aea07c9c3c0976031448316385e7d01c274f08d2f3a9de7546c0b06e80c01a8a

Analysis

max time kernel
141s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 03:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b2a837f7553b824775d905dee1ee3030_NEIKI.exe
Size

74KB
MD5

b2a837f7553b824775d905dee1ee3030
SHA1

c2ca0fdf03432ee77f584279a83ef878ef112577
SHA256

aea07c9c3c0976031448316385e7d01c274f08d2f3a9de7546c0b06e80c01a8a
SHA512

d1ca164ded6d46111292bde89231c23893ee19d08ff5eb2b1ca362a5b068bb05249beca95e9448dfa6c4a07ae7bd8cdc70c7193d9867cda11b4512e9d5a7f505
SSDEEP

1536:38hULVooMIgb+3g3EklLMtG+AH4phhhhhhhhhhhhhhUhhhhhhZHhhhhhhC:Mobgb+3gHlLf+U4j

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b2a837f7553b824775d905dee1ee3030_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b2a837f7553b824775d905dee1ee3030_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe

Executes dropped EXE 49 IoCs

pid	Process
4508	Bjmnoi32.exe
1804	Bmkjkd32.exe
4840	Bagflcje.exe
2116	Bcebhoii.exe
4384	Bfdodjhm.exe
3624	Baicac32.exe
3208	Bchomn32.exe
3252	Bffkij32.exe
1456	Bmpcfdmg.exe
3168	Beglgani.exe
4712	Bgehcmmm.exe
4024	Bjddphlq.exe
4464	Bmbplc32.exe
3984	Beihma32.exe
1768	Bhhdil32.exe
3160	Bjfaeh32.exe
1964	Bapiabak.exe
3700	Chjaol32.exe
2600	Cjinkg32.exe
1920	Cmgjgcgo.exe
3820	Cenahpha.exe
872	Cdabcm32.exe
3444	Cjkjpgfi.exe
4196	Caebma32.exe
1544	Cdcoim32.exe
3872	Cjmgfgdf.exe
4052	Cmlcbbcj.exe
4908	Ceckcp32.exe
1596	Cfdhkhjj.exe
844	Cmnpgb32.exe
3332	Cdhhdlid.exe
4628	Cjbpaf32.exe
3028	Calhnpgn.exe
2088	Dhfajjoj.exe
4376	Dopigd32.exe
3856	Danecp32.exe
3312	Dejacond.exe
380	Dfknkg32.exe
4756	Dmefhako.exe
4144	Daqbip32.exe
1084	Ddonekbl.exe
2308	Ddakjkqi.exe
2776	Dfpgffpm.exe
2664	Dogogcpo.exe
3204	Dmjocp32.exe
5044	Deagdn32.exe
4892	Dhocqigp.exe
1808	Dknpmdfc.exe
1904	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	b2a837f7553b824775d905dee1ee3030_NEIKI.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	b2a837f7553b824775d905dee1ee3030_NEIKI.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	b2a837f7553b824775d905dee1ee3030_NEIKI.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2224	1904	WerFault.exe	136

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	b2a837f7553b824775d905dee1ee3030_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b2a837f7553b824775d905dee1ee3030_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b2a837f7553b824775d905dee1ee3030_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 4508	2264	b2a837f7553b824775d905dee1ee3030_NEIKI.exe	85
PID 2264 wrote to memory of 4508	2264	b2a837f7553b824775d905dee1ee3030_NEIKI.exe	85
PID 2264 wrote to memory of 4508	2264	b2a837f7553b824775d905dee1ee3030_NEIKI.exe	85
PID 4508 wrote to memory of 1804	4508	Bjmnoi32.exe	86
PID 4508 wrote to memory of 1804	4508	Bjmnoi32.exe	86
PID 4508 wrote to memory of 1804	4508	Bjmnoi32.exe	86
PID 1804 wrote to memory of 4840	1804	Bmkjkd32.exe	87
PID 1804 wrote to memory of 4840	1804	Bmkjkd32.exe	87
PID 1804 wrote to memory of 4840	1804	Bmkjkd32.exe	87
PID 4840 wrote to memory of 2116	4840	Bagflcje.exe	88
PID 4840 wrote to memory of 2116	4840	Bagflcje.exe	88
PID 4840 wrote to memory of 2116	4840	Bagflcje.exe	88
PID 2116 wrote to memory of 4384	2116	Bcebhoii.exe	89
PID 2116 wrote to memory of 4384	2116	Bcebhoii.exe	89
PID 2116 wrote to memory of 4384	2116	Bcebhoii.exe	89
PID 4384 wrote to memory of 3624	4384	Bfdodjhm.exe	90
PID 4384 wrote to memory of 3624	4384	Bfdodjhm.exe	90
PID 4384 wrote to memory of 3624	4384	Bfdodjhm.exe	90
PID 3624 wrote to memory of 3208	3624	Baicac32.exe	91
PID 3624 wrote to memory of 3208	3624	Baicac32.exe	91
PID 3624 wrote to memory of 3208	3624	Baicac32.exe	91
PID 3208 wrote to memory of 3252	3208	Bchomn32.exe	92
PID 3208 wrote to memory of 3252	3208	Bchomn32.exe	92
PID 3208 wrote to memory of 3252	3208	Bchomn32.exe	92
PID 3252 wrote to memory of 1456	3252	Bffkij32.exe	93
PID 3252 wrote to memory of 1456	3252	Bffkij32.exe	93
PID 3252 wrote to memory of 1456	3252	Bffkij32.exe	93
PID 1456 wrote to memory of 3168	1456	Bmpcfdmg.exe	94
PID 1456 wrote to memory of 3168	1456	Bmpcfdmg.exe	94
PID 1456 wrote to memory of 3168	1456	Bmpcfdmg.exe	94
PID 3168 wrote to memory of 4712	3168	Beglgani.exe	95
PID 3168 wrote to memory of 4712	3168	Beglgani.exe	95
PID 3168 wrote to memory of 4712	3168	Beglgani.exe	95
PID 4712 wrote to memory of 4024	4712	Bgehcmmm.exe	96
PID 4712 wrote to memory of 4024	4712	Bgehcmmm.exe	96
PID 4712 wrote to memory of 4024	4712	Bgehcmmm.exe	96
PID 4024 wrote to memory of 4464	4024	Bjddphlq.exe	97
PID 4024 wrote to memory of 4464	4024	Bjddphlq.exe	97
PID 4024 wrote to memory of 4464	4024	Bjddphlq.exe	97
PID 4464 wrote to memory of 3984	4464	Bmbplc32.exe	98
PID 4464 wrote to memory of 3984	4464	Bmbplc32.exe	98
PID 4464 wrote to memory of 3984	4464	Bmbplc32.exe	98
PID 3984 wrote to memory of 1768	3984	Beihma32.exe	99
PID 3984 wrote to memory of 1768	3984	Beihma32.exe	99
PID 3984 wrote to memory of 1768	3984	Beihma32.exe	99
PID 1768 wrote to memory of 3160	1768	Bhhdil32.exe	100
PID 1768 wrote to memory of 3160	1768	Bhhdil32.exe	100
PID 1768 wrote to memory of 3160	1768	Bhhdil32.exe	100
PID 3160 wrote to memory of 1964	3160	Bjfaeh32.exe	101
PID 3160 wrote to memory of 1964	3160	Bjfaeh32.exe	101
PID 3160 wrote to memory of 1964	3160	Bjfaeh32.exe	101
PID 1964 wrote to memory of 3700	1964	Bapiabak.exe	102
PID 1964 wrote to memory of 3700	1964	Bapiabak.exe	102
PID 1964 wrote to memory of 3700	1964	Bapiabak.exe	102
PID 3700 wrote to memory of 2600	3700	Chjaol32.exe	103
PID 3700 wrote to memory of 2600	3700	Chjaol32.exe	103
PID 3700 wrote to memory of 2600	3700	Chjaol32.exe	103
PID 2600 wrote to memory of 1920	2600	Cjinkg32.exe	105
PID 2600 wrote to memory of 1920	2600	Cjinkg32.exe	105
PID 2600 wrote to memory of 1920	2600	Cjinkg32.exe	105
PID 1920 wrote to memory of 3820	1920	Cmgjgcgo.exe	106
PID 1920 wrote to memory of 3820	1920	Cmgjgcgo.exe	106
PID 1920 wrote to memory of 3820	1920	Cmgjgcgo.exe	106
PID 3820 wrote to memory of 872	3820	Cenahpha.exe	107

C:\Users\Admin\AppData\Local\Temp\b2a837f7553b824775d905dee1ee3030_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\b2a837f7553b824775d905dee1ee3030_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\Bjmnoi32.exe
  C:\Windows\system32\Bjmnoi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\SysWOW64\Bmkjkd32.exe
    C:\Windows\system32\Bmkjkd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\Bagflcje.exe
      C:\Windows\system32\Bagflcje.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        50⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 408
        51⤵
        Program crash
        
        PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1904 -ip 1904
1⤵
PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagflcje.exe

Filesize
74KB

MD5
7132d5ea004e9d03234b0c248752a6db

SHA1
577dbdada2da73c5b4f7bb31e875e7529058ff1b

SHA256
512fd55787fe89dac2dae01f94851bc3366a53305568491522d522137cb0ba30

SHA512
a5675da7fce76b5b5a329ff5325afe2fb44eaa07ecf50215476f16626e0a3f0c736532b36ef703a3ce62f8e02d3b029c4f0ff6e2e06591b6b8e900b71d87560b

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
74KB

MD5
d594fba6af5a262ab1d76db4a7207db3

SHA1
ac914cf734a972b5e4a35b1af36b36789e946ed3

SHA256
2ca123324f4d84a7d9f10002f7a9abdc5149a944a1592b1e878f1e7f122cb34e

SHA512
b634a006f345a2d232ccf00943b7ffaaf8d7c3279d4f0ff888ea184736aa04134f7689e0436fab1eb04fb78426c10e6e7e38bc2888571dea591d9f0b3b1419b0

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
74KB

MD5
df13f88a4c953f2e3f0bc67b5cff24d9

SHA1
52ed7aaec7eb71a6826ddfe7d9e8bfd7099468cc

SHA256
8d6711173ae4626b4e99cf5007878aa8ee4d50c39781d3c653fc2c67e08a0906

SHA512
04c7500f10f578b2bad8c35daea29ea2e72b43a12988af9b929242825fcb23eff2dda859319cb3f42ea6e15d1c21d2b9e5b88e6962dbfb239315c02d11389ae0

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
74KB

MD5
6c2fd346b4829a7e3f54379d6a8ba613

SHA1
37eff9e3776243a525c79c1dba350e416d85a8db

SHA256
5f46dd19d7ccee94ef732150bb96c6a8aee6ae36e37d5baf978fa9c2bd550b2f

SHA512
cb3d9a2bd35edd26bfba6d654e21ea5d38864f07fca858bf8aebb77efc93bb778d45fdca46148594f9902ed1d594899422783e2ac417666ce73b9e6ba7d649d1

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
74KB

MD5
451832cc91bf72309130da5f8bb286e9

SHA1
e4ec39e3937de06c343bcc2e1ac7058a03a816fc

SHA256
70519bb45bc233a920254874413dc1a72590f5d0805fd93f9ae3d9596defe320

SHA512
3da5dccc706f564acca73a3a73231dd1d63d5ab6b1920a15b915e16167a1f46d308b5cc893033b11924397c7aa0138f859cb8d544472b5e47742b983ac3f8ef1

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
74KB

MD5
acad0b4cc4dab0cdd16ac1b338781e3a

SHA1
dfb538fc27bf6826b925d402ab53c6521d6d51ed

SHA256
89c51734008bb6766e4d593daa2a3528a9ba215a57933e0d7688698373e76e46

SHA512
4e95102b6ee44d5577c15a5684267021886d2201e8577bd7ff4032b812a3c8c83f85285610ac8d38bb31f66cf63ca227080fa13dcbecf929db8d696711ff07ba

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
74KB

MD5
6bff79df6735dea8fe58b124ac12aef4

SHA1
4feca9dd16482289dbd2413530b4403ac01b3fbc

SHA256
1971570f251b06097ecbefb86af63c5f883e0028f38c83ec50a097647dc7ee92

SHA512
c622b0f15d5920939f477e90e0be674d5e316516f4665df1a4604063fa95782793993fa5fa63eb849db2bcfb14398a7e3cd70b2287dc83cc4b86115030483513

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
74KB

MD5
7efec61ebbbed5461f2dc387a462d118

SHA1
85b290c40044ef987a90cfbdc54169179e5e7c1e

SHA256
5c4c858a3f2d1bfe66032d76854533bc1089592ed7e8d701cf0bdd8cf8b2b143

SHA512
a5fc33de8c3ea1d776319ef397048115c6c67967dadfa73d405874ff43555d144af834b155d9341d0693daf49eef63b1f05117be034e77d1d3b86aa02f315563

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
74KB

MD5
d263dfa6254069cd6e26f78c8a201502

SHA1
84c202404979dfd67e0d4649ca91b77967d71841

SHA256
b8280616c43c32097e6457b24a462d72f3c79b0ee143cbe044ff8e5250966be3

SHA512
664e72ff79032309295fbf11067c945c685badbdf1d5b6b925646c38873c99b1052f99b1b45529ae18feb75048e561a4a59bc228d204cd80ef9c7d5c5656b682

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
74KB

MD5
f94b95346bd4d97e3300165d75825be7

SHA1
837fa6d15d693a6f4168d627e8c17fe677682c2e

SHA256
885d40ac070b3cf98d7a01ad2bda0f899bb4ce5decf26cffe3eb218637e95d02

SHA512
bf64df3fe59661575fbd6b93f231df38dc140af7f512e6243a0f254ecf29ccfe16a038903f90815dccd89776766ddfbd4595862daa165745dc705cffe6ee1782

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
74KB

MD5
0494976a60a742e4d83601ede2ba4854

SHA1
89682e0fb937ecd4679283e46f904c1812d8a845

SHA256
085b44683548f1cb69f2ff84f6b141761c0bde3ea0d964aa19baa5313082feed

SHA512
a8810a237edf134c79aada92bd8f9ee391827cee77dd3d73469db1dbff1eb5e6690fa75f436c0a0ff4a3a7771f7e77a5d885985884e6837ec0fb4d4cb75b2cfb

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
74KB

MD5
2c91af98cf1581bb743ca41f81039803

SHA1
3e198ef5d9aad84c4fe468b21a1ac193e400a982

SHA256
b38a68199f9d52b039f495130c00a3710c3aa9b1b15b9f79fc0fed3d39de0cd7

SHA512
43f06fd096b17ce28ca844c8b969a59a31f8a06e970cc969c83ecf605a9bcd4c7b3595f40ec29146617c3cc0f131bcf52c021ec3c4ab72c29936bb1fe02c6c4c

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
74KB

MD5
51e95ae5e6b9ed6281676eff46c92c72

SHA1
857eb81d30970e3eb3812dc545964b0f03d74885

SHA256
5b2d3af923c4f92db44cf29b5027ff6f2e2067149804fc0b1f3bd07a4ac17902

SHA512
03f64cc7d9d12b1c69ddf48b95051c365138704c8c2b2c67862b7c62fcc99f28d849c0647725ae97e13fe2ad9d0266c70183889bbcdc85cfebfb18b1020fa059

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
74KB

MD5
756f180276593afb81d70000bfd78763

SHA1
70293d569aaa8a161740607685da8ec2ee39a2c1

SHA256
3719eea1d57404541ba0417e3423526389d2bca05138f60d68ec4f7900a3d30d

SHA512
1c55e0830ca111bacfc7df4fe7ebfff76872c0b37c4822d659d42d9e78e6140ecc1c345fb136c26d9dbad6ddb294ee7fe19fed7f398ebfd19d91a8713be468b5

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
74KB

MD5
4218de69fa96e82b18c6c6ad880f8452

SHA1
964b08d29484fc3fb07525e2078f4345ac9b4590

SHA256
5feaf2d9938c9f222f1a39a0d2d26ced5bf538df5dfa417ea12000b04b46a1dc

SHA512
7817069027f66742cc81b063ff0df5591ced26a86cc463d8cf971f422a99da1fffe7c7d3f4c862ae2a2e4904cd2ab371ca1514c15b73b1e2c806cb302fd0c3e3

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
74KB

MD5
43090458492229d98a0afc91f141f5fc

SHA1
edd0e7ea808c296fc6fd985249c1280ad8da6459

SHA256
8b4216732e4806f796713684cc2cfaac2c0e3b73fd3eb5e6c04b1ee5123d9ea4

SHA512
8b20883fd6df644ad4bad4ca4c893b4405fd92c4411e058049bec6211367bb56118661ffb97a550d8293135eb96e0f4e16858e0f9ab10adb02d78be6e04370ac

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
74KB

MD5
3334d3ba588c8ab771e5e04d96cb9298

SHA1
419471bcf82248d61958f8524ce9eec6d12c98c8

SHA256
d0934a5a59a1717195a0eccd9f21b73c0dc6c778e16970a9ef646fff66707f85

SHA512
739886d63d1ea44ffde268a49e453dbd77b84ff7968be1eade09e068f56b1a538d873748b4ae125fbfc09120cffcb50cb86eb4cccafc186afd77ba1ead7d35a1

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
74KB

MD5
54793eb9b3aecb0d9364daccd96180dd

SHA1
53de0f0e1b7a6dc550633ae34e185d667dbf1965

SHA256
019aaaf376cadb55afaf180db8a21e94e198be41878c3afab557f48a3d27362a

SHA512
e0da704f4f8f0e234f728fb5be4a5e6adbcdb10103047ac96c73257d098dc920a03343fc9a2a72cdd291c3eed92a2ff2a55613ddf05cc3ec86e82f6c7c2f6eab

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
74KB

MD5
826fd67a279289d0da56ad765d96a716

SHA1
12e5b51de28f1509d88ad439c25e572770062f7e

SHA256
1a9b68b0ad9924f0e0f3beadb795148813af0cdbd150058ec84faf8bf13f2066

SHA512
f449bc349aaf846c5c88b2120b413eb1b743b036266e567f16b426666c772d5026b5877f3c4a2d75a6314a0dd8e26857a0099009c89b0ee123f10e1e6bd330db

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
74KB

MD5
6c20ffce8a97421b80761c983feca3c6

SHA1
f5b3c61f7feba9d9e9cf5a44a930606a444b2e82

SHA256
05fc99a560289d407b95375852225de0bdd4a00af04f62f57b80d88729233a95

SHA512
24042a0c8aac669c0821103efed40bdda12d5a838574fd41925069b9abc30b2210b636e31ee484da937da3b1a3eee4577bc13ab7401ea1a8cad5250440735c78

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
74KB

MD5
ec3b6ff39c4febab438b72b265525c0e

SHA1
7cfceb9b3eab6a875698c60aef7ded7a7bb2b31f

SHA256
9d0a36b77c0597881dd705b209996b2363ed7f5d037fde94873057611e28b40c

SHA512
fd760db6bce99a8fb48f746031a0794c825066902b9d843da56be9334b86ec17a570945e3b5837817f9f707e815dabe10de836759d3560fe884404c9292e8d6a

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
74KB

MD5
b137e5cfe18aaa66555f6f6886b8fe8b

SHA1
3642d9ab2705ce347f878774da2c405f8a5fad14

SHA256
9e73affcaa603ce37cd61b8cbbe2941490c0dbfff241566f3815937a13414823

SHA512
43de038606b691e89aa994ad1eece499318daea225a576a2ab96180a9ac06a8da8f55971bec5976345394890c47e0376f9dafce9a9f74d0dbab8a6c1f63a6e7d

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
74KB

MD5
a24a0f231aec0208e749f695f7a5618b

SHA1
1757a6aef827568da9b7cb9c5ea1c5762a35169d

SHA256
73d2c4d67c50549e534733a45be606fbbf1a7197255e553369cdf1aa6b2d6539

SHA512
a79fd178987122df6fc5f4d652edd36f136b77acd32d81d5bd6dc4d155dca9c514e2ebbad314d52861b6f0d1c7982d84910a04ad9c94ecce60dcaff593396963

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
74KB

MD5
f0837c01809c6ea5d9d9e97b61fa3d1e

SHA1
efd32af9119bc83fa8f1607ead8ece82d17d8be1

SHA256
a9cfb8a7fcc5c6a52f8c861a41857fac24c46346c46787adc62ca1d1f0953a29

SHA512
0f0a12b43840fa9428fc7cbc0fbe6c69fad9e21e090e64c917795efcb3c78d0b7d468d77d93b2f38f85baf25ed7fe020cf2bfd6098eeb9113a0e3ba57279ce36

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
74KB

MD5
31c2d54e14520ddf815f7811997a2639

SHA1
a6e7cb828ec31c6f740efd73c78bc46ab122a469

SHA256
4f8124fa11889357525919c5139699a5d4f9f7ce0d6c0294619d2b97586f7b35

SHA512
21542cdc9b3cd023634e900e4d1de870600715ef7820864449b2e320758ee49b504f41b325eaba8dfe3cf6aa9d678d66e188e5c19027da5a38fb7b3f91d5a196

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
74KB

MD5
3089d791cca18cd60afb73052c900a49

SHA1
8b763cf194ef8dbbd8edc9053226123847d251f2

SHA256
e87c7c3fba6cab76fb34cbad7814b522fc2b30bbb2f7d30a4ccb6633344c1afc

SHA512
d690a6ab1e6c3c1c4fefac967486402bfae9cd0272bf09a53125fd8bad648a8f7931c8ce230f632dba827ac27a44fc9cc0b39587ca8578ca8b12e30b82656ac0

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
74KB

MD5
ee5fd331cc0dfc787d1a34c2f0bfac4d

SHA1
7a09e60ae16c6b1a70077cfac8e0a9f0dbeadd20

SHA256
eb5369d82892f7bb0575e0da70b7763823ca504faa2e92bc80ec8c8cfe019b0b

SHA512
4c76d83794cc29b65fd0a3d6b0c9a489002a7866c0e68ef974c30af303d6fee12047e875fac49a15200a2471f86f2aa00f4ed5d98232c65a4af436616b5e998a

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
74KB

MD5
84096d780dbd84cca88070982438d21a

SHA1
f2c8f1fa7de632ad341d812f254d7b30290377b1

SHA256
c28723efb0170e8d3cbc41350fe36cdcf2f9a875ebe6c542612ad85a0063fdc2

SHA512
0c4a1b9f867a155a46bf8d14f23630a35dbb49a20ba3ba2b824a8b0d1e8296cc4e6fc77a7a66a1b443174694d72009806267da2c4334797b96fe81f1f774c9a5

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
74KB

MD5
984f521e05890fcbfeeaa90ee8d51b4f

SHA1
844d1ce3775fad51a3618442ec8171c3c5fb2baa

SHA256
208c20878df7fcf4c8821361ad4358b8d7ff4f173a3e2ffe66ff8d2b7e784aad

SHA512
34220cbce0a718f11938dc5ff5cf055625270a6af8c033ed25d41a87b9577b5ac3caf5ab48b7be4c9ace22011d501215652f4d8624ba101c69371c3776e9ff17

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
74KB

MD5
af9bce9e86b4c8848b23e156a3fc2ad2

SHA1
3bf2b35defdf22005f5b63ceac345001d7698597

SHA256
e350dec0edfa3c19375aa020dabbbaf16e902c8de79340b8a7bbfb4e611155fb

SHA512
19aec17070be6b817c74a34ddadd86f4aa3bc509cd07b969d5780aca0747f271af291eb205cf7b0736a5500f07be22a904067bc868639681f715d29314a951d8

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
74KB

MD5
31a134b71e8f437ebe718d6a09f39e62

SHA1
6645742a125bb41b57d72900f18e19e6d270096a

SHA256
972c3a2e5bd4c5000635e1ca15acc837e87a743289831977df096e6ad952234f

SHA512
a0f378f7e4aa4eb29ea935fb630b9f566e2f9176af6a5fd46ae1cfc27867919c07b5b42e17111454bea6723ad78577c8ad183a545ebe99b1d295264dbc1572bf

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
74KB

MD5
ff505f7abc2ac32eeda0d3ea7f05cd4e

SHA1
6aa3b8ecfa899fe3976b7ef837e7f57596dc927d

SHA256
7e8b4bdce8122bff7384e73bcbc249e7e42b7bffd3efae4dc0b7790cd43f76cb

SHA512
34bd4e2d0fc913e2e6370f65cfceda4bad7949e92497e5dc49de3151755c298ad0082dd3d01ca119b038777f0e1730e14823579e7dec19c8b3c05872452d115b

Download Submit
C:\Windows\SysWOW64\Glbandkm.dll

Filesize
7KB

MD5
f63a57fc8aebd6134275f4aabd1e8c6e

SHA1
a695ec1ee81137c41a3e4c4a2b24ca0851a82556

SHA256
ba2f3242f9380ad94d6d5e961e3f4e1a607dd5f4d2aa213c394395c92c2a67f1

SHA512
a33519a65bde151a4065494e0aa40fc8773b76d62f3c1826496738cffe80bb30bab07ca4d92a12257b6dde97f1a5858e207658d4f7cd5aa460f8799f29a5ce4b

Download Submit
memory/380-365-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/380-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/844-240-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/844-372-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/872-379-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/872-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1084-363-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1084-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1456-392-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1456-72-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1544-377-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1544-200-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1596-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1596-373-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1768-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1768-386-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1804-397-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1804-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1808-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1808-359-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1904-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1920-163-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1920-381-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-384-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2088-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2088-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2116-36-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2264-399-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2264-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2308-362-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2308-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2600-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2600-156-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2664-361-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2664-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2776-327-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3028-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3028-369-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3160-385-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3160-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3168-391-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3168-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3204-338-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3208-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3208-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3252-393-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3252-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3312-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3312-366-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3332-248-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3332-371-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3444-378-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3444-184-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3624-52-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3624-395-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3700-383-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3700-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3820-380-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3820-168-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3856-367-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3856-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3872-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3872-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3984-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3984-387-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4024-100-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4024-389-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4052-375-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4052-216-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4144-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4144-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4196-196-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4376-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4376-368-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4384-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4384-396-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4464-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4464-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4508-398-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4508-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4628-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4628-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4712-92-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4712-390-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4756-302-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4840-28-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4892-350-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4908-224-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4908-374-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5044-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5044-360-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads