27aced462a2c712ce08b4896577b1eaef519a56fbd36fe002c0f52616f1468e3

Analysis

max time kernel
135s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 02:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe
Size

483KB
MD5

53451ce26b458c67ac9a7dcccbb48ee0
SHA1

76274e182ae5d767375b01a31fcd2d42dd2363b5
SHA256

27aced462a2c712ce08b4896577b1eaef519a56fbd36fe002c0f52616f1468e3
SHA512

3c6084468c0e768f2aa70da770ae848571ee4fb085a65e86d1fc5a47340f8dc6b7090feec015b0394e57e35ba85054becccbda828e749fa7de5cc37478e5aafd
SSDEEP

6144:R829Xsq5CRVrtv35CPXbo92ynn8sbeWDJk4sNnVCj:RmRFbet4OnV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe

Executes dropped EXE 37 IoCs

pid	Process
3568	Bnhjohkb.exe
3720	Bagflcje.exe
4628	Baicac32.exe
4668	Balpgb32.exe
4980	Bmbplc32.exe
4724	Bhhdil32.exe
4176	Bfkedibe.exe
3976	Cjinkg32.exe
4544	Cenahpha.exe
4836	Cmiflbel.exe
3228	Chokikeb.exe
4880	Ceckcp32.exe
1768	Cmnpgb32.exe
3364	Cdhhdlid.exe
2404	Cegdnopg.exe
1468	Dhfajjoj.exe
1184	Dopigd32.exe
1920	Danecp32.exe
4480	Dejacond.exe
1940	Dhhnpjmh.exe
628	Dobfld32.exe
1528	Daqbip32.exe
4372	Ddonekbl.exe
1304	Dhkjej32.exe
5012	Dfnjafap.exe
1412	Dodbbdbb.exe
3348	Dmgbnq32.exe
4872	Daconoae.exe
2708	Deokon32.exe
4164	Dhmgki32.exe
1540	Dogogcpo.exe
4060	Dmjocp32.exe
2612	Daekdooc.exe
4672	Dddhpjof.exe
4252	Dhocqigp.exe
3512	Dknpmdfc.exe
5112	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe

Program crash 1 IoCs

pid	pid_target	Process
3168	5112	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 3568	3732	53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe	85
PID 3732 wrote to memory of 3568	3732	53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe	85
PID 3732 wrote to memory of 3568	3732	53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe	85
PID 3568 wrote to memory of 3720	3568	Bnhjohkb.exe	86
PID 3568 wrote to memory of 3720	3568	Bnhjohkb.exe	86
PID 3568 wrote to memory of 3720	3568	Bnhjohkb.exe	86
PID 3720 wrote to memory of 4628	3720	Bagflcje.exe	87
PID 3720 wrote to memory of 4628	3720	Bagflcje.exe	87
PID 3720 wrote to memory of 4628	3720	Bagflcje.exe	87
PID 4628 wrote to memory of 4668	4628	Baicac32.exe	88
PID 4628 wrote to memory of 4668	4628	Baicac32.exe	88
PID 4628 wrote to memory of 4668	4628	Baicac32.exe	88
PID 4668 wrote to memory of 4980	4668	Balpgb32.exe	89
PID 4668 wrote to memory of 4980	4668	Balpgb32.exe	89
PID 4668 wrote to memory of 4980	4668	Balpgb32.exe	89
PID 4980 wrote to memory of 4724	4980	Bmbplc32.exe	90
PID 4980 wrote to memory of 4724	4980	Bmbplc32.exe	90
PID 4980 wrote to memory of 4724	4980	Bmbplc32.exe	90
PID 4724 wrote to memory of 4176	4724	Bhhdil32.exe	91
PID 4724 wrote to memory of 4176	4724	Bhhdil32.exe	91
PID 4724 wrote to memory of 4176	4724	Bhhdil32.exe	91
PID 4176 wrote to memory of 3976	4176	Bfkedibe.exe	92
PID 4176 wrote to memory of 3976	4176	Bfkedibe.exe	92
PID 4176 wrote to memory of 3976	4176	Bfkedibe.exe	92
PID 3976 wrote to memory of 4544	3976	Cjinkg32.exe	93
PID 3976 wrote to memory of 4544	3976	Cjinkg32.exe	93
PID 3976 wrote to memory of 4544	3976	Cjinkg32.exe	93
PID 4544 wrote to memory of 4836	4544	Cenahpha.exe	94
PID 4544 wrote to memory of 4836	4544	Cenahpha.exe	94
PID 4544 wrote to memory of 4836	4544	Cenahpha.exe	94
PID 4836 wrote to memory of 3228	4836	Cmiflbel.exe	96
PID 4836 wrote to memory of 3228	4836	Cmiflbel.exe	96
PID 4836 wrote to memory of 3228	4836	Cmiflbel.exe	96
PID 3228 wrote to memory of 4880	3228	Chokikeb.exe	98
PID 3228 wrote to memory of 4880	3228	Chokikeb.exe	98
PID 3228 wrote to memory of 4880	3228	Chokikeb.exe	98
PID 4880 wrote to memory of 1768	4880	Ceckcp32.exe	99
PID 4880 wrote to memory of 1768	4880	Ceckcp32.exe	99
PID 4880 wrote to memory of 1768	4880	Ceckcp32.exe	99
PID 1768 wrote to memory of 3364	1768	Cmnpgb32.exe	100
PID 1768 wrote to memory of 3364	1768	Cmnpgb32.exe	100
PID 1768 wrote to memory of 3364	1768	Cmnpgb32.exe	100
PID 3364 wrote to memory of 2404	3364	Cdhhdlid.exe	101
PID 3364 wrote to memory of 2404	3364	Cdhhdlid.exe	101
PID 3364 wrote to memory of 2404	3364	Cdhhdlid.exe	101
PID 2404 wrote to memory of 1468	2404	Cegdnopg.exe	102
PID 2404 wrote to memory of 1468	2404	Cegdnopg.exe	102
PID 2404 wrote to memory of 1468	2404	Cegdnopg.exe	102
PID 1468 wrote to memory of 1184	1468	Dhfajjoj.exe	103
PID 1468 wrote to memory of 1184	1468	Dhfajjoj.exe	103
PID 1468 wrote to memory of 1184	1468	Dhfajjoj.exe	103
PID 1184 wrote to memory of 1920	1184	Dopigd32.exe	104
PID 1184 wrote to memory of 1920	1184	Dopigd32.exe	104
PID 1184 wrote to memory of 1920	1184	Dopigd32.exe	104
PID 1920 wrote to memory of 4480	1920	Danecp32.exe	105
PID 1920 wrote to memory of 4480	1920	Danecp32.exe	105
PID 1920 wrote to memory of 4480	1920	Danecp32.exe	105
PID 4480 wrote to memory of 1940	4480	Dejacond.exe	107
PID 4480 wrote to memory of 1940	4480	Dejacond.exe	107
PID 4480 wrote to memory of 1940	4480	Dejacond.exe	107
PID 1940 wrote to memory of 628	1940	Dhhnpjmh.exe	108
PID 1940 wrote to memory of 628	1940	Dhhnpjmh.exe	108
PID 1940 wrote to memory of 628	1940	Dhhnpjmh.exe	108
PID 628 wrote to memory of 1528	628	Dobfld32.exe	109

C:\Users\Admin\AppData\Local\Temp\53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\53451ce26b458c67ac9a7dcccbb48ee0_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\SysWOW64\Bnhjohkb.exe
  C:\Windows\system32\Bnhjohkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\SysWOW64\Bagflcje.exe
    C:\Windows\system32\Bagflcje.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Windows\SysWOW64\Baicac32.exe
      C:\Windows\system32\Baicac32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
      - C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        39⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 396
        40⤵
        Program crash
        
        PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5112 -ip 5112
1⤵
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagflcje.exe

Filesize
483KB

MD5
13551e880e0bac71f39e242b151d36d3

SHA1
468808c7d2db86ed268b9763426a60e770f61942

SHA256
30e3aeaff63cb09ae8f8194e9b0e090b20199627df83b2e578f422218e0e6d11

SHA512
dd84672413ecc63eed46679288d985878a4a9aed98d92229c1f9e22f15b435184298f1e9dac9ff445e25e489e1beb99ee4e3321fdb860dc047a28ddbc64de8a5

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
483KB

MD5
2be7efaea2364c2c72d03b8119b37c9b

SHA1
d63f4845991f800108bc5d85ca5caf28e22acd47

SHA256
55af7f2adfea8f7880946dbbaa15380e9b0b618e0c56ef135825ee8f85c32f5d

SHA512
7b8957e4f2994b59a3dec13dad5705fe7235020a862c22fe173f1388d125d37dd39305d114256dca22225e1d33cbbd1e10c86612b34cba9a1ff10f510f973d37

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
483KB

MD5
1249722e52e87b74087cba20f63482e4

SHA1
490d7300e70023ea1161c9faff2faecac1be49d6

SHA256
40cec3629d9c5e08aea27ae079713168a26f30315e75c286c2bb07bbcbe086df

SHA512
e533e6c09560cecb2e57e5c0716d191962583fea9e8933aa35b96af09a2c047f80cc53f55cac0d2412a6f777d5b93bf16c5ace4a56041bfe93da0ef148b80998

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
483KB

MD5
19186d653ac5bbd33f3c47db2ffca8bb

SHA1
a492f7bfeb8ad421530fb9956a2abc0a4134ed18

SHA256
b54a90d56f11f93df7e04bee4be8824a60ea69f2ca65da0bb2dae6d96a87ed88

SHA512
46bac5bc28a44c92980cd20f9b85e9b0da8759a50b327bd727bad2d321ebcb181a5fabf8a0d60ea832e9017c297bf589e2925b603a2f25dbe11891b242f0681a

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
483KB

MD5
7a17ba57f10d82a25933f1a3d37515b8

SHA1
5386fa1155654f6a2691ce0b0e09e4f5216d664e

SHA256
4598a42f1a1f582026e8e3f13ec4b3757bf2c880651e594327cb084b0ffbff45

SHA512
918f9ed9eb7515281f576f31e32ba8282cd478b8163e93966d57d11da1b481e25511a48f9158a2b4093d50d91534bc5c1fdfe4ecac84d39ba99455970002d0f7

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
483KB

MD5
7a1d3696f20fbdc9206e34b0b9ddfbea

SHA1
3aedeac839730351400829dfde28ccc9c62259f0

SHA256
147b7fa968401b3ad9c31da4c5845904e2bddbe5e0cb5b7503442c200e5aa5e6

SHA512
84872f4475d20024f5c6c4ab13e14e83f249861ca1f894daf508aa563ac71eec1bae7aed7c57fef0d04f9e500e69dd15e458d3c467868cd5dd40f35562a5682a

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
483KB

MD5
5b4d986a9246a1c30e4a7f4023840b7a

SHA1
0701d85973bc035040c9d2164bb5bccadb9a25f3

SHA256
029968d4cfb7bfcad908772ecab1a70402009e17f056cdc6c10ec5161a9f37b2

SHA512
c83e77d13876ee1412f7fe3f72f61a5a464c72ee4a63539ab55f6a3bb0b984cda3073ed65dcd732264ecc45675adfd180bbac0f6ffdb270935c1a3c781c46eac

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
483KB

MD5
0f96eff4a272cb264d9ee7131543998c

SHA1
e23e04f5b77d73685f7729094d1d0787845a9e8c

SHA256
7f0e9d302923aba068af2f0dddfb238afc19f65907543f7cf72609aa96ed6835

SHA512
4cacad0311f016d97dfd12ac8960477f8416789bd9a603b2361c5984753df0fb97cf0b96a50af7c0fe35ac6f4dab5a218a8f17880aebd81df98c6e48349327f3

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
483KB

MD5
ebd6d1ca49c7584b0a6d5bd175ba7678

SHA1
9c8c2dd0dd436dfd35a0718bc5cbcaad2bc0c111

SHA256
6a2cb359d22168e85855cfdfd764a3841c277e827f625aec5dd491b46de9025b

SHA512
675bd2275f462a7048c6c84ac8fabbf20bdff26d1f5811a938633b14439f2a52ce9664cae25921cb187e45e0bbac80b92119270d5d8e624051deb21d1e5ac8e5

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
483KB

MD5
73bb1b78a635d7203802bcba351b32de

SHA1
ec7694d3624e1565905a8416886ce993aa3df114

SHA256
462be205aad45cd4d86c7afd118a0e90894cf95e54ffbfa91a1f22860e0c769b

SHA512
6015770fa7f71b2da800cf3da8ef8754a52cd6395397b0d8473040fb4cb03856209f803aebbb8d9473010faf761c0c3772579dddc156d0453031f540a4b5e841

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
483KB

MD5
a62e21673de44f2ee3a194a73670d548

SHA1
fbef5fae96751817a5779b9f7463606975fe3930

SHA256
23d2275fba388fb6cd64cd8f2db28852b93d82b039ed50ef2c6c43669f832628

SHA512
1d7a21f2820ee3bf3390ffe0bc523a453dbceb55c81aa32d1f7f4ed28852f84039d3c54383c274c20f9531f6a7eb56f9ffe4f63807049602da35a28f14be0bc8

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
483KB

MD5
705944288328befb56be1d8fffa7435c

SHA1
beb5a56712589dc63d0191f9af191e06124c39c6

SHA256
c70673359b209f9cc926d1fbdcb8dd85d12633600c6b10a8cd71fc27c8741ac9

SHA512
1d96740bbe853d136ea6d0e09edf126adf8860192a356cf39ffa0dc396161e1089f647a5e4e13eec7522fc756b3d1e96ceb8ed17c53e6f63a32d0c77b1f7bfe6

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
483KB

MD5
3eb18fe48bf10eb6fe6c9d50ceba3686

SHA1
9d083e6737a8bacdde59e0094cfe290616f5859f

SHA256
0b523f2cae94c7869b434d6145501d11f2f1116e65ad3c285388b8448b1dbdeb

SHA512
114e887db37719ab1e1e90bb71a0e24e97f26fe30a279c9244ebdee8399f10e28afd8d264eeac5df35201a7bbb45b289f950fc460e9116cb9a48ce53a9a48b69

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
483KB

MD5
78d61dc4af2deb2ed996ab3100cb0366

SHA1
ef60a64f097673747b1971f4aeceb427d545bea2

SHA256
6099661d4ff00c9265ea0d6b89629f4834f162023e81f0d442d98ed5278b391f

SHA512
ba94fc52c4ba6ad05aa2a7dda9526975f58c46fd0f179bf4ef0bc7bfd43d52bbb2215995683b65056e2ba831476e6704e6b8d255652e5235504d7a2bd6f3cdef

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
483KB

MD5
e0b9ae66dabb98dfc2a524c6996c4ef7

SHA1
00a206204a2cdc9a3d049af92529b77ca6659e9a

SHA256
e71262445641ad79d3dae16a2104146ecf76523f91e4eff39fe923a735d524f0

SHA512
14cc276cb0bfa420baaae0724cf632fb15d8ceae603f491207d42064bf615f439feda0778c3d509e65181708eada2928006f25c82663af639183b24c91069d1e

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
483KB

MD5
98f8b7adac20d9b7369e6ac37c8fba51

SHA1
c6dfe656da775120e296017e6924712340d06d80

SHA256
e781a061b604337a0c892f3e2efc8c28a77aa24a0e5423c18d0aa842e30fa050

SHA512
ae9d55909e9ca161fbde00bd7711303b06f950ebfb7ada7b5da4563e82ab9a603735e48ee637b0dce5c4af4223869d44e5932ea027f88013fa92db31a8dec9b2

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
483KB

MD5
707fd7a23fda8674de1ce547855d0933

SHA1
a4e0657dc03a0ed328aa576a3c763e7f57badd8e

SHA256
2d1bab50e8aeac179fef20af05f7e5846e73c969e41f76b46bce3fcc5953391f

SHA512
4261925e2254ffed95fac324aa727566e79d0fe9f61c48a2ad4f5c3272c659ec9f5b158863ef959817bf9ea71e4e744d20e3c1bf25ddef38ca371d660cb77377

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
483KB

MD5
c6bdc941eb9151e6be98748231a00a90

SHA1
5260aec8a3cc3cbb56845e2fa467ab5526ddfcd9

SHA256
a1c4851b8ce1109f5ff9621344fc4fd13407da61b1b1fd06352a0f8596465755

SHA512
c1a0d98bf99b033febd96ae07c6689c6f65bcd4854df0fa0f540e883c6382e2e3d72cd4a864efbc4c23e6b57b5a307635e311677ad651410d0453b0c32a28ca1

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
483KB

MD5
cc4a3543a8016f49853cc23561192b18

SHA1
45e9176189b48323a63a4d7b45c187dcc63e61ef

SHA256
1d35ed6fcc5abfc42c153a1103bbc0351ca02f99221b65929786ae63b211f034

SHA512
82f85b6b885c655c8125e3f1aecf9b5534bccaf4f2de9d63bf9186cff5686446c6fee5a53fa466f841850ac6698ab84b50431d25dbd81df0c7297c60566b0e7d

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
483KB

MD5
9c7ab3efa7d2e8cb91b535604f763ee0

SHA1
6450c8cd95c4a766a720de276dc0f4cd33edfff9

SHA256
2a6168e751d1a7b711c02d68fc41fc23b4c9cf5f02fab8b79a037772c2c959cc

SHA512
b5c85d08f0251a14fe7a5936ce6a44ed8e4a500301adb14153254462494b0b4daf59507a4dff15bdd73e446fcecbb70e00f22bff9236ac4af2af7731c232c6d4

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
483KB

MD5
e2c9dcfb07cd845ecf703a9097927377

SHA1
9b6586e1bbade16cbc0b9e8dba547f75312df42c

SHA256
d0351db8b89c015a22bb847a9eb4f0794f7cdb69ba982cf781c6ca5299234e80

SHA512
f04ed3a36eff9c4d07f8d5e54da3d12b5f97f7b8d5b8b7a478f3f19ea93fd2a8532dac03799430126188387fcc02c4ce354d0686ff094418fc90476a3509975d

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
483KB

MD5
6a9eaa8ced5ecb5ea69d9178f140758f

SHA1
af92c6054f6842ccfeb22c74a91a1af1a9b6003e

SHA256
68c91f0760de9c7a53d69ac82124e11e9c21dce1dbe181bd8134bdb5f9639b4e

SHA512
017cad468f71e923300cb3529421ae611f935054e21f5da9fa30fa7d95c5d6a8183b30416f8d21e50a8287c316d0eb137419a022dda862349b4ef54a39679887

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
483KB

MD5
0322617836dca7e40179fca31fa259e1

SHA1
d0145bfd8dd3cb05b43d9154cee0a3a0a29d5d6c

SHA256
e413b23bd4275911161aaddb827bd5d6b70b37077f8ef6b0f6ef2a0ef9c4bcf4

SHA512
a3d9bdb8610462de4bc6f62a0fa50f5ed69a11af565b80f14e441269932d9808fbfcab908cf83fb5dc6053498e30820acba8c5c2050a2795c5ae60abcb9838b6

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
483KB

MD5
a8dd252d4b9c40e1144e9de7256387df

SHA1
a9f246b5bee452bbfef72c9494aea64ef95f6c13

SHA256
76428f516ca54d403f8da22c734f4cf507e50c697a4500454f0e54d9955f4de2

SHA512
b4c2c6de4bbfa3dcbcb9c68d492c278adeee0f0f9304fd5a39a9e5ba7f379beda0975f7aaecc059cfe69f1b7cf300769232e0ae58b99f0a142094263ec13539d

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
483KB

MD5
712aa55209def17e4a6bcae41cd2b6c1

SHA1
4b422f1c45a99bb9644b86299096e0332a525ee3

SHA256
40073fafc41e3cb485e055539080926430e7b5f7c8774c2fe1df88a4933b8827

SHA512
1b47b24b8297caaec82fe1c9a835f07cab9f42ada78aed102c855c704ecbd84301e3f7a2caf01fa8995e45ff085c8fbc24aac5abfcd3e92907c449bfb102fa6e

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
483KB

MD5
26cd560ee9fe5e38caa41c7fa1cdc59a

SHA1
4836010a1bf9c3371842c0bf117e9d4c0ab7b2f0

SHA256
f878f61443523dc83cbc9fba34b2f84a75a4c3408f5cd12efd0bc7553391b1be

SHA512
91e995c0949d7fc0e29202e0f5242a47076fc3de2bf685301b76eaf6fe998fb93b3ec438b5064b377b9a7e527968e6c60c8b056d40239087199487539141899c

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
483KB

MD5
08b7cd1f9a14096eebde0486ca1d0b1b

SHA1
0d680f5804fd465bb25b101e32f1285e5f508893

SHA256
e95933bc7b2b714940a7be9699ddac99dc08c2c3cca8d06f94cfcbfcc11a7d14

SHA512
283bc2415ec50d4fb845068bb1c476bd58cef911e46851d148edf8dfce85e6d9d8fc5305511a05b00b8cd3041e6e88dd05397cbd3a8576703aaf8a2498efcae7

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
483KB

MD5
68e0570c77ac6835d6ab935e7520ad02

SHA1
34a6f5a49cc0ea16e21cf37f5b6097812972ed19

SHA256
a1908dab678bd8048d379664badd7fc60686cf3c85285f4bb4b8eb569c4a8a00

SHA512
2ce8c135f52196f13d8a01768907ebfd241a2e561878784030a9f79dd6a35032d12137397f710575bd4752b5d116980713d39c3e72ac1b4c45eff8d73ea19c30

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
483KB

MD5
945d71880215396df30c1ceae0ff4eb3

SHA1
d1787649ba9daea3e12419739623454566338f28

SHA256
3bf5ac58db6db6d914a3cc27a07ac28e1b406922591ca0723828b29baf9d676c

SHA512
ec1d49c4c459c44e7ac0d91448bfa78a9e5dd8e256f7bbb67f3988b8bd0e16df010b8d115780fece2ecc23fd2dc65bb6258c4c744c6000dc1d104c4e14f4f6e6

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
483KB

MD5
f82b9c5f825090c1f3d584037e537342

SHA1
52f8fc996af0d13d12e532ad27c117ed20d3b867

SHA256
5a97b2ecd8a3769a58c23b7f51dc1dd38bb5030223843b0561897f1b9a477fc2

SHA512
ae51f87bca2ede89f5ad59114bd083b0ccc5c58eb29bebae7f1a603cb19d65408fbe448d0ba459cc54bbd30bdd8f2024cbb6a7a60f0c4b33beb5fa90659123d6

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
483KB

MD5
e04249f43da9935ca190f52ceec1f786

SHA1
2f8dcbb53f33091be9ed60c3ec2e6216146ca075

SHA256
4f229c01cfdecd96a77563d4cc7a6011982feb7ba4179b144166379a7df0021c

SHA512
3c23adaed351aa7663386e100316faeb06a0eaf29ebc2654c78742c30782d4b29e20509c8070ec2f07047567c9d1413ea310bd4e5e2bd45e1fe14c2fa1062cec

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
483KB

MD5
b6e28f6fbc627355a1e6801b48746e0b

SHA1
de33624b39688777e462c14a84759a7063d95f59

SHA256
0cf59bb17ad37f4aca836bd6ccbb4b12b9a225c4e40d117836a0d5cb0c9970d7

SHA512
b9add6e78990e55ebcfefbe74c91cf3fe9fd0f6f856c8b6914a075467765ac7e515da4c727b6e17808ef849f8ad72bc5e3286c0a6424d721089c333a81a7c5a2

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
483KB

MD5
17a1f2c4c3d82efa9b01a3b81175cbd0

SHA1
0bb78dd905c6c6ea06567d031d445ca7b49ad0e0

SHA256
532b6fa52a8a7aacbbcb1404f4d0fd20283b255e2e99dfdb0db3c74545050ffc

SHA512
89b6552a2a8cc48f623ec4ff8454bad0ccb26ec4683995f87d10a814a9f3c00a060bc969afc28d29de4cefc9e1cab2572786ed330d3a00d5ff86b73d06c71890

Download Submit
memory/628-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-6-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3732-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads