75148fbc43cce8fceee59d1ac0fb1f6eaa19532c20811c58eb900f3ea43f3b64

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f454430c6b89f6c5ed34ce7eca2ca2fd.exe
Size

467KB
MD5

f454430c6b89f6c5ed34ce7eca2ca2fd
SHA1

e34e1cc63399b123a98fd3a2e351a650378b3eef
SHA256

75148fbc43cce8fceee59d1ac0fb1f6eaa19532c20811c58eb900f3ea43f3b64
SHA512

27f4d81e52f10c49224fbfbb9c1aac5bf564ad7c800a0676d89620ee22ed8438235fc141e8c85b5f5d6bb8952e6631088b4cdbc7fe2054de84b51b81eb8712d1
SSDEEP

12288:jFdif2o8wE39uW8wESByvNv54B9f01ZmHByvNv5:5C2o8wDW8wQvr4B9f01ZmQvr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f454430c6b89f6c5ed34ce7eca2ca2fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f454430c6b89f6c5ed34ce7eca2ca2fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe

Executes dropped EXE 46 IoCs

pid	Process
4672	Lbdolh32.exe
1696	Lmiciaaj.exe
3292	Mdckfk32.exe
2232	Mdehlk32.exe
1744	Mgkjhe32.exe
1056	Nngokoej.exe
1012	Nphhmj32.exe
2592	Nloiakho.exe
2956	Njefqo32.exe
3744	Odkjng32.exe
4932	Ojgbfocc.exe
1720	Ocpgod32.exe
2168	Oneklm32.exe
3388	Odocigqg.exe
4572	Ofqpqo32.exe
2124	Olkhmi32.exe
3620	Acqimo32.exe
2236	Ajkaii32.exe
4252	backgroundTaskHost.exe
2088	Agoabn32.exe
2484	Bcebhoii.exe
3304	Bnkgeg32.exe
4532	Bchomn32.exe
1608	Balpgb32.exe
5032	Bmbplc32.exe
2848	Bclhhnca.exe
1832	Bapiabak.exe
3092	Cfmajipb.exe
3600	Cabfga32.exe
448	BackgroundTransferHost.exe
3056	Cnffqf32.exe
2860	Cfbkeh32.exe
3312	Cnicfe32.exe
4696	Ceckcp32.exe
2548	Cjpckf32.exe
4448	Cajlhqjp.exe
3508	Cjbpaf32.exe
4052	Calhnpgn.exe
4196	Dfiafg32.exe
4068	Danecp32.exe
4612	Dkifae32.exe
3584	Daconoae.exe
4452	Dfpgffpm.exe
3400	Dogogcpo.exe
2972	Dhocqigp.exe
5140	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	BackgroundTransferHost.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Lbdolh32.exe	f454430c6b89f6c5ed34ce7eca2ca2fd.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	backgroundTaskHost.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nngokoej.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Deimfpda.dll	f454430c6b89f6c5ed34ce7eca2ca2fd.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	f454430c6b89f6c5ed34ce7eca2ca2fd.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	backgroundTaskHost.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5252	5140	WerFault.exe	118

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f454430c6b89f6c5ed34ce7eca2ca2fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	f454430c6b89f6c5ed34ce7eca2ca2fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Agoabn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 4672	5060	f454430c6b89f6c5ed34ce7eca2ca2fd.exe	89
PID 5060 wrote to memory of 4672	5060	f454430c6b89f6c5ed34ce7eca2ca2fd.exe	89
PID 5060 wrote to memory of 4672	5060	f454430c6b89f6c5ed34ce7eca2ca2fd.exe	89
PID 4672 wrote to memory of 1696	4672	Lbdolh32.exe	91
PID 4672 wrote to memory of 1696	4672	Lbdolh32.exe	91
PID 4672 wrote to memory of 1696	4672	Lbdolh32.exe	91
PID 1696 wrote to memory of 3292	1696	Lmiciaaj.exe	90
PID 1696 wrote to memory of 3292	1696	Lmiciaaj.exe	90
PID 1696 wrote to memory of 3292	1696	Lmiciaaj.exe	90
PID 3292 wrote to memory of 2232	3292	Mdckfk32.exe	105
PID 3292 wrote to memory of 2232	3292	Mdckfk32.exe	105
PID 3292 wrote to memory of 2232	3292	Mdckfk32.exe	105
PID 2232 wrote to memory of 1744	2232	Mdehlk32.exe	104
PID 2232 wrote to memory of 1744	2232	Mdehlk32.exe	104
PID 2232 wrote to memory of 1744	2232	Mdehlk32.exe	104
PID 1744 wrote to memory of 1056	1744	Mgkjhe32.exe	103
PID 1744 wrote to memory of 1056	1744	Mgkjhe32.exe	103
PID 1744 wrote to memory of 1056	1744	Mgkjhe32.exe	103
PID 1056 wrote to memory of 1012	1056	Nngokoej.exe	93
PID 1056 wrote to memory of 1012	1056	Nngokoej.exe	93
PID 1056 wrote to memory of 1012	1056	Nngokoej.exe	93
PID 1012 wrote to memory of 2592	1012	Nphhmj32.exe	102
PID 1012 wrote to memory of 2592	1012	Nphhmj32.exe	102
PID 1012 wrote to memory of 2592	1012	Nphhmj32.exe	102
PID 2592 wrote to memory of 2956	2592	Nloiakho.exe	101
PID 2592 wrote to memory of 2956	2592	Nloiakho.exe	101
PID 2592 wrote to memory of 2956	2592	Nloiakho.exe	101
PID 2956 wrote to memory of 3744	2956	Njefqo32.exe	95
PID 2956 wrote to memory of 3744	2956	Njefqo32.exe	95
PID 2956 wrote to memory of 3744	2956	Njefqo32.exe	95
PID 3744 wrote to memory of 4932	3744	Odkjng32.exe	100
PID 3744 wrote to memory of 4932	3744	Odkjng32.exe	100
PID 3744 wrote to memory of 4932	3744	Odkjng32.exe	100
PID 4932 wrote to memory of 1720	4932	Ojgbfocc.exe	99
PID 4932 wrote to memory of 1720	4932	Ojgbfocc.exe	99
PID 4932 wrote to memory of 1720	4932	Ojgbfocc.exe	99
PID 1720 wrote to memory of 2168	1720	Ocpgod32.exe	98
PID 1720 wrote to memory of 2168	1720	Ocpgod32.exe	98
PID 1720 wrote to memory of 2168	1720	Ocpgod32.exe	98
PID 2168 wrote to memory of 3388	2168	Oneklm32.exe	97
PID 2168 wrote to memory of 3388	2168	Oneklm32.exe	97
PID 2168 wrote to memory of 3388	2168	Oneklm32.exe	97
PID 3388 wrote to memory of 4572	3388	Odocigqg.exe	96
PID 3388 wrote to memory of 4572	3388	Odocigqg.exe	96
PID 3388 wrote to memory of 4572	3388	Odocigqg.exe	96
PID 4572 wrote to memory of 2124	4572	Ofqpqo32.exe	106
PID 4572 wrote to memory of 2124	4572	Ofqpqo32.exe	106
PID 4572 wrote to memory of 2124	4572	Ofqpqo32.exe	106
PID 2124 wrote to memory of 3620	2124	Olkhmi32.exe	144
PID 2124 wrote to memory of 3620	2124	Olkhmi32.exe	144
PID 2124 wrote to memory of 3620	2124	Olkhmi32.exe	144
PID 3620 wrote to memory of 2236	3620	Acqimo32.exe	142
PID 3620 wrote to memory of 2236	3620	Acqimo32.exe	142
PID 3620 wrote to memory of 2236	3620	Acqimo32.exe	142
PID 2236 wrote to memory of 4252	2236	Ajkaii32.exe	151
PID 2236 wrote to memory of 4252	2236	Ajkaii32.exe	151
PID 2236 wrote to memory of 4252	2236	Ajkaii32.exe	151
PID 4252 wrote to memory of 2088	4252	backgroundTaskHost.exe	140
PID 4252 wrote to memory of 2088	4252	backgroundTaskHost.exe	140
PID 4252 wrote to memory of 2088	4252	backgroundTaskHost.exe	140
PID 2088 wrote to memory of 2484	2088	Agoabn32.exe	139
PID 2088 wrote to memory of 2484	2088	Agoabn32.exe	139
PID 2088 wrote to memory of 2484	2088	Agoabn32.exe	139
PID 2484 wrote to memory of 3304	2484	Bcebhoii.exe	138

C:\Users\Admin\AppData\Local\Temp\f454430c6b89f6c5ed34ce7eca2ca2fd.exe
"C:\Users\Admin\AppData\Local\Temp\f454430c6b89f6c5ed34ce7eca2ca2fd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\Lbdolh32.exe
  C:\Windows\system32\Lbdolh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\SysWOW64\Lmiciaaj.exe
    C:\Windows\system32\Lmiciaaj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1696

C:\Windows\SysWOW64\Mdckfk32.exe
C:\Windows\system32\Mdckfk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\SysWOW64\Mdehlk32.exe
  C:\Windows\system32\Mdehlk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2232

C:\Windows\SysWOW64\Nphhmj32.exe
C:\Windows\system32\Nphhmj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\Nloiakho.exe
  C:\Windows\system32\Nloiakho.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2592

C:\Windows\SysWOW64\Odkjng32.exe
C:\Windows\system32\Odkjng32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\SysWOW64\Ojgbfocc.exe
  C:\Windows\system32\Ojgbfocc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4932

C:\Windows\SysWOW64\Ofqpqo32.exe
C:\Windows\system32\Ofqpqo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\SysWOW64\Olkhmi32.exe
  C:\Windows\system32\Olkhmi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\Acqimo32.exe
    C:\Windows\system32\Acqimo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3620

C:\Windows\SysWOW64\Odocigqg.exe
C:\Windows\system32\Odocigqg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\SysWOW64\Oneklm32.exe
C:\Windows\system32\Oneklm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\Ocpgod32.exe
C:\Windows\system32\Ocpgod32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\Njefqo32.exe
C:\Windows\system32\Njefqo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\Nngokoej.exe
C:\Windows\system32\Nngokoej.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\Mgkjhe32.exe
C:\Windows\system32\Mgkjhe32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\Bapiabak.exe
C:\Windows\system32\Bapiabak.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1832
- C:\Windows\SysWOW64\Cfmajipb.exe
  C:\Windows\system32\Cfmajipb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:3092

C:\Windows\SysWOW64\Cfbkeh32.exe
C:\Windows\system32\Cfbkeh32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2860
- C:\Windows\SysWOW64\Cnicfe32.exe
  C:\Windows\system32\Cnicfe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3312

C:\Windows\SysWOW64\Cajlhqjp.exe
C:\Windows\system32\Cajlhqjp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4448
- C:\Windows\SysWOW64\Cjbpaf32.exe
  C:\Windows\system32\Cjbpaf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3508
- - C:\Windows\SysWOW64\Calhnpgn.exe
    C:\Windows\system32\Calhnpgn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4052
  - - C:\Windows\SysWOW64\Dfiafg32.exe
      C:\Windows\system32\Dfiafg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:4196
    - - C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
      - C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452

C:\Windows\SysWOW64\Dogogcpo.exe
C:\Windows\system32\Dogogcpo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3400
- C:\Windows\SysWOW64\Dhocqigp.exe
  C:\Windows\system32\Dhocqigp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2972

C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
1⤵
- Executes dropped EXE
PID:5140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 416
  2⤵
  - Program crash
  PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5140 -ip 5140
1⤵
PID:5204

C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2548

C:\Windows\SysWOW64\Ceckcp32.exe
C:\Windows\system32\Ceckcp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4696

C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\system32\Cnffqf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3056

C:\Windows\SysWOW64\Chmndlge.exe
C:\Windows\system32\Chmndlge.exe
1⤵
PID:448

C:\Windows\SysWOW64\Cabfga32.exe
C:\Windows\system32\Cabfga32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3600

C:\Windows\SysWOW64\Bclhhnca.exe
C:\Windows\system32\Bclhhnca.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2848

C:\Windows\SysWOW64\Bmbplc32.exe
C:\Windows\system32\Bmbplc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5032

C:\Windows\SysWOW64\Balpgb32.exe
C:\Windows\system32\Balpgb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1608

C:\Windows\SysWOW64\Bchomn32.exe
C:\Windows\system32\Bchomn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4532

C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3304

C:\Windows\SysWOW64\Bcebhoii.exe
C:\Windows\system32\Bcebhoii.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\Agoabn32.exe
C:\Windows\system32\Agoabn32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\Aadifclh.exe
C:\Windows\system32\Aadifclh.exe
1⤵
PID:4252

C:\Windows\SysWOW64\Ajkaii32.exe
C:\Windows\system32\Ajkaii32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:448

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
4KB

MD5
805be308a91ed61b80ede4f71b722571

SHA1
7e88567f948ef7aad1c62474c1d81adbb7ee3ba0

SHA256
0c00ecf63c4c11233175b75c72de6b1488820939f3bf7a76449b65a094eb21d5

SHA512
b9ea707e9051a79cb2695cfdf16b049fcc73955f3a9fa6b1f01b7fb1d093c4e7ad9636fbdd16fe48127761640d5da5dc27f2b88652b8c552f86cf8c672fd8cc7

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
53KB

MD5
91d6ba354b94c80f528ab90331c20812

SHA1
a52fc26164b96da1d97f32b37da3588016a8b0b1

SHA256
1784088089f6e7de9001647e9c9e6a4b97112f2feec881cfcbe83b0389af4632

SHA512
a57fba766b7b9f06561f76784c9de3fa88a26669136d5c7796662b5e5f34cf45913cc182982d23f32cdc27f3f3f81ba5c5e8147d18b7347316ba3cb241c6c865

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
32KB

MD5
1157ef6b9d0227d5d72a50e878b82dd7

SHA1
f8edd00fe792739674a05a10e5676a141bab7ea7

SHA256
97ee2cf2a02f7efb44131f417bab148dd7c20be7e2127852c047d7ae54375561

SHA512
f361f0ed888800d4ea714fa3e8e00e32da9a4feb820bdc7a2707eec67d5db28109d12cc86bb0abefb58fc7b974f34864ad08deb0e4c7bab790aeeb320e51febc

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
32KB

MD5
ad6d2567198796ddf63411960cf39b5f

SHA1
7ca31fe7b5bd043f6d2380820c72c9e35a2372b7

SHA256
e05b9ee16aa98068d8ec02d61bc629b31f698d760b9990f8551857c7fe5f4006

SHA512
aa54a2213eb5b05c5359aa9a9f4f784bf45127b9d1283ba3799043f867667eb93755fe4160e664d6e0b7bfac9479887b31b6308ab088ccce8c5cb0f2fde72500

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
2KB

MD5
40de02fbf7e5026d6418547f3b86e015

SHA1
af30f69c274786a598019e4deb7a7c3bb70878f7

SHA256
e595a6c1ae86460c79d5e64cd53224c329c9fe154ac54038807ab533301e2f3c

SHA512
8ab2c9130bed3e6614dec0eae572e09ef3ae158175d733b572b7e56f57e4a6843564fcdf1012cdb73f317f72eabc1f46f6ffceb5abc99be2c15424f075f6b47d

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
4KB

MD5
24e1cb58fa96ea6b30c8fc7defbb60e7

SHA1
415fc2e139d2dac575f35df46379d202ca107d46

SHA256
c45cc8d9b9565d276cbc4e20c5b8715c17ed1fcc4226459fd97fdddf88c04e53

SHA512
c5d0b87c8c106da894abfdb1f3fca5080588b6e1a9b7230492912b9991b8460617ae744447e9b6eb6f050a3e0f0b03379af657f3e56494f526daebbc09a643b1

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
467KB

MD5
d2d97268627c8d59cb0a1b8ed4e96392

SHA1
a518cf43c54e755a850dab201662222b4ca4235b

SHA256
8b475b8c1c6f4d3160dad477fdda4bf26f7eac2c8f0ef6e6bc6fb851d3d6b4df

SHA512
71574865fcb07a9f2997d09f48cb0287829368433f4f33bc93f4340bab8f1dfbcf384edbbe783da2fb63c531ad6d20f34ec1fd47550097c3ee596b70bb2ec673

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
92KB

MD5
55d07919d871dafa1378bc2f865da7bf

SHA1
1f6d3c52a751ec9027e08dd329ffb13d734ab010

SHA256
ea0aaf20076dc61cb2e9553c2edd726f1a40755ed15c4937b9556d9003dfaf0e

SHA512
c54fa771bc77915fd813c663932777eab1ec0da2d6830831abfaf92e78f0475e6294c1e77e8cd1b09a1d33f0c06291deb3840c1b25a2647f8c1097063f9e74c5

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
92KB

MD5
3f5835598e1e441a9972d0715c50b413

SHA1
c09e8ab6b92f064bf1d9c74bd714299b27df7d33

SHA256
c247aeb95f4fe9adc77186a263168691f35d86b7a7f89f49a54640faf274354b

SHA512
09e0d4c01b349bcd550cc7dc2a2f931398557a71d8b8b1864c958618c6ad7eac644e426be3ebad3c3c717accf4f2fcfc498565815f0226a84a30a6826d7c46e6

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
76KB

MD5
da0dba43d35aa0a4aab795f1cb544973

SHA1
0038c74691b26fe447ef12929643062c07abf990

SHA256
458344a6e350c0fefea4562696146b3060c3d0baf49fd7d8af43f7c8f48b97d2

SHA512
ca2c4c03eaabc49ad779ce67ba2c69fe3004dc40c0dc1d4ae07ccffca7ed1bb9c8dd09fbcb0af6fc974ccca2066dd5eb08d19ebb29eefdfc1cd25a5118e1bdf0

Download Submit
memory/448-375-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/448-241-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1012-56-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1056-47-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1608-192-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1696-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1720-96-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1744-40-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1832-220-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2088-160-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2124-127-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2168-104-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-32-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2236-144-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2484-172-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2548-365-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2548-275-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2592-63-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2848-208-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2860-371-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2860-256-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2956-71-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2972-334-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2972-345-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3056-248-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3056-373-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3092-224-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3292-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3304-176-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3312-262-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3312-369-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3388-112-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3400-328-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3400-347-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3508-361-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3508-286-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3584-320-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3584-351-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3600-232-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3620-136-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3744-80-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4052-292-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4052-359-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4068-355-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4068-304-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4196-298-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4196-357-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4252-155-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4448-363-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4448-280-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4452-322-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4452-349-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4532-184-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4572-120-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4612-310-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4612-353-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4672-12-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4696-367-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4696-268-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4932-88-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5032-200-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5060-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5140-343-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5140-340-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads