a0bb2a7641a563dfbbce4f6ef6e88ac88ec9efcbedfc10fd4f9a70e9c6deeb1a

Analysis

max time kernel
138s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3929e77a3c40e5470841cb07218b7390_NEIKI.exe
Size

896KB
MD5

3929e77a3c40e5470841cb07218b7390
SHA1

61393167de87993e642edf9208941267e4810206
SHA256

a0bb2a7641a563dfbbce4f6ef6e88ac88ec9efcbedfc10fd4f9a70e9c6deeb1a
SHA512

35a0036c655d215fea5b85483ba3151de2aaa94c09afe63a95a11a27e31a26df33d4e938bd1f242a10039d53e96edb815ca638eaf8892092774eae62e40b16fd
SSDEEP

24576:QtskBR6Ph2kkkkK4kXkkkkkkkkhLX3a20R0v50+5:QhWbazR0vp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3929e77a3c40e5470841cb07218b7390_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe

Executes dropped EXE 56 IoCs

pid	Process
2140	Pncgmkmj.exe
2204	Pqbdjfln.exe
4432	Pjjhbl32.exe
1308	Pmidog32.exe
1496	Pdpmpdbd.exe
1720	Qqfmde32.exe
4920	Qgqeappe.exe
2080	Qjoankoi.exe
2040	Qqijje32.exe
2164	Qcgffqei.exe
3168	Ampkof32.exe
3932	Ajckij32.exe
3308	Acnlgp32.exe
3252	Afmhck32.exe
3228	Amgapeea.exe
4928	Acqimo32.exe
3440	Anfmjhmd.exe
1716	Bfabnjjp.exe
4376	Bmkjkd32.exe
2672	Bganhm32.exe
1620	Bjokdipf.exe
4712	Bmngqdpj.exe
2532	Beeoaapl.exe
4816	Bffkij32.exe
616	Bnmcjg32.exe
4196	Beglgani.exe
3104	Bfhhoi32.exe
1880	Bmbplc32.exe
5108	Beihma32.exe
2580	Bfkedibe.exe
4188	Bnbmefbg.exe
2112	Chjaol32.exe
4008	Cmgjgcgo.exe
3336	Cnffqf32.exe
5044	Ceqnmpfo.exe
4052	Cfbkeh32.exe
4192	Cnkplejl.exe
2208	Cajlhqjp.exe
4532	Ceehho32.exe
896	Cnnlaehj.exe
3512	Calhnpgn.exe
2856	Dfiafg32.exe
1376	Dmcibama.exe
2708	Ddmaok32.exe
4180	Djgjlelk.exe
2760	Dobfld32.exe
64	Daqbip32.exe
60	Ddonekbl.exe
3936	Dfnjafap.exe
3028	Dodbbdbb.exe
1868	Deokon32.exe
2316	Dfpgffpm.exe
4724	Dmjocp32.exe
3164	Dddhpjof.exe
1436	Dgbdlf32.exe
456	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2224	456	WerFault.exe	141

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3929e77a3c40e5470841cb07218b7390_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2140	2248	3929e77a3c40e5470841cb07218b7390_NEIKI.exe	84
PID 2248 wrote to memory of 2140	2248	3929e77a3c40e5470841cb07218b7390_NEIKI.exe	84
PID 2248 wrote to memory of 2140	2248	3929e77a3c40e5470841cb07218b7390_NEIKI.exe	84
PID 2140 wrote to memory of 2204	2140	Pncgmkmj.exe	85
PID 2140 wrote to memory of 2204	2140	Pncgmkmj.exe	85
PID 2140 wrote to memory of 2204	2140	Pncgmkmj.exe	85
PID 2204 wrote to memory of 4432	2204	Pqbdjfln.exe	86
PID 2204 wrote to memory of 4432	2204	Pqbdjfln.exe	86
PID 2204 wrote to memory of 4432	2204	Pqbdjfln.exe	86
PID 4432 wrote to memory of 1308	4432	Pjjhbl32.exe	87
PID 4432 wrote to memory of 1308	4432	Pjjhbl32.exe	87
PID 4432 wrote to memory of 1308	4432	Pjjhbl32.exe	87
PID 1308 wrote to memory of 1496	1308	Pmidog32.exe	88
PID 1308 wrote to memory of 1496	1308	Pmidog32.exe	88
PID 1308 wrote to memory of 1496	1308	Pmidog32.exe	88
PID 1496 wrote to memory of 1720	1496	Pdpmpdbd.exe	89
PID 1496 wrote to memory of 1720	1496	Pdpmpdbd.exe	89
PID 1496 wrote to memory of 1720	1496	Pdpmpdbd.exe	89
PID 1720 wrote to memory of 4920	1720	Qqfmde32.exe	90
PID 1720 wrote to memory of 4920	1720	Qqfmde32.exe	90
PID 1720 wrote to memory of 4920	1720	Qqfmde32.exe	90
PID 4920 wrote to memory of 2080	4920	Qgqeappe.exe	91
PID 4920 wrote to memory of 2080	4920	Qgqeappe.exe	91
PID 4920 wrote to memory of 2080	4920	Qgqeappe.exe	91
PID 2080 wrote to memory of 2040	2080	Qjoankoi.exe	92
PID 2080 wrote to memory of 2040	2080	Qjoankoi.exe	92
PID 2080 wrote to memory of 2040	2080	Qjoankoi.exe	92
PID 2040 wrote to memory of 2164	2040	Qqijje32.exe	93
PID 2040 wrote to memory of 2164	2040	Qqijje32.exe	93
PID 2040 wrote to memory of 2164	2040	Qqijje32.exe	93
PID 2164 wrote to memory of 3168	2164	Qcgffqei.exe	95
PID 2164 wrote to memory of 3168	2164	Qcgffqei.exe	95
PID 2164 wrote to memory of 3168	2164	Qcgffqei.exe	95
PID 3168 wrote to memory of 3932	3168	Ampkof32.exe	96
PID 3168 wrote to memory of 3932	3168	Ampkof32.exe	96
PID 3168 wrote to memory of 3932	3168	Ampkof32.exe	96
PID 3932 wrote to memory of 3308	3932	Ajckij32.exe	98
PID 3932 wrote to memory of 3308	3932	Ajckij32.exe	98
PID 3932 wrote to memory of 3308	3932	Ajckij32.exe	98
PID 3308 wrote to memory of 3252	3308	Acnlgp32.exe	99
PID 3308 wrote to memory of 3252	3308	Acnlgp32.exe	99
PID 3308 wrote to memory of 3252	3308	Acnlgp32.exe	99
PID 3252 wrote to memory of 3228	3252	Afmhck32.exe	100
PID 3252 wrote to memory of 3228	3252	Afmhck32.exe	100
PID 3252 wrote to memory of 3228	3252	Afmhck32.exe	100
PID 3228 wrote to memory of 4928	3228	Amgapeea.exe	101
PID 3228 wrote to memory of 4928	3228	Amgapeea.exe	101
PID 3228 wrote to memory of 4928	3228	Amgapeea.exe	101
PID 4928 wrote to memory of 3440	4928	Acqimo32.exe	102
PID 4928 wrote to memory of 3440	4928	Acqimo32.exe	102
PID 4928 wrote to memory of 3440	4928	Acqimo32.exe	102
PID 3440 wrote to memory of 1716	3440	Anfmjhmd.exe	103
PID 3440 wrote to memory of 1716	3440	Anfmjhmd.exe	103
PID 3440 wrote to memory of 1716	3440	Anfmjhmd.exe	103
PID 1716 wrote to memory of 4376	1716	Bfabnjjp.exe	104
PID 1716 wrote to memory of 4376	1716	Bfabnjjp.exe	104
PID 1716 wrote to memory of 4376	1716	Bfabnjjp.exe	104
PID 4376 wrote to memory of 2672	4376	Bmkjkd32.exe	105
PID 4376 wrote to memory of 2672	4376	Bmkjkd32.exe	105
PID 4376 wrote to memory of 2672	4376	Bmkjkd32.exe	105
PID 2672 wrote to memory of 1620	2672	Bganhm32.exe	106
PID 2672 wrote to memory of 1620	2672	Bganhm32.exe	106
PID 2672 wrote to memory of 1620	2672	Bganhm32.exe	106
PID 1620 wrote to memory of 4712	1620	Bjokdipf.exe	107

C:\Users\Admin\AppData\Local\Temp\3929e77a3c40e5470841cb07218b7390_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\3929e77a3c40e5470841cb07218b7390_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\Pncgmkmj.exe
  C:\Windows\system32\Pncgmkmj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\Pqbdjfln.exe
    C:\Windows\system32\Pqbdjfln.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\Pjjhbl32.exe
      C:\Windows\system32\Pjjhbl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
      - C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        55⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        57⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 412
        58⤵
        Program crash
        
        PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 456 -ip 456
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2856

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
896KB

MD5
1403de21d42b407741df47dac814838b

SHA1
81128d22460053829ab5a3722a186dca48c3f5f4

SHA256
4450181230eb75e311be0d965a2b3133e829e9b2f7444a39283b3d77edb986ec

SHA512
8faff9e613283a4ac68792aa955fbdf563916516b8d26112b83813274bf05783fe7973609b891d9886f57d21ad46d7353f945c4a0dc85c54bc6c10bd14361aba

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
896KB

MD5
22a230c900f29cc360a8a4e3f2b31f40

SHA1
4267f39118f5407a08f9358fce5225833f42b491

SHA256
49c9fbd36cc03757a076c9280363d8936f2c58ebce0c3a0c7e72bf6b6234a529

SHA512
d66425d847a101758d18a79d4af0ed5433497c44497f1932620141a3a972c90f168e931d3e34897654a9ad9a20f7a5eb8da11ae8f742aa9dadde4af8a75b0558

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
896KB

MD5
c37f2b9d4e135bca864ca09fc5e4c3fb

SHA1
a466b9b3b32e895732ea10dc2fe8087539db21d9

SHA256
e84fe5fe853ff241c46873ff78a09ed361f77971df14a7f49ef530e802e4e70b

SHA512
0317b093f4d5c84ff40edb1c6a061c19b7f3a1a4f605ba30803a6ca5fc557281805e0c3dde8a08687ae13d402a5af68760d603a696fdd6f75fd7a0780e48ac9f

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
896KB

MD5
59a1413ff033fce42f07c568547af28e

SHA1
7e74f9f25a6d78b729fcb02b93407766a00a4a26

SHA256
d6c1d915fb77f501dfd3be4384d9441351d40d094fc73be000ff3e942c2f279c

SHA512
957aa8e776ae5f9458b1c15dbc44cf0a662fe99af80029ad280d02253c9e1051d5f52459840c79478e431da4e418781aa1d6b4b29124584bf93cec8e571a6129

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
896KB

MD5
6ab86673f22da72d8c0d5010b74fcbe9

SHA1
120c4e975f0f5a596844f401e555458084b8957a

SHA256
b2985c45bd6e910ffd114629041c3f7f3ef510f408a0e446c818124fceea2f6e

SHA512
b1820e389dca2d048dae93c1b4c9fb8f1e05a7b1a377c66213eb699c05fe857a35fba78ab6807c94152656fed6502d98949271864af9f96e772f563fc638cc80

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
896KB

MD5
1d9616f5ee77e4115dcb4a1a33f41919

SHA1
16019a0839eb8097317d13f6e0a4cd2b6eb07bf8

SHA256
1951f13c0d3d1d12fe5aee8ee62be76506467c14d126956b989241bc5ad1b8c9

SHA512
ed4a2050909513354d9c1683c284b66b2bddfc26568aefd63bb89d6987132504af4d6b1379029b07256b9433a2a8a85464eae3c997f22c49b17036aaad94525b

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
896KB

MD5
3fa024866ec18e64f8264270ba7643a6

SHA1
eb0a0a9a4746c06e388829e82d4da13f0af7ea7d

SHA256
b3a7058efae75d0a2b4759acb607f97094762768302a0d858193ef71d4aab47a

SHA512
12feceb88aceadf0b2002a2c60a87c65a820970f828f07527a359196541b299f90f86d73bf8511860163bef10968ce25ba62ae40ced1d096020844605d5ad1b6

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
896KB

MD5
94d4783caf16ef3b66977f8bb501af52

SHA1
3c052377ca7bd772afd97bb2871cb1d4663f01af

SHA256
0cacdd739aa528456c9bad27291190d49a448ad2723b51c03469c48ebdc34690

SHA512
23a597095d9aa9a9378982c4b2564b167c2ccb7cc15e6f2443c4cd24948e9c31e238c8346ff4e1a87d2bcf78e725984d49fdc2a601dd2e84929dd8d427f99a07

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
896KB

MD5
3413bba16818b6d510e20366c65b0d64

SHA1
266f14a94a030aafd91f10576c9554df4e72b99a

SHA256
096277fd8c6e32588c4eae8502ddaef5009a07fd711d1ce3ac43ee9d3af2053a

SHA512
a70e6f78bbca603732cf4b5e390a3f8738454eb556dbe889b9475f600e6b2e1238c480f307562d65099320697f2f1b128eb8d88dd24b7038839f3b0c8026ee57

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
896KB

MD5
e9c5fcaedba0279a5f562f17bc64c412

SHA1
70b24282fa526519d033582ce244180ff3d5badf

SHA256
4c88037263cf9b5d928ed0c349237deca1fabe6e94e3a3bf059112793ee9c6df

SHA512
4e8ba8fd2c24ab5403e6311c55ff3a1fb9704e09f002898779ed6d8b3eb09a3cee2c0ba6238e8ac0c04ddc8b2f8d8a08c836efd7f394d95ac6b3b92380cd332f

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
896KB

MD5
126bf8276220fad70a113dd5f4274db4

SHA1
4ac9135b86ad6fbe6a570f404c15df92be71e96f

SHA256
eb6e3eba6e7f7c8e380e1c96b238b7fd8744eede36fa5886a283ff89378d32ab

SHA512
c8bf12796c4b7289484d403ab290a816e791ee715bdf122168a116923eff4a51465707e32d700596e6b36cfc5dee702e6b412de1f2267667e9fce84d9eea5cd5

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
896KB

MD5
a714dc2ab8e99afdc4fcbbab7d00c69f

SHA1
b7cc6f9bb09df7bb9d6d63365e93b4b38b534a7b

SHA256
a1836c44ad54f208cd29006a4b624edd585c508ba885a56d62c35ade786e10f3

SHA512
8f988196acf5449686d40587b22dc30934f3ee8e7b300e01ed752e4784a032b49da73db0bb6f0df0f5d4751f486c733673d13589a0c855adc5eb17262fe7c12d

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
896KB

MD5
2bafcda8251f7056c3f67accdc049405

SHA1
8384ea39b2d8852065fe84b2a291b2e59590cf5d

SHA256
6b3f47c2cb0ee93b40aaecd239ce22ded65463fe8165cf9401369db65665ee13

SHA512
867f8dd836098056bfdfaa2c69583d5435218c5a71d045886ee3fa7a8033c1bc0122a6dab1de4a5e92c17904a07edc712495b431e34b4437cda9710e75d08fde

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
896KB

MD5
a52d0205230037bf5713776cf8259f52

SHA1
af46487d7c4f0f48212d5945cfbe33576f36a040

SHA256
deaa20e4cd7922d1be14f5ac6be34923750a870422741ddea42ea3880c7d06b9

SHA512
bc9ca358443227ad0e7167086551d94915cff756ee4c82249c3b336bdb846c50f52e0bb3206c278ed4dba2ffb8c68ecf71c58066f1acb8683052ebd095d55393

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
896KB

MD5
5f16ed38c2aff555ea5bb0530bd9bc42

SHA1
0f781f30665708c29dace51d6d697743328ad6ce

SHA256
93d5e503687b34bec9e8686553fe5cde4dfdffb479b00edf1fd19fe91e494638

SHA512
23051601e6d5ae2aecda2f5a94ba8a22bc01fe38fd8e5fd4feaddc182fed8c0cbfaa620d141cdf69b6f90725970ed533745b3df8b9e508f29e93c873f70026ec

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
896KB

MD5
fdaee7e20ca4036a2538f33cacb6979d

SHA1
b3b1247a709eb51ee117e897b7cd5e4cbd47dfa4

SHA256
39ef54fb5fcf9cdef58a8b3350d86e1679424ddfa45598e10c9b7771a01ba83b

SHA512
a4bcb4a0f35eabe97800601e050dc9b6ec1e4554c9de5d71c1c5220ad7a8b36c3f206860878bd4fcc078a62dc4c17dbdb74dc3a9d7a3e46384df0539248d4ad1

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
896KB

MD5
14546ea8daf449cf5ef7f8da59adbcec

SHA1
8c713f44606ae3a74a7b181a49f38cd480a16afa

SHA256
5e24eb7a546b0de4a048fecf3da2fd72d4fff18cd58c04b2e1fe4bec739b8d6e

SHA512
ff01a9a50a18da133673296c4e1578b407691affc16b2fc138d9593ef8eb00998adc5abd7cef83afb3a3e0ade6226387d2fc944cf4eeb27e19ebd446e24c399b

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
896KB

MD5
225453dd368f6a2710bdfbd6ce7b990c

SHA1
f4cc5eff53c1433b4dbcd8a06f43e3f18d392d1d

SHA256
48884f25389da5ad3e715ecc73d207c7109a0b635c06510c63d6983259477648

SHA512
d185aefbabfa097fd8ef49afc1264e273bb06275a93980785e838911f13766584d5ee3fee0bfa53d3fdd29bc9d31dd4451e95dc25f31837e186f00a9f21488a2

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
896KB

MD5
94df7f02e6eb0da0140b5edca872bd6c

SHA1
773dd493b2cd4d415d25752c5996540bc35cfeec

SHA256
fb124327fff68029533697e47cb8dc15f961e96a3c8e573f547273cb07d301f7

SHA512
5f036a1908569e68785d7929a566f117d755b0415d2eea49e670cf683e737a8b1ebb2127c8195d1cf6dbd51d4a1074655a174009b33362f40f74d8881908e43f

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
896KB

MD5
d344d80e369d2cd08468b27c9ea1fac9

SHA1
3e19156b0dc2b273979002b8550ac4aef290a53d

SHA256
14f46bcf41bc921a076380782254123e201ba5b1869c5f289a1b7c1ef6694d2b

SHA512
131777467ad8dc2a41d31e5fdd941378c1ae1c5831acde8e0122d77f9f3476ef2c4feae7f7bbe90b4c8000548c595331a87487e78ec4ea52c7363f6d84e0bd8d

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
896KB

MD5
af38489618753627ae86818a7e859540

SHA1
542e95b251a06e408a518e46e399070ed263906f

SHA256
fee2e1bbfc595b09af9834710060ce5456f4fcb31230f65e295945bfaa0d52ee

SHA512
75d790f7d8b4db36775121835e2b829721cb2416b02bb5fa450608842f4d33f8d1193ed446bc565dda5ae4a92b2e4967aa701c00a9d3fdd4339e2e62590dfd67

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
896KB

MD5
b29119b330b59821d55c7e1451f0689b

SHA1
20085c8e7660b9e7d7074285a1d709b31e856539

SHA256
010bbd4ed8852c08cf26eebbac41de163e38eceecd244c07e6e712d1ecc08de7

SHA512
57cbb5d4870c8a0574f271dbfd13d11321993c91f6f8c8204b3685453b5e661313673d276c694303d769a52cf8b538d7f0a561209a1380aca016928b6c2dc151

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
896KB

MD5
c59282155230f6a2af1f14788f1578a8

SHA1
ae61e8a79a9810cbc0dac7ed213d0d8feb975ade

SHA256
cd52748af95710d5e140c9e80c7d7dccb8742d7076530efeeab686da5ae57d94

SHA512
ac1598c4c32f231c73212bff19343f74bbd412fb535bb6e4fd7668e3af7c3ad976deef782fc260c0612b60bdc9add5fdddc7337fad8d15bd4432248fbad79543

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
896KB

MD5
2ed9e806d697207fb691b245dcde689d

SHA1
982bf61d6782c489d8cab5e43b1dc882784bd63c

SHA256
0eedc654a827c71e373949e5a5f3dd3c73951ec35eb3622d4bbae74c36b5a20e

SHA512
f5e3bce6834bca30598e44e00d904d2050554d314b863f26a64db8ea22d7291b15b261ab3660e8f727c3ddeb1d90a99bb843bee29ef86238089ab86a9c062d84

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
896KB

MD5
2dbf12e2f909ccd347de83a68ed69eb0

SHA1
5f44ea1866529e6c8bb0cfbe4f361fdd7131aaa6

SHA256
a503a7cf945bf66623d35008833a43b0275ea02cf5cc73d409ded804fea7a0e7

SHA512
c9637985a299f44dcb8ea6b11066b578ea8cacfb3727dbcac3fa0cdceeec35f7d7689165379db34b2fd416bd2522f36ef008c82f4f4a7a873ee129abf77df0de

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
896KB

MD5
710a1b5a8f38d29694ca8257d77cbca1

SHA1
2b51fa19871e7cf2ed95803cb6b3ce1eee713477

SHA256
0b5839f256bbb52fb0e6f6c32ca4664b4d48b03b1e4e2bb7bc6b0db1efcb8f7f

SHA512
3ba24127e403d270ddc7e6eefc7ff8ba410e6dab056016819024e93f294e2a0dbec915d08f3a8a7c5daa1a7031dda5da3a5ba600becfa233cde1faad63230c50

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
896KB

MD5
26d9d03f058bd288b8e392c216fb88ac

SHA1
d104f445adb1bf19d2ea56ae8132db70aa86206f

SHA256
2161eccc5043a17ac61569ce96571dc8675819fc148b7ff58349fb97a93c45a2

SHA512
40d32437f662ac039a780676767ba38728e2e1ce8328a06628abe21dd2f731e2060c86a22eb7ed19e1329858b7fb154512767bcf7d15999c5d513e7af694398b

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
896KB

MD5
175e550de887bd265e720636e0685b0d

SHA1
23467a76e3e671acc0810103a0bab478de240848

SHA256
9ab5ac06ec3056103113ec2d60a30453f03917eacf5d17b658408cb7b316e7ad

SHA512
8f8c474ecc4e7672d224a89ca7bb83b1818aa7da9119152390b194c553be73a4a79bf5b20d55463fd919e0d4404687890409546df4de1f703d54f7915a14f85e

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
896KB

MD5
26ec73a16f709442356bf40161379dfd

SHA1
ec0b16cdef02bfb178630f29d83f26bbdb1444bb

SHA256
e1be8de1ac45094af0190917dc824707184e959d4493cd66e4413b173384b4bf

SHA512
6eaa18f7ebe297eb09e07752fbf683151884b169e64f1cb8bd645974fab959194416f45d8eb90382e8c76c43ab372dd8ba133710e55a004b77cc53982028833c

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
896KB

MD5
494bd9a00e75336b0ba148098badc516

SHA1
2fb6847652f556199547ecbf864ed4c6ea246906

SHA256
c90fbf62bba49e7eb29e1e06e490e56fbfb3122152b2a38a129a77caa02dc15f

SHA512
c66e69efa04c28083bd8e5ee1307e6206f32d37ee0928f874d19f0f112b7c60ecb6937211b7ad17cac118525ae60061d65842c2284bd743329633ad5458e39b2

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
896KB

MD5
632f3f7f24919d6021cf14ffbf337abb

SHA1
f45f1d66b3f22077ff9e11f9c89202589aee4d29

SHA256
9dadc06ace6b150f82b24b22cf1bfcff4e214c46987e0e91383aa04e0841d2ef

SHA512
d4aa77f257e87c47eb6a206330318cf7077942a88b76fb28ef1670ad52ce8b2090931e0f91127282aec15c0e49339c7712a432b61644269be14d21e50c717b6e

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
896KB

MD5
e89e7aaea77c149bb9c47ad3427da6d9

SHA1
18f03f25be8057dc1e23681e4221207f9b78f151

SHA256
883d4ffab064718c57b2aa3b402fbedede50edf9e76f285491f3c91b4bfa7b4f

SHA512
29b5c9dd734b08600728cadf5dc2609e3a982f9b467a1943c54834eaca5f063f40b77a5185606738c289115673f71bc22f139d5e13e8056be84fba305ca35737

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
896KB

MD5
7023e47884b1e13fca95bca5d4449d0a

SHA1
e29ac03645d59683877b21510edf85761054ac6e

SHA256
5790ed455ad84d6974528cc730a1c20c9d58d010003690f7b25c76e6bd156a52

SHA512
5eae552649847c3786f5a32b52948ce5163656419d1f3f232807aa18e9c85b5db9758d437ab754e1542fbed1e9024f3935970d6fa115ac11a53860728f090ff8

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
896KB

MD5
fa9b7d25f4e5fd17580fc7d33b27e1c8

SHA1
69331c3445db381bed3a99143e62a3ffe22f1fff

SHA256
888dc49e40b2734e7f871b31ad2b061527c7eadd19516c6a6995a423edf5e843

SHA512
24a85586c00762ac32612fdc80e738fb2ca24f6e3fd3e7ebdada1c13859d4c4f210e5d399a356c1be5990a870e3be951d1aa5291f30ee0a0881ce2fc3a47afe3

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
896KB

MD5
76bf0d5873d60b725edb1df53f19e473

SHA1
12887c6cdb96d9445f3a42437c8c911befe64122

SHA256
53e91b78a3249b7265fbbf669d9e283f83c42ce8ca15d6b2f5d4806e74904e64

SHA512
1594198ff9ae24a7aafc2972d27d8570c3905e06a5a6f7984de5c5abe9761299821926370d9164e6e4531faa413d339bea001d22e98047aab7f46c796b939f0a

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
896KB

MD5
faabdc07d3b0db3fe6f146f3ccce3bee

SHA1
079fdbc7d7df1359cce95d50e78db08ed2e8dd30

SHA256
c45961098d94e45b24c8ce48b7c5e0eae9e059f0492ea5a9ed5504a1dc205127

SHA512
a5d722b78b0dd9ced85c42beeb5b13d50a6a5724fa2a31b865df9bf8be630f8ffd4a9d348bd7f1c5150441b61220b2947ebbbed63952a1318d4753e13acae45a

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
896KB

MD5
ada28717863233a886f1b7ff4e708194

SHA1
d9757741605b3e07ac5c122ce4a7dd46c9da87c9

SHA256
0f7fd5ca235dd345158ea02922247d0803cf60e02e541a50ce6a583ba2c6b3c1

SHA512
c53b6f33240210809f52eeefeccb6d44ea8d6286a4a80e067dabf417136276d9fd75d4567b71420fdada1a519efbc700a33997764603d6d98e4f7c850dc6525e

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
896KB

MD5
647658d60abf328c9f76547677e57ee9

SHA1
b1724d3cb2e4af673323ae58f5c8546f37690c9d

SHA256
e4c4d482e7e0422e9bf131a02e5ecc1bc4bf5c1c1ef1061189184781b136e75a

SHA512
5161901e56694ebca6929035a04d26d713a86b2f3488e6fc8b4e9d54c691c9367d8d75cd88d8a88e9168d2e97a669c1723131bbd78ef2cbf9fb11f99256a4615

Download Submit
memory/60-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/64-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/616-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/616-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2248-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads