e40b73c497fe55310

Download Submit
C:\Windows\SysWOW64\Amfobp32.exe

Filesize
8.4MB

MD5
9a57846cfc7812a37cad6328a6c7ea36

SHA1
550440b2d70eba50bded20d9f6a8808e8ec97995

SHA256
dda162e6ac03c643705ae2e0c29acf966dc65083f3e9f529e1991f6dba84bc6b

SHA512
138758862bb212ba237be57e92c849e7b2c2eb64c95006639ff6f5738d0bf92116ae5b0cf1e1cd74b21e2fce3f1bc2afee77dc1b334342d085b0c67c84aa7fa1

Download Submit
C:\Windows\SysWOW64\Amfobp32.exe

Filesize
8.4MB

MD5
9a57846cfc7812a37cad6328a6c7ea36

SHA1
550440b2d70eba50bded20d9f6a8808e8ec97995

SHA256
dda162e6ac03c643705ae2e0c29acf966dc65083f3e9f529e1991f6dba84bc6b

SHA512
138758862bb212ba237be57e92c849e7b2c2eb64c95006639ff6f5738d0bf92116ae5b0cf1e1cd74b21e2fce3f1bc2afee77dc1b334342d085b0c67c84aa7fa1

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
8.4MB

MD5
568dfc72477e60992bfbc5ca4a162296

SHA1
06cdd9e471f1a373f3d086b5f43a6433190f3122

SHA256
edd3709e9d8eac8aa86b5379cc6362b3860fd802ef0884473f0d0f252991c964

SHA512
7a142f9144c8bc2299cf2ba8881384842e88850686572da20c1ebb471611c5358a5679191a3fd97a0e3193202c82bcdee1c8946307695de3c524eca22541cbe3

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
8.4MB

MD5
568dfc72477e60992bfbc5ca4a162296

SHA1
06cdd9e471f1a373f3d086b5f43a6433190f3122

SHA256
edd3709e9d8eac8aa86b5379cc6362b3860fd802ef0884473f0d0f252991c964

SHA512
7a142f9144c8bc2299cf2ba8881384842e88850686572da20c1ebb471611c5358a5679191a3fd97a0e3193202c82bcdee1c8946307695de3c524eca22541cbe3

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
8.4MB

MD5
cb6dd5f8725aa5039f5a94f4c107c797

SHA1
860fcddd3bb419788402b150b51d909c63dea3e8

SHA256
2a309c3bdecb6ebeb98e7ba19060773afe397d46ac5936397b0da1756690a99f

SHA512
81848b3ac685ad4ee761300b81e7a6ebfc3599a974538851f15e53e47634cb40595813c07be197aed16e6bd320d08c88a711174495d2d99a04323373f64209a4

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
8.4MB

MD5
cb6dd5f8725aa5039f5a94f4c107c797

SHA1
860fcddd3bb419788402b150b51d909c63dea3e8

SHA256
2a309c3bdecb6ebeb98e7ba19060773afe397d46ac5936397b0da1756690a99f

SHA512
81848b3ac685ad4ee761300b81e7a6ebfc3599a974538851f15e53e47634cb40595813c07be197aed16e6bd320d08c88a711174495d2d99a04323373f64209a4

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
8.4MB

MD5
499224caa6865bb86e97d3c8cc34964e

SHA1
cbb7623df30339c1f1350f8fddb48aaa86b39381

SHA256
4e34b0eced9e3948466c98523c7d721d0cfec0ccba3889576bfc2de09e375d4b

SHA512
fd1f627ab33231f121dac0387e958cfa0be3dae64e023b7c57da6110877842b832fee7715ccb1cfdde133dceb43ca3a24bb8aead412d5bc02a76d766f59e462e

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
8.4MB

MD5
499224caa6865bb86e97d3c8cc34964e

SHA1
cbb7623df30339c1f1350f8fddb48aaa86b39381

SHA256
4e34b0eced9e3948466c98523c7d721d0cfec0ccba3889576bfc2de09e375d4b

SHA512
fd1f627ab33231f121dac0387e958cfa0be3dae64e023b7c57da6110877842b832fee7715ccb1cfdde133dceb43ca3a24bb8aead412d5bc02a76d766f59e462e

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
8.4MB

MD5
499224caa6865bb86e97d3c8cc34964e

SHA1
cbb7623df30339c1f1350f8fddb48aaa86b39381

SHA256
4e34b0eced9e3948466c98523c7d721d0cfec0ccba3889576bfc2de09e375d4b

SHA512
fd1f627ab33231f121dac0387e958cfa0be3dae64e023b7c57da6110877842b832fee7715ccb1cfdde133dceb43ca3a24bb8aead412d5bc02a76d766f59e462e

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
8.4MB

MD5
4a81ac46c51df85d83efb09d53bb99fe

SHA1
32b6b231eb927227f48fb58360496ff0b020fda2

SHA256
b0d6f4c3fc8251a25dd0daaee6c2f061dc61730f827d557ecc706edbc3322c90

SHA512
d6a7af7c297f08ebe4caf10f8396afb38cf7f831ba3c991bb8da3e2aea215e1d464a7d80977014d5d13c982d33b8a4fd4a545900e3fd0f6343533a85f5cae1f3

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
8.4MB

MD5
4a81ac46c51df85d83efb09d53bb99fe

SHA1
32b6b231eb927227f48fb58360496ff0b020fda2

SHA256
b0d6f4c3fc8251a25dd0daaee6c2f061dc61730f827d557ecc706edbc3322c90

SHA512
d6a7af7c297f08ebe4caf10f8396afb38cf7f831ba3c991bb8da3e2aea215e1d464a7d80977014d5d13c982d33b8a4fd4a545900e3fd0f6343533a85f5cae1f3

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
8.4MB

MD5
3e612feb064174d6ba425b188f366202

SHA1
66a105d5b07b49386fce6cf405497e68308a1657

SHA256
338e56e90421cc34acb3582ea78fadec13f80e8615c4280f9cb95c3b0114c6e5

SHA512
5f2fe9a1ed52f683b117b17a5e30866e748d4fce0f48d3088f6e18981cb70fb633eb49b7826b316dc506a7be795b66a17a6da315dffec2f87a260e99b28ad85e

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
8.4MB

MD5
3e612feb064174d6ba425b188f366202

SHA1
66a105d5b07b49386fce6cf405497e68308a1657

SHA256
338e56e90421cc34acb3582ea78fadec13f80e8615c4280f9cb95c3b0114c6e5

SHA512
5f2fe9a1ed52f683b117b17a5e30866e748d4fce0f48d3088f6e18981cb70fb633eb49b7826b316dc506a7be795b66a17a6da315dffec2f87a260e99b28ad85e

Download Submit
C:\Windows\SysWOW64\Fnjocf32.exe

Filesize
8.4MB

MD5
8b9e613584d22631190de6982e70ccb5

SHA1
1b50b379cdf4457daf5861f0b9157764c4851c9f

SHA256
a59e9d4999a947564d8596f3b20633fc97b11627b1869125c09cbd7014c77bd0

SHA512
066caccf689d5b39f379042c367dab9ff40622b8d7d4ebc9be453784bfdc3ea01af2edaeacad1439e0a8788b0f691ed75a97bac4c6317569898f257f63e07db7

Download Submit
C:\Windows\SysWOW64\Fnjocf32.exe

Filesize
8.4MB

MD5
8b9e613584d22631190de6982e70ccb5

SHA1
1b50b379cdf4457daf5861f0b9157764c4851c9f

SHA256
a59e9d4999a947564d8596f3b20633fc97b11627b1869125c09cbd7014c77bd0

SHA512
066caccf689d5b39f379042c367dab9ff40622b8d7d4ebc9be453784bfdc3ea01af2edaeacad1439e0a8788b0f691ed75a97bac4c6317569898f257f63e07db7

Download Submit
C:\Windows\SysWOW64\Fqgedh32.exe

Filesize
8.4MB

MD5
93594950e91f11e6b6c90dae21b01571

SHA1
5faa2e2ba1f43b4636d18d3468abce6eee718462

SHA256
a60614e9245240d582c9b10933d8ab55987937fe7e2116b714b9dcb331ac12cf

SHA512
e6e1da68c86ad15e53533dfeb503d6d415bf046c6508a447176cb1546994022dfcb50e1b4628ab128c878373de039a9e1820c579bf9648c24d5066b5bb51055c

Download Submit
C:\Windows\SysWOW64\Fqgedh32.exe

Filesize
8.4MB

MD5
93594950e91f11e6b6c90dae21b01571

SHA1
5faa2e2ba1f43b4636d18d3468abce6eee718462

SHA256
a60614e9245240d582c9b10933d8ab55987937fe7e2116b714b9dcb331ac12cf

SHA512
e6e1da68c86ad15e53533dfeb503d6d415bf046c6508a447176cb1546994022dfcb50e1b4628ab128c878373de039a9e1820c579bf9648c24d5066b5bb51055c

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
8.4MB

MD5
41aba4c8a87ed2613a4c51c803893d16

SHA1
a3f6b34ff29bcb7a31aeb9fd20ab98cc2e4b517b

SHA256
aaa528855a4b70360e9f77c713f4c5d64efea1e8bc004e00234ca954b465fa90

SHA512
2ce0ff93c4ba4af6fe351799a8b3cda19ce5e01756911466e8c7b8fafa9bafe95f4a85f7110cbe41d4e10770504d69306978331b35d1cd63355631e553cd6830

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
8.4MB

MD5
41aba4c8a87ed2613a4c51c803893d16

SHA1
a3f6b34ff29bcb7a31aeb9fd20ab98cc2e4b517b

SHA256
aaa528855a4b70360e9f77c713f4c5d64efea1e8bc004e00234ca954b465fa90

SHA512
2ce0ff93c4ba4af6fe351799a8b3cda19ce5e01756911466e8c7b8fafa9bafe95f4a85f7110cbe41d4e10770504d69306978331b35d1cd63355631e553cd6830

Download Submit
C:\Windows\SysWOW64\Ibcjqgnm.exe

Filesize
8.4MB

MD5
67fe45d59df7d6d8f28e8724f09e8171

SHA1
778e2443ea48f9626fa3802844f376f2d633ddcd

SHA256
7a7136bbd5b24d0e09de903f771d6830546bbeffb2110a79e1e8996526a0c342

SHA512
522a8639354b273f4f7ceb4cdca176dad7ed8c4db2fbccc47f6cc01e71ccadc68f48b4d1260d7688002ab08ed22ba224091f43471287757f9757a7afd57615a8

Download Submit
C:\Windows\SysWOW64\Ibcjqgnm.exe

Filesize
8.4MB

MD5
67fe45d59df7d6d8f28e8724f09e8171

SHA1
778e2443ea48f9626fa3802844f376f2d633ddcd

SHA256
7a7136bbd5b24d0e09de903f771d6830546bbeffb2110a79e1e8996526a0c342

SHA512
522a8639354b273f4f7ceb4cdca176dad7ed8c4db2fbccc47f6cc01e71ccadc68f48b4d1260d7688002ab08ed22ba224091f43471287757f9757a7afd57615a8

Download Submit
C:\Windows\SysWOW64\Ibcjqgnm.exe

Filesize
8.4MB

MD5
67fe45d59df7d6d8f28e8724f09e8171

SHA1
778e2443ea48f9626fa3802844f376f2d633ddcd

SHA256
7a7136bbd5b24d0e09de903f771d6830546bbeffb2110a79e1e8996526a0c342

SHA512
522a8639354b273f4f7ceb4cdca176dad7ed8c4db2fbccc47f6cc01e71ccadc68f48b4d1260d7688002ab08ed22ba224091f43471287757f9757a7afd57615a8

Download Submit
C:\Windows\SysWOW64\Iebngial.exe

Filesize
8.4MB

MD5
4b786fe76107199f28a67e370f10e6bc

SHA1
672e8edd538362610f9b199863bedab2ced1bada

SHA256
e45669c26a7ec793d8bc11cbd6ec5a7d6e05552c04d4f93a723a5b20f03c9d85

SHA512
c65cc3bf951ff05a1f5b012c60c628f2cee9950b694270afddb5435b8c897378ccd9fcd73312a525f782fa52115309a41f8f4502566f689e40f9fbc77c0ac410

Download Submit
C:\Windows\SysWOW64\Iebngial.exe

Filesize
8.4MB

MD5
4b786fe76107199f28a67e370f10e6bc

SHA1
672e8edd538362610f9b199863bedab2ced1bada

SHA256
e45669c26a7ec793d8bc11cbd6ec5a7d6e05552c04d4f93a723a5b20f03c9d85

SHA512
c65cc3bf951ff05a1f5b012c60c628f2cee9950b694270afddb5435b8c897378ccd9fcd73312a525f782fa52115309a41f8f4502566f689e40f9fbc77c0ac410

Download Submit
C:\Windows\SysWOW64\Jcfggkac.exe

Filesize
8.4MB

MD5
66e26be8cec2257bdf08d3f62d328030

SHA1
6fb5e998f24e76544b21a711f34d86b15fea4066

SHA256
f5786107f4d2c8b045c10198045669ac98a49caa5cfd30f897c14a90f1d3d191

SHA512
a48a3225bf0c730e6cf21a1329e14975eb6548e39a69a9a36f379479254c2b4fc705ad0fa98313ccbbf393912f477cf0d664715e8189a02c199a2ea336e82e11

Download Submit
C:\Windows\SysWOW64\Jcfggkac.exe

Filesize
8.4MB

MD5
66e26be8cec2257bdf08d3f62d328030

SHA1
6fb5e998f24e76544b21a711f34d86b15fea4066

SHA256
f5786107f4d2c8b045c10198045669ac98a49caa5cfd30f897c14a90f1d3d191

SHA512
a48a3225bf0c730e6cf21a1329e14975eb6548e39a69a9a36f379479254c2b4fc705ad0fa98313ccbbf393912f477cf0d664715e8189a02c199a2ea336e82e11

Download Submit
C:\Windows\SysWOW64\Jocefm32.exe

Filesize
8.4MB

MD5
ffb5932fa52b69eeb396c2b4e8633b6e

SHA1
9872b338cb9ae5fc5f422edecf8f29d246de697f

SHA256
c5aff3d35751ec49da5b5a1ec62deb9f7939334c5f98855bd3b8a6f63c1cccd3

SHA512
63487da7a8f51bca89238ee00d0ce130b27cbee123ce1329e41cc7a47b2e9277122e0029e3e2c6fca0754a8bf12fd7af88d18fa3a4cc9928c8cae738450da9f7

Download Submit
C:\Windows\SysWOW64\Jocefm32.exe

Filesize
8.4MB

MD5
ffb5932fa52b69eeb396c2b4e8633b6e

SHA1
9872b338cb9ae5fc5f422edecf8f29d246de697f

SHA256
c5aff3d35751ec49da5b5a1ec62deb9f7939334c5f98855bd3b8a6f63c1cccd3

SHA512
63487da7a8f51bca89238ee00d0ce130b27cbee123ce1329e41cc7a47b2e9277122e0029e3e2c6fca0754a8bf12fd7af88d18fa3a4cc9928c8cae738450da9f7

Download Submit
C:\Windows\SysWOW64\Lljklo32.exe

Filesize
8.4MB

MD5
3126606e6e864e5d986c528a36af8b1b

SHA1
ecae508a121f3bc515c88d5d058582571311f612

SHA256
d9ad37d819d76c3ef68421f89599b74a84cd8a2ad93441c49b0771b2838b9ecf

SHA512
cffd27d09f8c82639eb77740d279d0aa6aaab27586e51fe511bd90049f2f9643f253d686af203d9008dd34d3996edac93b3f8db8ad6e0d2a51349f4544730ef3

Download Submit
C:\Windows\SysWOW64\Lljklo32.exe

Filesize
8.4MB

MD5
3126606e6e864e5d986c528a36af8b1b

SHA1
ecae508a121f3bc515c88d5d058582571311f612

SHA256
d9ad37d819d76c3ef68421f89599b74a84cd8a2ad93441c49b0771b2838b9ecf

SHA512
cffd27d09f8c82639eb77740d279d0aa6aaab27586e51fe511bd90049f2f9643f253d686af203d9008dd34d3996edac93b3f8db8ad6e0d2a51349f4544730ef3

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
8.4MB

MD5
128e4cc126139e506330d14f834e3daa

SHA1
01c7cbd663134b7cd060e06674f4fa106954de15

SHA256
4d4dc7e1d20c367da4d7dee8250c15162c51442ee1ddb43a401b3a1576fb7bcb

SHA512
854964b5736f0805c027f9e28e893557c93909a6bd55a23be5988629d3327b5c530c67997fd15399f15020c7c6642b0d4ff13312a522fa33681802150cc41e71

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
8.4MB

MD5
128e4cc126139e506330d14f834e3daa

SHA1
01c7cbd663134b7cd060e06674f4fa106954de15

SHA256
4d4dc7e1d20c367da4d7dee8250c15162c51442ee1ddb43a401b3a1576fb7bcb

SHA512
854964b5736f0805c027f9e28e893557c93909a6bd55a23be5988629d3327b5c530c67997fd15399f15020c7c6642b0d4ff13312a522fa33681802150cc41e71

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
8.4MB

MD5
122b3fa0921315901913651d3e2ec9a8

SHA1
1ef71989ef5f85b1c46e1e74afc8dd3dc232a800

SHA256
5f5d9b20777005bd0f0fa7419de086dc1b98c2ea83ce41f2397f748907ac11bd

SHA512
33dbcab3572a0f03db130433063f2d079179be33a58a4c9ca8b381b688231f16501e703762fbabf2d04cc81566e3d9ac855aa5b95874978c3b0bfa5dccaf959e

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
8.4MB

MD5
122b3fa0921315901913651d3e2ec9a8

SHA1
1ef71989ef5f85b1c46e1e74afc8dd3dc232a800

SHA256
5f5d9b20777005bd0f0fa7419de086dc1b98c2ea83ce41f2397f748907ac11bd

SHA512
33dbcab3572a0f03db130433063f2d079179be33a58a4c9ca8b381b688231f16501e703762fbabf2d04cc81566e3d9ac855aa5b95874978c3b0bfa5dccaf959e

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
8.4MB

MD5
96e6b958475480a5e39b472ed0643a30

SHA1
76c2c54db8ca284bb45566e062241615f3d208ad

SHA256
100cc373983a0f7b53cefcc58c395817658deb8877e2418483403dcafc34c566

SHA512
60b2bb89373e51b4c6fbb6ab7c4415bfa0fdcacefe6e5bf13933f3d8b32cd7ec3e9635e2deb97c6f0ec9952ba7ba018e3b8b4ca5ca6a023bdbadf0cf3eb833b7

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
8.4MB

MD5
96e6b958475480a5e39b472ed0643a30

SHA1
76c2c54db8ca284bb45566e062241615f3d208ad

SHA256
100cc373983a0f7b53cefcc58c395817658deb8877e2418483403dcafc34c566

SHA512
60b2bb89373e51b4c6fbb6ab7c4415bfa0fdcacefe6e5bf13933f3d8b32cd7ec3e9635e2deb97c6f0ec9952ba7ba018e3b8b4ca5ca6a023bdbadf0cf3eb833b7

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
8.4MB

MD5
6d13421f57366a789a845fcf685780a0

SHA1
7c0dd739c48fec2d0c11dfc5bbd4ebbaabf47a72

SHA256
17c018cf7eaa50b306c33ec1758d26fde563b785419a46380d5488393f729373

SHA512
acc3ca5a46b0fe553d5e9f7fe9846288f3008f38b4380ea76ef07c5f14edc9ffafb41baa401f211063a71acec2401481e21f207e6dfe89c52bf85b61c23f1171

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
8.4MB

MD5
6d13421f57366a789a845fcf685780a0

SHA1
7c0dd739c48fec2d0c11dfc5bbd4ebbaabf47a72

SHA256
17c018cf7eaa50b306c33ec1758d26fde563b785419a46380d5488393f729373

SHA512
acc3ca5a46b0fe553d5e9f7fe9846288f3008f38b4380ea76ef07c5f14edc9ffafb41baa401f211063a71acec2401481e21f207e6dfe89c52bf85b61c23f1171

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
8.4MB

MD5
f9e1c3abefc256250f2f735e949c12e5

SHA1
2b2512cfccf087275bae3596bbafc2cb6a53067f

SHA256
44e8045620baed68a39886b23702b736ebb92fb81ea9ebd45029debea2370762

SHA512
1b66dfb1acee8994e3bd8983895911bcc8d84ed3deb9d69467021b9ec7290a721e76d097d2f3a511b9027d332f0cd1c97566a412d0c82d32a0481e167b12b988

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
8.4MB

MD5
f9e1c3abefc256250f2f735e949c12e5

SHA1
2b2512cfccf087275bae3596bbafc2cb6a53067f

SHA256
44e8045620baed68a39886b23702b736ebb92fb81ea9ebd45029debea2370762

SHA512
1b66dfb1acee8994e3bd8983895911bcc8d84ed3deb9d69467021b9ec7290a721e76d097d2f3a511b9027d332f0cd1c97566a412d0c82d32a0481e167b12b988

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
8.4MB

MD5
cc81d3050fd8502111bec6f8ca763ad3

SHA1
c43d7447ee009fbff7135a9dfb2adff97da9427d

SHA256
d9d7d6f9d4b9ac8db66f72a7ffc27118e1b88da8ea47b034ed656aab3284657a

SHA512
175ae44ffd4163e75a2d80f13080f8606239e792ece9f105f4a53ff4402ddec65d058ffd32e5f93eea6c587759898714df772d10f4411713c4d0a93441f8a55d

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
8.4MB

MD5
cc81d3050fd8502111bec6f8ca763ad3

SHA1
c43d7447ee009fbff7135a9dfb2adff97da9427d

SHA256
d9d7d6f9d4b9ac8db66f72a7ffc27118e1b88da8ea47b034ed656aab3284657a

SHA512
175ae44ffd4163e75a2d80f13080f8606239e792ece9f105f4a53ff4402ddec65d058ffd32e5f93eea6c587759898714df772d10f4411713c4d0a93441f8a55d

Download Submit
memory/400-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/648-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/648-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads