045addaf4cf8892a3dbf30cf1a1beb7922f884e5ced7751735441f3dcd6d4489

Analysis

max time kernel
142s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72dd1ea144346cd0c27815e60e228a20_NEAS.exe
Size

71KB
MD5

72dd1ea144346cd0c27815e60e228a20
SHA1

e126a64722a1b75d490a0233a4c75df1c29d2da7
SHA256

045addaf4cf8892a3dbf30cf1a1beb7922f884e5ced7751735441f3dcd6d4489
SHA512

d7c3287854391ccbe8339f090a9b931da50a22b3e4517728fc75d99e9a6ec6c40cf2abb02303d1a730e460293d6c53a47f2349aa636f8e81a89af9e37bf8df5c
SSDEEP

1536:QVtktkqY01BiCjrEeFrSwtxw8g64iyYiE+cos9fb0VW4mRQxDbEyRCRRRoR4Rk:QVtkyxabENcosRbemedEy032ya

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	72dd1ea144346cd0c27815e60e228a20_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe

Executes dropped EXE 59 IoCs

pid	Process
4564	Ambgef32.exe
4000	Agglboim.exe
2912	Ajfhnjhq.exe
3456	Aqppkd32.exe
3128	Acnlgp32.exe
3292	Agjhgngj.exe
2636	Andqdh32.exe
4400	Aeniabfd.exe
2720	Aglemn32.exe
5032	Aminee32.exe
4732	Accfbokl.exe
3152	Bfabnjjp.exe
4988	Bagflcje.exe
4156	Bganhm32.exe
4376	Bmngqdpj.exe
4816	Beeoaapl.exe
1312	Bjagjhnc.exe
2608	Bmpcfdmg.exe
4508	Beglgani.exe
1132	Bfhhoi32.exe
4152	Bnpppgdj.exe
1632	Bclhhnca.exe
220	Bfkedibe.exe
2396	Bmemac32.exe
4076	Belebq32.exe
3516	Chjaol32.exe
4600	Cndikf32.exe
4340	Cenahpha.exe
2156	Cdabcm32.exe
1496	Cjkjpgfi.exe
3228	Caebma32.exe
2768	Cdcoim32.exe
2436	Cfbkeh32.exe
812	Cnicfe32.exe
1692	Cagobalc.exe
2192	Chagok32.exe
2556	Cjpckf32.exe
1536	Cnkplejl.exe
1588	Ceehho32.exe
3428	Chcddk32.exe
3080	Cjbpaf32.exe
1888	Cmqmma32.exe
4180	Cegdnopg.exe
3328	Dhfajjoj.exe
1828	Dfiafg32.exe
2676	Dopigd32.exe
2972	Danecp32.exe
3656	Dhhnpjmh.exe
4512	Dfknkg32.exe
4348	Dmefhako.exe
2432	Daqbip32.exe
712	Ddonekbl.exe
2340	Dkifae32.exe
4248	Dmgbnq32.exe
4164	Dhmgki32.exe
2484	Dogogcpo.exe
1916	Deagdn32.exe
4412	Dgbdlf32.exe
3372	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1744	3372	WerFault.exe	147

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	72dd1ea144346cd0c27815e60e228a20_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 4564	3828	72dd1ea144346cd0c27815e60e228a20_NEAS.exe	86
PID 3828 wrote to memory of 4564	3828	72dd1ea144346cd0c27815e60e228a20_NEAS.exe	86
PID 3828 wrote to memory of 4564	3828	72dd1ea144346cd0c27815e60e228a20_NEAS.exe	86
PID 4564 wrote to memory of 4000	4564	Ambgef32.exe	87
PID 4564 wrote to memory of 4000	4564	Ambgef32.exe	87
PID 4564 wrote to memory of 4000	4564	Ambgef32.exe	87
PID 4000 wrote to memory of 2912	4000	Agglboim.exe	88
PID 4000 wrote to memory of 2912	4000	Agglboim.exe	88
PID 4000 wrote to memory of 2912	4000	Agglboim.exe	88
PID 2912 wrote to memory of 3456	2912	Ajfhnjhq.exe	89
PID 2912 wrote to memory of 3456	2912	Ajfhnjhq.exe	89
PID 2912 wrote to memory of 3456	2912	Ajfhnjhq.exe	89
PID 3456 wrote to memory of 3128	3456	Aqppkd32.exe	90
PID 3456 wrote to memory of 3128	3456	Aqppkd32.exe	90
PID 3456 wrote to memory of 3128	3456	Aqppkd32.exe	90
PID 3128 wrote to memory of 3292	3128	Acnlgp32.exe	91
PID 3128 wrote to memory of 3292	3128	Acnlgp32.exe	91
PID 3128 wrote to memory of 3292	3128	Acnlgp32.exe	91
PID 3292 wrote to memory of 2636	3292	Agjhgngj.exe	92
PID 3292 wrote to memory of 2636	3292	Agjhgngj.exe	92
PID 3292 wrote to memory of 2636	3292	Agjhgngj.exe	92
PID 2636 wrote to memory of 4400	2636	Andqdh32.exe	93
PID 2636 wrote to memory of 4400	2636	Andqdh32.exe	93
PID 2636 wrote to memory of 4400	2636	Andqdh32.exe	93
PID 4400 wrote to memory of 2720	4400	Aeniabfd.exe	94
PID 4400 wrote to memory of 2720	4400	Aeniabfd.exe	94
PID 4400 wrote to memory of 2720	4400	Aeniabfd.exe	94
PID 2720 wrote to memory of 5032	2720	Aglemn32.exe	95
PID 2720 wrote to memory of 5032	2720	Aglemn32.exe	95
PID 2720 wrote to memory of 5032	2720	Aglemn32.exe	95
PID 5032 wrote to memory of 4732	5032	Aminee32.exe	96
PID 5032 wrote to memory of 4732	5032	Aminee32.exe	96
PID 5032 wrote to memory of 4732	5032	Aminee32.exe	96
PID 4732 wrote to memory of 3152	4732	Accfbokl.exe	97
PID 4732 wrote to memory of 3152	4732	Accfbokl.exe	97
PID 4732 wrote to memory of 3152	4732	Accfbokl.exe	97
PID 3152 wrote to memory of 4988	3152	Bfabnjjp.exe	98
PID 3152 wrote to memory of 4988	3152	Bfabnjjp.exe	98
PID 3152 wrote to memory of 4988	3152	Bfabnjjp.exe	98
PID 4988 wrote to memory of 4156	4988	Bagflcje.exe	99
PID 4988 wrote to memory of 4156	4988	Bagflcje.exe	99
PID 4988 wrote to memory of 4156	4988	Bagflcje.exe	99
PID 4156 wrote to memory of 4376	4156	Bganhm32.exe	100
PID 4156 wrote to memory of 4376	4156	Bganhm32.exe	100
PID 4156 wrote to memory of 4376	4156	Bganhm32.exe	100
PID 4376 wrote to memory of 4816	4376	Bmngqdpj.exe	101
PID 4376 wrote to memory of 4816	4376	Bmngqdpj.exe	101
PID 4376 wrote to memory of 4816	4376	Bmngqdpj.exe	101
PID 4816 wrote to memory of 1312	4816	Beeoaapl.exe	102
PID 4816 wrote to memory of 1312	4816	Beeoaapl.exe	102
PID 4816 wrote to memory of 1312	4816	Beeoaapl.exe	102
PID 1312 wrote to memory of 2608	1312	Bjagjhnc.exe	103
PID 1312 wrote to memory of 2608	1312	Bjagjhnc.exe	103
PID 1312 wrote to memory of 2608	1312	Bjagjhnc.exe	103
PID 2608 wrote to memory of 4508	2608	Bmpcfdmg.exe	105
PID 2608 wrote to memory of 4508	2608	Bmpcfdmg.exe	105
PID 2608 wrote to memory of 4508	2608	Bmpcfdmg.exe	105
PID 4508 wrote to memory of 1132	4508	Beglgani.exe	106
PID 4508 wrote to memory of 1132	4508	Beglgani.exe	106
PID 4508 wrote to memory of 1132	4508	Beglgani.exe	106
PID 1132 wrote to memory of 4152	1132	Bfhhoi32.exe	107
PID 1132 wrote to memory of 4152	1132	Bfhhoi32.exe	107
PID 1132 wrote to memory of 4152	1132	Bfhhoi32.exe	107
PID 4152 wrote to memory of 1632	4152	Bnpppgdj.exe	109

C:\Users\Admin\AppData\Local\Temp\72dd1ea144346cd0c27815e60e228a20_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\72dd1ea144346cd0c27815e60e228a20_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\SysWOW64\Ambgef32.exe
  C:\Windows\system32\Ambgef32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\Agglboim.exe
    C:\Windows\system32\Agglboim.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\SysWOW64\Ajfhnjhq.exe
      C:\Windows\system32\Ajfhnjhq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        60⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 416
        61⤵
        Program crash
        
        PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3372 -ip 3372
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
71KB

MD5
981709cf2b8c6980ec35d3425470ff18

SHA1
392a7c01f4543d46e03cd10dbe5228941bf69ef6

SHA256
fdf9c5371a520e074cf806d60654b667344ffaab8c833d6b128aa596e15f0fb2

SHA512
61a8c00aa09d665b878bfea2d747c9caeacdcf4b353546643431eaffc034dc9da72f3afe9cbc22c5c99c00e3b7562aa3610e8b0f89b2d8be7e082b16ec38f2ef

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
71KB

MD5
adcce6fc273f92915248fe91a4c95cdf

SHA1
9536f49ff121ff432fdf0c2bc5ea3c7f9dae3525

SHA256
730a3f57d15774b0433125e0e30c954b9ef8753d0cd78374efec858b223a1524

SHA512
125d69339f2e405e9e65622a51c2d88f718fc36b2a5d23ef5f1868af2df9d7b4d5fe974af77cd92096ea24625b8a7626babd20efc7dc657503c32e7f10a04923

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
71KB

MD5
44f184fef18bd8c6faa09b92424080d6

SHA1
01252a1039ec64178625e3cefcd7a8353c84fcf3

SHA256
80db33222559cc535acdca91877edb46b0ee8bbbea0c5ce12418ee678acffd4e

SHA512
b9b09021d6c226d740a834a03c44b062cc476a035fb40c52627faf5bef853417ba6d25936e632f5ad94abe919939ab897ea53ea7607f015fdf18ba38b2bf8d82

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
71KB

MD5
90a4e083e19f7e473784bc1b3592361f

SHA1
dc84d4a9ac131e5cf06eac8c15b6218da592aa12

SHA256
b914dafca66a09d6f84a338f854741eb49f5346a46d053657daa14e942c3a575

SHA512
79223f68f293ab7e00bf774f56af57abe9f519f43b1dac71776dbd1ad4ce4a3f777d19cc299a231847975e33f539473a22a2c951c2d001ba3531a06ba5e98328

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
71KB

MD5
c9fb75d15b90463dffaf99928f7b748f

SHA1
206d7032a2b956a6e753f15a3be2cf0908c1be22

SHA256
38a727a6d1be85fe17d025eca37a1990f0c1b6b4c56988b23efe5d615ad7b60f

SHA512
3670a62c2295e0a6aec9d28cd5221cb119f8842550de40e20bb5ed4de39f458f302c4b02bc8b8361cdb481a59db54512ac1f736a16c9926fa2fc8ccdd3e7fc11

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
71KB

MD5
a77f7d491daf7b9a33ec2cb5f159a52f

SHA1
7308057c739943647956bac483b56ddb8c0ee24b

SHA256
fd73bf0f36a8297a058297b487775ce4fc492093a98183d88a2e0c6d0da0f5b2

SHA512
028fb62bfcc4008f29195b51be7f0d500e4f1e9b0f076c74b6e553459f2f8a409d5ab98afac4f4e0935d525c8babdbb09db4a2d65582ef34a2202b57ed61165a

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
71KB

MD5
3db896d1d8af1a20afa516d18aabfa60

SHA1
45c1abbf6e69d98c5dbee5328abb53518d5af166

SHA256
cd97c79078f4373e6a72c5f0b243a082389cc6d16d893de5485484d073475ad4

SHA512
261a3236d74221bdace3ff19ab20f2e0e8e1f1e636ac8d8d693e793aab261d674a1f17fc7fd47f65a6b22b6c76fd28116d272b10de137fdb660eb50d014ce9f1

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
71KB

MD5
3acddafaeb203e6469092dc459b5cbf5

SHA1
902a9667b4dd6dbe0a47b176afaed23528ae5dd4

SHA256
43df839d1f974679f5285b688189db5d1130c28c34b08bbad195ab2b2cfb4eb1

SHA512
afc3678129f7f57adf00aa7b8c5957beaa897aac393c890d6a75c003c2fcbf7febd7ea10adc7e0b13d9070d3a2831bdc22ec56f9e94530718fcace314e90d8ca

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
71KB

MD5
f0c84510d6e6c64f34dbdd8f1a25be12

SHA1
aa0d54c0534387a4f2460f07f89749027f335fe2

SHA256
50297ab0b5f662aba93dfe0a92cef1f377ebc7c629255bf4c6779d95f5910e0d

SHA512
8cf40790db88c447d5eed40e9d915788e0ad26a1331e4b3f6c6160bddf8b1ce049a595c7e3351539bf3b9fd3e90e7f566246c0b082e1876340d5d25f3ac055dc

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
71KB

MD5
ac917936b8f88ec39c52ed1f135ec305

SHA1
0e58bc7b5c39ac5dae1395e19a7a557bb348a85f

SHA256
14decd17702aced479b39053792016a37e5d326a5e56d3aa6da63696830bf772

SHA512
560070e20ab4f738fdc1108ada542dd918953d23a9ac2c20ee45e6a0e1d914f25ef145a1f7b1c49c4074164cab1a4c71f74a73c8e9eacd6705ae74da8f010b70

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
71KB

MD5
607d3a7b806d2a40ad6f6d248d6380a6

SHA1
9c759943b2849a8cd985bb9f1f9d6540c5a39098

SHA256
c93a001a622f3a1af2d14f7e3ef537ceb132ab48ac8a17aca02506d66e4b6161

SHA512
cc0cc8cd395fe02e314255647c2e1505d75d8284b6fc719f035cd391edfa0c7ff3354f93100710196f3e6915acdcbf23f318607115bba3ab71ddc2ff74798310

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
71KB

MD5
5cf1884818c866b185184eb6e0c09d86

SHA1
cffeb74dc9e319af565bf2c1b5287d0233dc1a37

SHA256
7cae9dd3c987edf9861965dd3d32c1fcf565633e85690203d38533adad40739a

SHA512
257bd9614b699e8138de3b9abe81033f9866606bba6f62bddc699ebef1351d54057d9399e34ea90c0221197b9845a87fecb56ff15c62cd53df4611ac3706f1f7

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
71KB

MD5
dd3cdfb4ef36def113e9e4b14e7c8bf1

SHA1
5bdc39b4e1a5f5888c0b06ec7ed4df5b1daaf49f

SHA256
7260ff7bde58a9c18ede658b35853b8e168584052a3f6ab0040ee7b1e0dbed6f

SHA512
22274916ce7ee5110d9937f4f57909c4df1098ecbf19581fba9846a754d9ccc800551f117421440cd8b7f5c3b58e41f106de4b4b1f60f41d82c298e9540a556c

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
71KB

MD5
a9704e60227a11f23726307032047c3f

SHA1
d3f1856c4cf7d101c8745d938a1becd260afb228

SHA256
768a7b4db12ee14f9a30b3b274d570811e2f24a0e25724cd405158205f5fd611

SHA512
f83c6e9a524d63e27ce8fd84c4a2c71fe4d35b45f31589bc2d3ea2076302443f5b8033cf8b194f980e49b9abd0da989b936e6c36aadbabb480a4de87698a53cb

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
71KB

MD5
220d8186d3fbf56ec739fb0989f8bf5a

SHA1
50ab04c17776360cc1ddb0bb0224a96138295cb9

SHA256
f2d2a02f40c925f36069148f02a616fd6b3326f5928b175146b3a95f46763419

SHA512
f9c3c4cd211c75758659f156df309cc54a8b8858940d73203bb1d64fc0da22e7e736434cc78101025820f123b8861b26a2a1a7621b00cdacf06d5fd121322013

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
71KB

MD5
1ce1a322609e5d460271f4e38107594c

SHA1
ec4f7962dc7bfb4cd639667dec8096c74d7c18d6

SHA256
321b0957c4e679aa42a011aadf96087193455bd6d038410bbb994f19b7bbe9f0

SHA512
1c8700e2e7c00afbbc0a3b2e6f56153c7673bbdd4251b1cf99a0c222bee3091dcfa0e7b645bbdfc9a1c26c713370295810b1cd49254d6b4535dfba4bf98d38e7

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
71KB

MD5
55bf1a804555ecdd900bbaf4a7d2774f

SHA1
69d7af467a9d8dff4eed916261d39bd87c3be394

SHA256
d705bc5548fcd63ed38969f4ba6ca73ba99d16e11a2e479585d4fa575e5c5729

SHA512
4f0aae597e1a7d0cf775d246f830c711381d4170cb8e6c603a3d1b2a62cfb658572ff2a925779e11185f2ffb282fa55edcaa35adf34a5640624e8f6c2b660186

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
71KB

MD5
0ff2289d302ade5d8a690bf80e01c876

SHA1
759ed4e926bb0459d98cc55e0034067c9a7cc758

SHA256
011a76330264c67df28bf25f24406dabb03693720d08805f779160e751de61a7

SHA512
18c6b54ece34d3dd3b87566619d1b890e02e0dc0ba5c6b42264bded5c549fb6c08db60abbbfb2b7cb06f5316ca7749844a56c89fedbc2b8d1cec460bd5f660f6

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
71KB

MD5
0874606026734abe7ff5eeef20441d28

SHA1
3758fc473f2a37e1bc5186d759d6c4aefe5eba09

SHA256
0e33b638b0beea7c05f3a8c81995c31f4a10b6806a60a99117d1999286faf26b

SHA512
d1d8fae6369f5d4cc63327e932c3d046e37eae8fe24f9aeecad0880014c889de2795e2e05be96da16fa061815ec6eb7470e8eb7d83b8a586fa39b874f93560ec

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
71KB

MD5
db45128a8625c8643fa0305cb50531fa

SHA1
458830d3eff90a3b48ba855cfb4a98085bbfb2be

SHA256
6024611447779ae571c4494d12907d2d64c8142801581cc520faa9681b144ef5

SHA512
7531a68e8ecfda4328f33256ff2f5ea9024dd1280af735a18a617855cd05362df00aa57c1f8780dd5924dc9b06530acb00d31261af9332a497cdec7532a12987

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
71KB

MD5
8e7935adec1b03bed539428cfa386cfe

SHA1
748f7b5b5f3a270b8609a2daa9e9f1975f839d41

SHA256
ed819e460f6ca1ccd1ecb970eeb9c1f759359b35a1dbf2ecb5d7ff1e519bc7dd

SHA512
2c8fc3e3fdedcad03cab6608fff5ec88507ab17544d28a49ed4e93c7580c30cdc72bcde6e3103b11b73a6e4cb8c2ec44cbc09f45f749e9f4c14a8fcbc8aa3e2b

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
71KB

MD5
b8c48eada446c640f5c9c845782ab966

SHA1
6cd6888eacc71ef30e6c5d9d6850677c8d20ce63

SHA256
53f4500a09c75f81aa2e9395f50d8864a344d96cf8a16513e17cee2ae87c8e19

SHA512
19071a17fc82edb141146aaff30e1bf0f5b1fff69219317086ebb260b578ee9bb784f395ea0bd7a900ec9577fc9ba9d0cb666e52981fc686cf4456f9e983ed0d

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
71KB

MD5
8e6d5374678f1f31b2e066e516999378

SHA1
10af47c766c27ff21f4d60d0966a9117bc45eebb

SHA256
3d1a699b95e07b8bb82b7b265c66d38dff29deaccd1404081a177519ccea1bc0

SHA512
1e6b216a35cc4957ec0c73a8b7c8034d92035733f34fcbab7b3c4391af956f0cae8bfd3ff66e10e573fa5d6d832c20aac1d1b2f6f91ae19dd5986fbf74f15aec

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
71KB

MD5
a8c74a04988670e5ce203973c3a1dd19

SHA1
05962d8847bdd6019d00bd05cec29936a946ca91

SHA256
9bda3172eca83f23e8fc41ec178b90075578d738a9172353faf84b01fc6f3ef7

SHA512
cf3a882b75123b25b4aa175ef0f6820e21d6b61d679d7a1da91247ef952ac212a2839e992f46aa039097c207a1d73c3a109ad13c2bfcebc7d06302bc818fc16d

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
71KB

MD5
c254ba158fad447ac2347b5c2562aac8

SHA1
cd5a7f03d0f5a0a58b13e18e76001fdf2a9ebe6e

SHA256
7581c05f89ff0938e0a97882f0195e7e625c2b2bb7a7db718b0125b6e66df357

SHA512
ac306ef6f90b237b56ec6c72249a09e078eb4e741e52ed37d933e4b17c642c255a0510f84663ece98776d72331956acb97e9fdd8161f78e872dc98b94d6386ad

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
71KB

MD5
c14f5f8bbcafbf87abfd709d4eb4f5c1

SHA1
7451829ed71101cf0c448bd42e78b1a72aaf7c95

SHA256
e42ab951adc4cedb6c529c42a1ad9d2709810b937fb9978dacb9ba352d2be173

SHA512
7c1657bf13ff44fa88be6e794d03d57d1484ea41cd041a712ed94ff18d0aab935191f62dc0b9238e690032acbd4d8c1b2ced2108d58ac03fe240f3d9fe834b06

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
71KB

MD5
dde0e212c61404863bf747315e5274c1

SHA1
48983157e2abdb98538ea7c5bdc4980137d3a117

SHA256
7ca8f642f2e89e91d10eb38fe342765f5389d9bf8b2af257792e18624c961e5e

SHA512
3657cc01ba34960154b6ff32dbff9f235955425ae30d0e0436c62181c40e62daf5a1f2558c85f18cb28fcac62024877373b049effbe385d25e33c2bc5f0ebae7

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
71KB

MD5
9b6d85e60974d5d469fa12698e457c1e

SHA1
d79de3e68be0229839b64111252ffbab89444e1a

SHA256
e10278d630fa13edd2b41bd90b41e8e15f1b3df7e3cdbe9b55f9dbc802e2b7ba

SHA512
416db2c27dd3d5d9b3ac4db991acdbf6c59a140ef550c707e3aec58f91c51dfd2feb1b77f084a6bb214ad43956014baca0fb0d4e4ebf7cdd59fa35c2e1c478fd

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
71KB

MD5
8dde8fcf06bdf900d6a7643ba0960071

SHA1
0bd20faeca96df2ed82c6d58d1311912dc781c35

SHA256
2ef55c69ce02bcf2de5e2cedd97a9610b3883263aa010e6b7b46a28810791409

SHA512
7b7e19084fc73bfdcd82d816c8bb84306ebbc3d13c6c49c8daa0b2cd5dc7276a6e2cbd002a4940a26f60372ce3a5e59c929db4cf0513489b0aa7e05417b480a4

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
71KB

MD5
5c5103a20a42584a615814332f224653

SHA1
eb2f5d7bf2d9ae54f726bd15036b1c5945a29d53

SHA256
c141d20efb90b17e730bdda0077d91df69b63164cccf804bec31288e8bcd14a0

SHA512
23ead23b2ae0e4e4a22c5388186de9549f7c9c74fd1f564c0d7c49cabceea99bf71ea4aa7fb70b127b8921db104c50274cf5aa28ed0a2cc15f1711901f2fd4e3

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
71KB

MD5
f9551a307a41100797748bff68314ab3

SHA1
03b1434e7e5512cbd233bd6f6f5e223d68d8e2ad

SHA256
2bbc570ed0cbfa667491aeec4749d5cca863ea63542d4d2f423aaad4b11558d4

SHA512
9fc9f752dd1ed66912a65d0c01e7d19df67e790ad91d2d06dc62c319a89e4e5009998f853a42bfcb6cdbd010062a888f5abee34afab6f773bc0a1c91f6b3ce51

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
71KB

MD5
d9b81ea53f76b4eb5bb16dd8904a911b

SHA1
a4cad5af9070f9c0247f45cfbd5c680427fb2bf8

SHA256
dfb5c89e5125819e51f760b0dfccc80f019a17c5cf924b3ee90148e6b63e26cb

SHA512
65ea66c5d0862b73f79f4a8babbb302a11cd17f5f11c65aa2667f4dff04c268a210c3619fc43c4d00cdd66c321a0eed4aa50aed6ebd55c489225a376b91f84b1

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
71KB

MD5
a1f285d85a18a40edf9e422bda3fa036

SHA1
ea462b1ee0e5fbee07bc157984b6f729bdd41cab

SHA256
2137b3c982f694bd58422c3417bedcbc5ac50f32789690e53d318bb30c3d42c9

SHA512
32337a54898f0070e0565bdd68dad0aee32f8be02f217645012361aeea004432ee097b7d294a530624b580c068a83e83cf7e5ffd6f686d1ebf4e7e990a8efeaf

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
71KB

MD5
10ac70248bce16279957175f1c18d5aa

SHA1
d8ce230ce0f673cbfbcf05726f54974b344c1760

SHA256
259aa477934ada984a073a39d32fe114156c92b0a42fef74750bcafaec64a826

SHA512
919db0f152c72f8e546b3ef4e1084d344d4b6e072bc1be1cba8b79567113ca874ad6af26da908e34185da8a6d6a9224d071fdc08700fb2f5343d393f3c40a379

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
71KB

MD5
0e18e79490c1baa6066d11484a4a2cd8

SHA1
266896a9c4276082063eaecc0e3d890694ffcb99

SHA256
a0b8bf9b9c630782d552e8d540d93049bc94ee15001e9096f41f143ac728fb60

SHA512
7786141729de1a6b23ea61cdded3165a7414918d807ecf81518150b93d23c84860a96c7e53f3f69092c20079332bc62c890604032f71dce27e4dbf6d080dc74f

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
71KB

MD5
4b5331f2eec52ea016e6af3afe0e680b

SHA1
cbbcec8f8ced1978c6d57372adfb12d2ebfd03af

SHA256
df3bc229726970ac29a7b7fea07a49d7df75cfd76dae68708dd04f68f376020b

SHA512
9e38039467bfab50816244c0d1561169afc276e40868cb858867990d3f6260ec665af0e0b20fbdb1fe94663bf4704c1949681e22fb5c831f8f09f5cd1ce8c297

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
71KB

MD5
e0c051073ae35358bb159902936f7e17

SHA1
fbbde6b74632892570eca26ebca4e182a0067008

SHA256
3cb1bbf5ff5c260e0776c9374df92d28d4bcd3ef959eb2dee5fb7f16825361a6

SHA512
8c6b343e809e55d2d54e7706258c918d1270bc2decbd7bbcdd0efc1b1840bf13b301b92775e6b888c8b93cbc2b7b7e8269c0a8bdab98bf2f9777cfc95927612e

Download Submit
C:\Windows\SysWOW64\Maghgl32.dll

Filesize
7KB

MD5
4bcd5acbe117f5f8d2b9e5d89c9a5053

SHA1
2e2f57bc31d2ff65dd93b8aeda792835f2a515b1

SHA256
4860ecbe34dd8bbb2968fdd5bdacf46692a6d67e35946fcb79180959a6c1cf26

SHA512
3bc66961a5f3348bd2dcd1a5afe8db45632b1f1a8d6b4ecb4d5a0a0e115172fda344c97db8ff44206b69d3c369dc0b594afaf3305de2bc77753b214265ca4707

Download Submit
memory/220-184-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/220-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/712-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/712-426-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/812-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/812-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1132-452-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1132-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1312-140-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1496-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1496-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1536-438-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1536-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1588-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1588-437-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1692-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1692-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1828-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1828-334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1888-316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1888-434-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-406-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2156-231-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2156-443-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-285-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2340-425-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2340-382-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2396-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2396-192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2432-427-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2432-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2436-267-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2484-400-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2484-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-290-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2608-148-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2636-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2676-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2676-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2720-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2768-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3080-310-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3080-435-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3128-44-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3152-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3228-248-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3228-441-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3292-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3328-433-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3328-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3372-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3372-419-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3428-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3428-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3456-37-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3516-446-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3516-207-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3656-429-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3656-352-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3828-4-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4000-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4076-447-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4076-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4152-451-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4152-168-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4156-111-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4164-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4164-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4180-326-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4248-388-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4248-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4340-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4340-444-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4348-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4376-124-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4400-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4412-420-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4412-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-453-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4512-428-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4512-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4564-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4600-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4600-445-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4732-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4816-454-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4816-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4988-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5032-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads