2a8398465e2d324bcd84662a91d249319fd4dd5561f74eeae6a59a1b5c490838

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.be54a2cc62532768cbee97db5738a5a0.exe
Size

45KB
MD5

be54a2cc62532768cbee97db5738a5a0
SHA1

ac91cac43c0bb15657f9113894e8327a51b97028
SHA256

2a8398465e2d324bcd84662a91d249319fd4dd5561f74eeae6a59a1b5c490838
SHA512

6228f4ffc7521c45247b049e55d9c07a0e573cbad7d0dba7b194f82db69eb363478e4800dab08ba509ca5a5485001732cf15196855fd557851f386e8637cd66e
SSDEEP

768:gAK9Z4PwWN7sIRLGC+KDD126WzwjXNd5bqp5btjDhiNAE7/1H5vV3:8aDwoKYbXjRqp5lDRcB5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.be54a2cc62532768cbee97db5738a5a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.be54a2cc62532768cbee97db5738a5a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe

Executes dropped EXE 27 IoCs

pid	Process
4424	Accfbokl.exe
2444	Bmkjkd32.exe
2876	Bcebhoii.exe
1220	Bjokdipf.exe
1764	Baicac32.exe
3040	Bgcknmop.exe
4116	Bnmcjg32.exe
4808	Bgehcmmm.exe
1108	Bjddphlq.exe
2268	Banllbdn.exe
4944	Bhhdil32.exe
4240	Bcoenmao.exe
3936	Cmgjgcgo.exe
1780	Cfpnph32.exe
1872	Cfbkeh32.exe
1000	Cagobalc.exe
4948	Cjpckf32.exe
2176	Cdhhdlid.exe
4968	Cffdpghg.exe
2300	Dejacond.exe
4852	Dobfld32.exe
1016	Delnin32.exe
2288	Dkifae32.exe
3956	Ddakjkqi.exe
4784	Dkkcge32.exe
880	Daekdooc.exe
4408	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	NEAS.be54a2cc62532768cbee97db5738a5a0.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	NEAS.be54a2cc62532768cbee97db5738a5a0.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	NEAS.be54a2cc62532768cbee97db5738a5a0.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4924	4408	WerFault.exe	114

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	NEAS.be54a2cc62532768cbee97db5738a5a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.be54a2cc62532768cbee97db5738a5a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.be54a2cc62532768cbee97db5738a5a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.be54a2cc62532768cbee97db5738a5a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.be54a2cc62532768cbee97db5738a5a0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 4424	2632	NEAS.be54a2cc62532768cbee97db5738a5a0.exe	85
PID 2632 wrote to memory of 4424	2632	NEAS.be54a2cc62532768cbee97db5738a5a0.exe	85
PID 2632 wrote to memory of 4424	2632	NEAS.be54a2cc62532768cbee97db5738a5a0.exe	85
PID 4424 wrote to memory of 2444	4424	Accfbokl.exe	86
PID 4424 wrote to memory of 2444	4424	Accfbokl.exe	86
PID 4424 wrote to memory of 2444	4424	Accfbokl.exe	86
PID 2444 wrote to memory of 2876	2444	Bmkjkd32.exe	87
PID 2444 wrote to memory of 2876	2444	Bmkjkd32.exe	87
PID 2444 wrote to memory of 2876	2444	Bmkjkd32.exe	87
PID 2876 wrote to memory of 1220	2876	Bcebhoii.exe	88
PID 2876 wrote to memory of 1220	2876	Bcebhoii.exe	88
PID 2876 wrote to memory of 1220	2876	Bcebhoii.exe	88
PID 1220 wrote to memory of 1764	1220	Bjokdipf.exe	89
PID 1220 wrote to memory of 1764	1220	Bjokdipf.exe	89
PID 1220 wrote to memory of 1764	1220	Bjokdipf.exe	89
PID 1764 wrote to memory of 3040	1764	Baicac32.exe	90
PID 1764 wrote to memory of 3040	1764	Baicac32.exe	90
PID 1764 wrote to memory of 3040	1764	Baicac32.exe	90
PID 3040 wrote to memory of 4116	3040	Bgcknmop.exe	91
PID 3040 wrote to memory of 4116	3040	Bgcknmop.exe	91
PID 3040 wrote to memory of 4116	3040	Bgcknmop.exe	91
PID 4116 wrote to memory of 4808	4116	Bnmcjg32.exe	93
PID 4116 wrote to memory of 4808	4116	Bnmcjg32.exe	93
PID 4116 wrote to memory of 4808	4116	Bnmcjg32.exe	93
PID 4808 wrote to memory of 1108	4808	Bgehcmmm.exe	96
PID 4808 wrote to memory of 1108	4808	Bgehcmmm.exe	96
PID 4808 wrote to memory of 1108	4808	Bgehcmmm.exe	96
PID 1108 wrote to memory of 2268	1108	Bjddphlq.exe	94
PID 1108 wrote to memory of 2268	1108	Bjddphlq.exe	94
PID 1108 wrote to memory of 2268	1108	Bjddphlq.exe	94
PID 2268 wrote to memory of 4944	2268	Banllbdn.exe	95
PID 2268 wrote to memory of 4944	2268	Banllbdn.exe	95
PID 2268 wrote to memory of 4944	2268	Banllbdn.exe	95
PID 4944 wrote to memory of 4240	4944	Bhhdil32.exe	97
PID 4944 wrote to memory of 4240	4944	Bhhdil32.exe	97
PID 4944 wrote to memory of 4240	4944	Bhhdil32.exe	97
PID 4240 wrote to memory of 3936	4240	Bcoenmao.exe	98
PID 4240 wrote to memory of 3936	4240	Bcoenmao.exe	98
PID 4240 wrote to memory of 3936	4240	Bcoenmao.exe	98
PID 3936 wrote to memory of 1780	3936	Cmgjgcgo.exe	99
PID 3936 wrote to memory of 1780	3936	Cmgjgcgo.exe	99
PID 3936 wrote to memory of 1780	3936	Cmgjgcgo.exe	99
PID 1780 wrote to memory of 1872	1780	Cfpnph32.exe	101
PID 1780 wrote to memory of 1872	1780	Cfpnph32.exe	101
PID 1780 wrote to memory of 1872	1780	Cfpnph32.exe	101
PID 1872 wrote to memory of 1000	1872	Cfbkeh32.exe	102
PID 1872 wrote to memory of 1000	1872	Cfbkeh32.exe	102
PID 1872 wrote to memory of 1000	1872	Cfbkeh32.exe	102
PID 1000 wrote to memory of 4948	1000	Cagobalc.exe	103
PID 1000 wrote to memory of 4948	1000	Cagobalc.exe	103
PID 1000 wrote to memory of 4948	1000	Cagobalc.exe	103
PID 4948 wrote to memory of 2176	4948	Cjpckf32.exe	104
PID 4948 wrote to memory of 2176	4948	Cjpckf32.exe	104
PID 4948 wrote to memory of 2176	4948	Cjpckf32.exe	104
PID 2176 wrote to memory of 4968	2176	Cdhhdlid.exe	105
PID 2176 wrote to memory of 4968	2176	Cdhhdlid.exe	105
PID 2176 wrote to memory of 4968	2176	Cdhhdlid.exe	105
PID 4968 wrote to memory of 2300	4968	Cffdpghg.exe	106
PID 4968 wrote to memory of 2300	4968	Cffdpghg.exe	106
PID 4968 wrote to memory of 2300	4968	Cffdpghg.exe	106
PID 2300 wrote to memory of 4852	2300	Dejacond.exe	108
PID 2300 wrote to memory of 4852	2300	Dejacond.exe	108
PID 2300 wrote to memory of 4852	2300	Dejacond.exe	108
PID 4852 wrote to memory of 1016	4852	Dobfld32.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.be54a2cc62532768cbee97db5738a5a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.be54a2cc62532768cbee97db5738a5a0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\Accfbokl.exe
  C:\Windows\system32\Accfbokl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\Bmkjkd32.exe
    C:\Windows\system32\Bmkjkd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\Bcebhoii.exe
      C:\Windows\system32\Bcebhoii.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
      - C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108

C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\Bhhdil32.exe
  C:\Windows\system32\Bhhdil32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SysWOW64\Bcoenmao.exe
    C:\Windows\system32\Bcoenmao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\SysWOW64\Cmgjgcgo.exe
      C:\Windows\system32\Cmgjgcgo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
      - C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        18⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 404
        19⤵
        Program crash
        
        PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4408 -ip 4408
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
45KB

MD5
c4bce7f9dfd9735de4713f4717b3ea17

SHA1
16ef06a4a794a4288d19b1a3c16f6d51e4eb1cee

SHA256
e3ae02f0c29582307b41baad8b8bba79bd68b981be7c2e9aa5c12c5dade0778e

SHA512
5327be02b9ff9e83f4be588e250f917d8e93529f76d809a79755835a04a3516346c805dedeba22b63866df69b0ae27cb0fb0eba7000e1c520c8cf9edeb2ed5c6

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
45KB

MD5
c4bce7f9dfd9735de4713f4717b3ea17

SHA1
16ef06a4a794a4288d19b1a3c16f6d51e4eb1cee

SHA256
e3ae02f0c29582307b41baad8b8bba79bd68b981be7c2e9aa5c12c5dade0778e

SHA512
5327be02b9ff9e83f4be588e250f917d8e93529f76d809a79755835a04a3516346c805dedeba22b63866df69b0ae27cb0fb0eba7000e1c520c8cf9edeb2ed5c6

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
45KB

MD5
fcd529ea41992ce4c2303a00885ca33e

SHA1
82d318adbc0caba0cb2d0ebd727bf1594f3c4099

SHA256
2eb1b6a8d4548a22d71a61393c335b7b8c7884bfd11ae2fa08328dfe26cf749c

SHA512
5c631cff1d9ab810276766b056b5fa037212a37c22db2fee6f3e719c6a393c68e5a354de2882f20770a1659f25b0a24a64dbfebdffd48f704a88db515fa1c0ce

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
45KB

MD5
fcd529ea41992ce4c2303a00885ca33e

SHA1
82d318adbc0caba0cb2d0ebd727bf1594f3c4099

SHA256
2eb1b6a8d4548a22d71a61393c335b7b8c7884bfd11ae2fa08328dfe26cf749c

SHA512
5c631cff1d9ab810276766b056b5fa037212a37c22db2fee6f3e719c6a393c68e5a354de2882f20770a1659f25b0a24a64dbfebdffd48f704a88db515fa1c0ce

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
45KB

MD5
589d1aeb30829965e6073b95928cf732

SHA1
78455d8bf51f20584d3f79d7a264a846deb3185d

SHA256
7d19a39864f2567bbac37144e216eba27fc2ae73329b555517b880b085f89be1

SHA512
4abf5d5844811253c6db008b52f014b3a6854423ea9dc38eee92da6952f25b8c051772efe8f226ec81e30ec0b227e5aa666848004746817b7bdbe34f391b7b7d

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
45KB

MD5
589d1aeb30829965e6073b95928cf732

SHA1
78455d8bf51f20584d3f79d7a264a846deb3185d

SHA256
7d19a39864f2567bbac37144e216eba27fc2ae73329b555517b880b085f89be1

SHA512
4abf5d5844811253c6db008b52f014b3a6854423ea9dc38eee92da6952f25b8c051772efe8f226ec81e30ec0b227e5aa666848004746817b7bdbe34f391b7b7d

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
45KB

MD5
bd1a0829faf7206e67ac0f87271a1036

SHA1
c6b40fffe80f777301263df8e636dd011613d4e9

SHA256
2be4733a8c42ffce3db296dc386fc27b80bd442686fb3df32da55793e765331b

SHA512
117190dc8ff4b0bfcf6f09bfc71b100e646c2859187c0495cb14a0e9d3d377449bdfd0b4567bffa4ce35c8e858a370f00365bbef3d38ee4ef7509c1fe2d1f571

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
45KB

MD5
bd1a0829faf7206e67ac0f87271a1036

SHA1
c6b40fffe80f777301263df8e636dd011613d4e9

SHA256
2be4733a8c42ffce3db296dc386fc27b80bd442686fb3df32da55793e765331b

SHA512
117190dc8ff4b0bfcf6f09bfc71b100e646c2859187c0495cb14a0e9d3d377449bdfd0b4567bffa4ce35c8e858a370f00365bbef3d38ee4ef7509c1fe2d1f571

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
45KB

MD5
8f43a0c24a5e69ffc151c660ba878aea

SHA1
d884836634c2f35122ba93df8cd4ea6bda30d004

SHA256
3e638c63c3a9864480de0af0ac76a32148b9e4da6c05e3330e3347a9cf16dc94

SHA512
d0d3f0b5386ae9c47850877bbf7c504bf8f48052457afdd37ca09b69f42b5f7d45c809721846b62db96f797a7571b35db5c23d03f856aa7685f54c514f3adeec

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
45KB

MD5
8f43a0c24a5e69ffc151c660ba878aea

SHA1
d884836634c2f35122ba93df8cd4ea6bda30d004

SHA256
3e638c63c3a9864480de0af0ac76a32148b9e4da6c05e3330e3347a9cf16dc94

SHA512
d0d3f0b5386ae9c47850877bbf7c504bf8f48052457afdd37ca09b69f42b5f7d45c809721846b62db96f797a7571b35db5c23d03f856aa7685f54c514f3adeec

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
45KB

MD5
6808152fa0124d8f2f06e696f2031084

SHA1
eb514158f5eddbc875e1531f180c510ee2488d13

SHA256
f68b10790f8bfaf1cd30139496e4c20d1bd2f82856613f52c415361cc0cabf1f

SHA512
6025bd47c353a234115133ca1d8a1e0f7597189300486590879b0ec489a8e5d89713f75c27b0d3ddeaf9891ea95d719e6fd3e882b6521e9efacb75cab3cb12d7

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
45KB

MD5
6808152fa0124d8f2f06e696f2031084

SHA1
eb514158f5eddbc875e1531f180c510ee2488d13

SHA256
f68b10790f8bfaf1cd30139496e4c20d1bd2f82856613f52c415361cc0cabf1f

SHA512
6025bd47c353a234115133ca1d8a1e0f7597189300486590879b0ec489a8e5d89713f75c27b0d3ddeaf9891ea95d719e6fd3e882b6521e9efacb75cab3cb12d7

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
45KB

MD5
fa01a789330100155e05e119c80bb663

SHA1
412d85f4815c211cf9d2af09df5bdd54c437034a

SHA256
c7983422e8085ac7a7c73080f46167e6bfc23a6c442b93eb4e96a08a3eaf3dfb

SHA512
54f738fa57eb1466898af908d522bf63c114f44822d6dc41ee58ddb12654f7d13965518e040c8333ee005cdeadce78fd70dae112a498c7bf6f5b2744b8200dbc

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
45KB

MD5
fa01a789330100155e05e119c80bb663

SHA1
412d85f4815c211cf9d2af09df5bdd54c437034a

SHA256
c7983422e8085ac7a7c73080f46167e6bfc23a6c442b93eb4e96a08a3eaf3dfb

SHA512
54f738fa57eb1466898af908d522bf63c114f44822d6dc41ee58ddb12654f7d13965518e040c8333ee005cdeadce78fd70dae112a498c7bf6f5b2744b8200dbc

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
45KB

MD5
da18af806ea96af1773109c34020a85d

SHA1
84cc51dbee8da9131b0f5bc29932cd600d6f5246

SHA256
cf1cf3001a3ced6918076fa23074d3639d2b828ef7cc04c9fa4eeda7d2586694

SHA512
12b40369a4744fbcff028a1a4d7f487e9f4de5950d133478b5697108e9b55d3c6b22bea67bac81e604017efc9a9107e98b9d95f5c5bb4683a7d853025d144837

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
45KB

MD5
da18af806ea96af1773109c34020a85d

SHA1
84cc51dbee8da9131b0f5bc29932cd600d6f5246

SHA256
cf1cf3001a3ced6918076fa23074d3639d2b828ef7cc04c9fa4eeda7d2586694

SHA512
12b40369a4744fbcff028a1a4d7f487e9f4de5950d133478b5697108e9b55d3c6b22bea67bac81e604017efc9a9107e98b9d95f5c5bb4683a7d853025d144837

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
45KB

MD5
faaf4612d04bda2a1170adcb221fd2fa

SHA1
e30c3ac6f8d3f5be50d2325540bb359419b72ccc

SHA256
510a1c3b47a89c575d7c5f253c2d6292516067cfab7289ba3c067da14da9f219

SHA512
606c15ba14f74617b5d13e4d12fd17f7110c59578aced8d5137fc018e42fcf68d847d6f6ca0730ef80956227e69506128ad5909a849ff6825623b38e0282a909

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
45KB

MD5
faaf4612d04bda2a1170adcb221fd2fa

SHA1
e30c3ac6f8d3f5be50d2325540bb359419b72ccc

SHA256
510a1c3b47a89c575d7c5f253c2d6292516067cfab7289ba3c067da14da9f219

SHA512
606c15ba14f74617b5d13e4d12fd17f7110c59578aced8d5137fc018e42fcf68d847d6f6ca0730ef80956227e69506128ad5909a849ff6825623b38e0282a909

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
45KB

MD5
eaa1090fba22e174502daa90170c1e36

SHA1
cfaf794835f2dcab8fd8fe9ec482446f0e3567af

SHA256
008269296e2b47540739885e18b8e53ef89cdde477c473f79ca5acc121b67f0f

SHA512
0acfd37e9f6e97f7e31def9f3568513715f9e57925743388d4b674202c8c00ec77c4f6e578d05c39b7d2094d7973b88e0329be4acb2ad39ea8ba37d21b98ad06

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
45KB

MD5
eaa1090fba22e174502daa90170c1e36

SHA1
cfaf794835f2dcab8fd8fe9ec482446f0e3567af

SHA256
008269296e2b47540739885e18b8e53ef89cdde477c473f79ca5acc121b67f0f

SHA512
0acfd37e9f6e97f7e31def9f3568513715f9e57925743388d4b674202c8c00ec77c4f6e578d05c39b7d2094d7973b88e0329be4acb2ad39ea8ba37d21b98ad06

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
45KB

MD5
01c3062a2c631473f10db85f5d10e9a7

SHA1
9d0e01046be6b9b045e513821625a1d8e26f0f6b

SHA256
99810a70c1c4277eb12e5481e02fc5c77cb4fcb441729869a1b6fe040f1438be

SHA512
bb6a21d4ddb426eed3688d13868ecd4dc8197947cf52e8ce1b83bd4b33be78975e6323f0261b7d044062a23b800681774867d0fa8e90e2660fb75180374e25c7

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
45KB

MD5
01c3062a2c631473f10db85f5d10e9a7

SHA1
9d0e01046be6b9b045e513821625a1d8e26f0f6b

SHA256
99810a70c1c4277eb12e5481e02fc5c77cb4fcb441729869a1b6fe040f1438be

SHA512
bb6a21d4ddb426eed3688d13868ecd4dc8197947cf52e8ce1b83bd4b33be78975e6323f0261b7d044062a23b800681774867d0fa8e90e2660fb75180374e25c7

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
45KB

MD5
0151190392b650b62300ad2de8c7b039

SHA1
5b28fed4ffcf78eeab719391b80f35d4dd9ba6de

SHA256
eeb2a03a619947e025adc75a0960ff88e91e7e416c6aff55ed7c935327903c62

SHA512
4b58c9f862ac23563580f29220f011a6512cfa4e6dad16fff693f1857343b2cc6aae1d0a9a195c447e4d4fc65092288ffd9560bc40b1acabb304069b1cd5ed45

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
45KB

MD5
0151190392b650b62300ad2de8c7b039

SHA1
5b28fed4ffcf78eeab719391b80f35d4dd9ba6de

SHA256
eeb2a03a619947e025adc75a0960ff88e91e7e416c6aff55ed7c935327903c62

SHA512
4b58c9f862ac23563580f29220f011a6512cfa4e6dad16fff693f1857343b2cc6aae1d0a9a195c447e4d4fc65092288ffd9560bc40b1acabb304069b1cd5ed45

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
45KB

MD5
47a431e38d07506158211a0c57c1dcb7

SHA1
9cedcd35cf24a58c3686274b5a664c44069db5bb

SHA256
127debd4f24aa1db20f9456ec9551bd63514577472a462a0f7c058c87436a758

SHA512
108978f0a9e6901b642c43ab6fb26d237954162eb648d3d334e8f8f724aa14c549ac1d15bfe8d391ab3c7229642e280834acd0f33d8c743f50e94397c9d8baba

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
45KB

MD5
47a431e38d07506158211a0c57c1dcb7

SHA1
9cedcd35cf24a58c3686274b5a664c44069db5bb

SHA256
127debd4f24aa1db20f9456ec9551bd63514577472a462a0f7c058c87436a758

SHA512
108978f0a9e6901b642c43ab6fb26d237954162eb648d3d334e8f8f724aa14c549ac1d15bfe8d391ab3c7229642e280834acd0f33d8c743f50e94397c9d8baba

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
45KB

MD5
61541adf5d5eb270501da263f3f09255

SHA1
dc2fa8d9cdcf95265b49021bc5bbe7a8670d630d

SHA256
b077a4ccb84e02fc9f714c27fd62a75e0536ca0b0b104e0eecea3997fecc6172

SHA512
e4d759a5f8ca034bbbb84da144f7840ef07226156d902703c603181bf35c496fed9c422c41f70620e5d39d3e73edc85bde934c55372eaf86fd83fc1205b3deee

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
45KB

MD5
61541adf5d5eb270501da263f3f09255

SHA1
dc2fa8d9cdcf95265b49021bc5bbe7a8670d630d

SHA256
b077a4ccb84e02fc9f714c27fd62a75e0536ca0b0b104e0eecea3997fecc6172

SHA512
e4d759a5f8ca034bbbb84da144f7840ef07226156d902703c603181bf35c496fed9c422c41f70620e5d39d3e73edc85bde934c55372eaf86fd83fc1205b3deee

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
45KB

MD5
8adb681fbe53ae3cf9af3f4addc50eff

SHA1
bbff4a6296b659f1d7462afa421f9d04c2c8853d

SHA256
693e02dfac3ce7872c2491c74d3ab7f8e96b70fcbc7c7e4396cb0fa12ae49803

SHA512
63a28c70318fb6c22d1fea4b2875485fcf7a02cc20494e7979233b15bb52392cabe7a9e8fdad601c1b3dbfb6461e562890683fb0a6f681aa0e7226d269b007a9

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
45KB

MD5
8adb681fbe53ae3cf9af3f4addc50eff

SHA1
bbff4a6296b659f1d7462afa421f9d04c2c8853d

SHA256
693e02dfac3ce7872c2491c74d3ab7f8e96b70fcbc7c7e4396cb0fa12ae49803

SHA512
63a28c70318fb6c22d1fea4b2875485fcf7a02cc20494e7979233b15bb52392cabe7a9e8fdad601c1b3dbfb6461e562890683fb0a6f681aa0e7226d269b007a9

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
45KB

MD5
8adb681fbe53ae3cf9af3f4addc50eff

SHA1
bbff4a6296b659f1d7462afa421f9d04c2c8853d

SHA256
693e02dfac3ce7872c2491c74d3ab7f8e96b70fcbc7c7e4396cb0fa12ae49803

SHA512
63a28c70318fb6c22d1fea4b2875485fcf7a02cc20494e7979233b15bb52392cabe7a9e8fdad601c1b3dbfb6461e562890683fb0a6f681aa0e7226d269b007a9

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
45KB

MD5
0e2b177a8c1346cf52cb44a91acb4fc2

SHA1
8edd81f7673ecfb2a5583ea354913dd0f494dba9

SHA256
06b08325c08528c1206b44c6eab14ef647253e981b307a5a67a11c636140d240

SHA512
25a69b691de8e003a1d182453670ca3fe696f152ef0e54758b67fb68b95a6161d7d706bac09cb843c5d8bd1ebb67c4e3d615e237831abdddc27a6b8819ce7b6f

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
45KB

MD5
0e2b177a8c1346cf52cb44a91acb4fc2

SHA1
8edd81f7673ecfb2a5583ea354913dd0f494dba9

SHA256
06b08325c08528c1206b44c6eab14ef647253e981b307a5a67a11c636140d240

SHA512
25a69b691de8e003a1d182453670ca3fe696f152ef0e54758b67fb68b95a6161d7d706bac09cb843c5d8bd1ebb67c4e3d615e237831abdddc27a6b8819ce7b6f

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
45KB

MD5
5f344abc4e743e24f365862bf97fc258

SHA1
fcbf18b25930712404c0854459cd1937e3b08725

SHA256
9aa68c200a982b81de6f054a25b3d4396fcc6d1395920783bae2b86183e907ac

SHA512
10e5b85663de29649b24444c456536d6d61f8581ae5ff4e166a397a9d7a24ec8a31d290d7ceb82558df4985beecce70df131eeb2a8ec8ba8974d3cf2e2ff50a6

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
45KB

MD5
5f344abc4e743e24f365862bf97fc258

SHA1
fcbf18b25930712404c0854459cd1937e3b08725

SHA256
9aa68c200a982b81de6f054a25b3d4396fcc6d1395920783bae2b86183e907ac

SHA512
10e5b85663de29649b24444c456536d6d61f8581ae5ff4e166a397a9d7a24ec8a31d290d7ceb82558df4985beecce70df131eeb2a8ec8ba8974d3cf2e2ff50a6

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
45KB

MD5
511b8154802fe6e2995828ce706f2f61

SHA1
c92d3a29b63031ec949bc3ab7a1ba25a9d014cd5

SHA256
cacf1ba7addc1ac53a214c504103b36ba26db5452e0db9c5ffa94f778152b4bd

SHA512
9125be0b339fc4be95d9fa8d8c193487ab5b25f40968788c3dc542b630111e02c27d64c90bdb83fa67c625e3c3a5594825bbc957485938200d56e6756d743d6a

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
45KB

MD5
511b8154802fe6e2995828ce706f2f61

SHA1
c92d3a29b63031ec949bc3ab7a1ba25a9d014cd5

SHA256
cacf1ba7addc1ac53a214c504103b36ba26db5452e0db9c5ffa94f778152b4bd

SHA512
9125be0b339fc4be95d9fa8d8c193487ab5b25f40968788c3dc542b630111e02c27d64c90bdb83fa67c625e3c3a5594825bbc957485938200d56e6756d743d6a

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
45KB

MD5
2cb48cac67f32cc0498f10b32c494dc6

SHA1
da548943e9bc261a6700c03cba2bfd735015c1be

SHA256
6e7b673973a8107aed07658efc7ec1d4483936b7021a843b7e12625d76c8cce0

SHA512
abe389b57e40f7d91c2e234165a2c96d2e3ab35145e072528030dc0ee816be86644d9395438b99afbe7e0dd64b665c700d562861a9a9360a20208b3e20b07dd6

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
45KB

MD5
2cb48cac67f32cc0498f10b32c494dc6

SHA1
da548943e9bc261a6700c03cba2bfd735015c1be

SHA256
6e7b673973a8107aed07658efc7ec1d4483936b7021a843b7e12625d76c8cce0

SHA512
abe389b57e40f7d91c2e234165a2c96d2e3ab35145e072528030dc0ee816be86644d9395438b99afbe7e0dd64b665c700d562861a9a9360a20208b3e20b07dd6

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
45KB

MD5
535ab885cd94193f948c6d0638248ad7

SHA1
84e2d6310f19f66c5865931278c4029f9be08060

SHA256
c8f01c4afb58448a6280db4168cabc77d8bdccb21c37dececd28d131cdb44979

SHA512
a9ace6986aa3a5c8e48918a2732b482bf7ffe4cecffdb45e62abd2c7d44f16cf254bab0679cce7d5b8b97a329f7e5af3f7db5d5cd22cc1099dfbe0556ae598e5

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
45KB

MD5
535ab885cd94193f948c6d0638248ad7

SHA1
84e2d6310f19f66c5865931278c4029f9be08060

SHA256
c8f01c4afb58448a6280db4168cabc77d8bdccb21c37dececd28d131cdb44979

SHA512
a9ace6986aa3a5c8e48918a2732b482bf7ffe4cecffdb45e62abd2c7d44f16cf254bab0679cce7d5b8b97a329f7e5af3f7db5d5cd22cc1099dfbe0556ae598e5

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
45KB

MD5
261e478bb057f7bd95430c24e343ee4a

SHA1
d3c0d7191f18e0129299576e7efe428300a010ec

SHA256
1561ce2145888a3a43d830e4808f75bbfee2771d74f3ec2c9e18d65184ed9674

SHA512
9b27838e459c1238647ca3255e38438d963b0c249e60b08cd8e92fd402af2a99c9552ed33f671513132b87d54b0572afaa2700052008849c2a83a877d1660315

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
45KB

MD5
261e478bb057f7bd95430c24e343ee4a

SHA1
d3c0d7191f18e0129299576e7efe428300a010ec

SHA256
1561ce2145888a3a43d830e4808f75bbfee2771d74f3ec2c9e18d65184ed9674

SHA512
9b27838e459c1238647ca3255e38438d963b0c249e60b08cd8e92fd402af2a99c9552ed33f671513132b87d54b0572afaa2700052008849c2a83a877d1660315

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
45KB

MD5
aa97104cf3ba2b9f959bae09252f5a04

SHA1
396c7092b97b6a136d763b31449f5452cf0af2f1

SHA256
6fb5567a0323930c140884d8b620654be259d41b4eb17ad64ed944d187979f83

SHA512
b15f40b7b86811793bf008ba832fef36fa864aaad8831876ab26a6c2ebcfa69873307a9ab2d4592a04e95f2f2af99a1f90d7e7c413bc05358966b04d599310d0

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
45KB

MD5
aa97104cf3ba2b9f959bae09252f5a04

SHA1
396c7092b97b6a136d763b31449f5452cf0af2f1

SHA256
6fb5567a0323930c140884d8b620654be259d41b4eb17ad64ed944d187979f83

SHA512
b15f40b7b86811793bf008ba832fef36fa864aaad8831876ab26a6c2ebcfa69873307a9ab2d4592a04e95f2f2af99a1f90d7e7c413bc05358966b04d599310d0

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
45KB

MD5
aa97104cf3ba2b9f959bae09252f5a04

SHA1
396c7092b97b6a136d763b31449f5452cf0af2f1

SHA256
6fb5567a0323930c140884d8b620654be259d41b4eb17ad64ed944d187979f83

SHA512
b15f40b7b86811793bf008ba832fef36fa864aaad8831876ab26a6c2ebcfa69873307a9ab2d4592a04e95f2f2af99a1f90d7e7c413bc05358966b04d599310d0

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
45KB

MD5
dd4cb50942da5ff3448c7d49cd7f832f

SHA1
6bb5a89fcf69f5bbd1a2505348b6c74230e749bc

SHA256
f311d3900eea023f6cbb2e5037c99ccdda45aab3bac2a24994ee84626db20df2

SHA512
226eab5d05fe6056730b963e541078e2acc10292d77f82e555f2f49f19958560d7da6d91fccab951845de4285f019d911048fe1b21bc463497d48baecebb2913

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
45KB

MD5
dd4cb50942da5ff3448c7d49cd7f832f

SHA1
6bb5a89fcf69f5bbd1a2505348b6c74230e749bc

SHA256
f311d3900eea023f6cbb2e5037c99ccdda45aab3bac2a24994ee84626db20df2

SHA512
226eab5d05fe6056730b963e541078e2acc10292d77f82e555f2f49f19958560d7da6d91fccab951845de4285f019d911048fe1b21bc463497d48baecebb2913

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
45KB

MD5
f7869adce8af065bb375c5782c543f2c

SHA1
8280d13f94dfa8bccd9867b0f176dfcfdd0f84b4

SHA256
00329b4ac8b8a14108dbfdf32404916292a71915d8c46d454af610ab2c1cde3c

SHA512
cefddd4a65459e649b9ded5e74b6b459cae3cc83b2558716a421a7fdc0a2f775ff2f9837727d2083d42f4dec2ebf71736c13ea2e2ee60a41841e735dca5c8c64

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
45KB

MD5
f7869adce8af065bb375c5782c543f2c

SHA1
8280d13f94dfa8bccd9867b0f176dfcfdd0f84b4

SHA256
00329b4ac8b8a14108dbfdf32404916292a71915d8c46d454af610ab2c1cde3c

SHA512
cefddd4a65459e649b9ded5e74b6b459cae3cc83b2558716a421a7fdc0a2f775ff2f9837727d2083d42f4dec2ebf71736c13ea2e2ee60a41841e735dca5c8c64

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
45KB

MD5
f7869adce8af065bb375c5782c543f2c

SHA1
8280d13f94dfa8bccd9867b0f176dfcfdd0f84b4

SHA256
00329b4ac8b8a14108dbfdf32404916292a71915d8c46d454af610ab2c1cde3c

SHA512
cefddd4a65459e649b9ded5e74b6b459cae3cc83b2558716a421a7fdc0a2f775ff2f9837727d2083d42f4dec2ebf71736c13ea2e2ee60a41841e735dca5c8c64

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
45KB

MD5
7c303d90250fec433ea2bb65dae02ca7

SHA1
803379f4d2c38506ac1837ad7f7948588deb3207

SHA256
ff8a590ad566732cc2409ec3ab45157eaf9f7fbc236248d9d59877d1f168a7f7

SHA512
eb149976a8cbb28db89906b50c4fb33a93399adc37b8d39760ae2693b332637e17e8dd74aa0cdccb3c73af454061dbdaeb8dd1680ab920aa4ded86c07970b3b5

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
45KB

MD5
7c303d90250fec433ea2bb65dae02ca7

SHA1
803379f4d2c38506ac1837ad7f7948588deb3207

SHA256
ff8a590ad566732cc2409ec3ab45157eaf9f7fbc236248d9d59877d1f168a7f7

SHA512
eb149976a8cbb28db89906b50c4fb33a93399adc37b8d39760ae2693b332637e17e8dd74aa0cdccb3c73af454061dbdaeb8dd1680ab920aa4ded86c07970b3b5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
45KB

MD5
522be408b906e2ee2f51b86df6402909

SHA1
c1a96a6673b4c72b0de5fb3d541408c3bcab70b2

SHA256
da59bb178318f5f42a609b994f935b12cb3ebdcda03523c8fc5bbeedbdd4199e

SHA512
82967152f6ebbd86ea6936cf0386be97d897ced4dd83d9de57a3bb44c44d27d830f12cf9a9cf7c75edd70fc2f52a0173be80cc880092acb0f8a230c84a9dbef2

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
45KB

MD5
522be408b906e2ee2f51b86df6402909

SHA1
c1a96a6673b4c72b0de5fb3d541408c3bcab70b2

SHA256
da59bb178318f5f42a609b994f935b12cb3ebdcda03523c8fc5bbeedbdd4199e

SHA512
82967152f6ebbd86ea6936cf0386be97d897ced4dd83d9de57a3bb44c44d27d830f12cf9a9cf7c75edd70fc2f52a0173be80cc880092acb0f8a230c84a9dbef2

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
45KB

MD5
062a66d17b6b664b4da1cfd6039353f8

SHA1
46a1f016f1a97b2ae37985ba90f135ed40ab8f46

SHA256
3bfa3530a08f5c966c12f087c943dfe85a9a5fa52b9fbffe2d7a0c2fca424c23

SHA512
5b0e4d57e7899cfb3f0693e4d7cebcf146673ca4f068a2693fd0c7196fc44bcfa05cbe5515caf56f642811c3dceaad067fbd87987bcea43114c5a68a28e36cc2

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
45KB

MD5
062a66d17b6b664b4da1cfd6039353f8

SHA1
46a1f016f1a97b2ae37985ba90f135ed40ab8f46

SHA256
3bfa3530a08f5c966c12f087c943dfe85a9a5fa52b9fbffe2d7a0c2fca424c23

SHA512
5b0e4d57e7899cfb3f0693e4d7cebcf146673ca4f068a2693fd0c7196fc44bcfa05cbe5515caf56f642811c3dceaad067fbd87987bcea43114c5a68a28e36cc2

Download Submit
memory/880-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/880-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1000-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1000-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1016-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1016-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1764-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1764-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1872-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1872-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2444-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2444-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3040-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3040-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4116-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4116-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4948-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4948-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads