f6896bc2defbe718e284e49ca5f1fb244d05c1e862006f55fb033c0205ed2de2

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a6da1e2c6395cccc68001d5475b71c54.exe
Size

80KB
MD5

a6da1e2c6395cccc68001d5475b71c54
SHA1

5e85e6e9a76c446bc43e37594afab712bf27862d
SHA256

f6896bc2defbe718e284e49ca5f1fb244d05c1e862006f55fb033c0205ed2de2
SHA512

5a90dbb684aecca3911d7b4ee4c44fee467687c92a2cb16d5747c6c3759732e288b02bc4cc844664cf43c52b38a7556b15a8a79498c3af2d740eb26861eb2678
SSDEEP

1536:FdSP72rpOazgTvm486sxOSs3W+2LVAS5DUHRbPa9b6i+sIk:I72rbzgTvm4LsU93cCS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poapfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a6da1e2c6395cccc68001d5475b71c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a6da1e2c6395cccc68001d5475b71c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkdakjb.exe

Executes dropped EXE 23 IoCs

pid	Process
2820	Pqjfoa32.exe
2664	Piekcd32.exe
2396	Poocpnbm.exe
2696	Pdlkiepd.exe
2464	Poapfn32.exe
2568	Qeohnd32.exe
2500	Qgmdjp32.exe
564	Abeemhkh.exe
2796	Aganeoip.exe
2896	Aeenochi.exe
1976	Agfgqo32.exe
2204	Acmhepko.exe
816	Afkdakjb.exe
364	Apdhjq32.exe
1156	Bnielm32.exe
2484	Bphbeplm.exe
936	Bonoflae.exe
1816	Bhfcpb32.exe
344	Baohhgnf.exe
2284	Bkglameg.exe
3044	Baadng32.exe
1780	Cfnmfn32.exe
2976	Cacacg32.exe

Loads dropped DLL 50 IoCs

pid	Process
1380	a6da1e2c6395cccc68001d5475b71c54.exe
1380	a6da1e2c6395cccc68001d5475b71c54.exe
2820	Pqjfoa32.exe
2820	Pqjfoa32.exe
2664	Piekcd32.exe
2664	Piekcd32.exe
2396	Poocpnbm.exe
2396	Poocpnbm.exe
2696	Pdlkiepd.exe
2696	Pdlkiepd.exe
2464	Poapfn32.exe
2464	Poapfn32.exe
2568	Qeohnd32.exe
2568	Qeohnd32.exe
2500	Qgmdjp32.exe
2500	Qgmdjp32.exe
564	Abeemhkh.exe
564	Abeemhkh.exe
2796	Aganeoip.exe
2796	Aganeoip.exe
2896	Aeenochi.exe
2896	Aeenochi.exe
1976	Agfgqo32.exe
1976	Agfgqo32.exe
2204	Acmhepko.exe
2204	Acmhepko.exe
816	Afkdakjb.exe
816	Afkdakjb.exe
364	Apdhjq32.exe
364	Apdhjq32.exe
1156	Bnielm32.exe
1156	Bnielm32.exe
2484	Bphbeplm.exe
2484	Bphbeplm.exe
936	Bonoflae.exe
936	Bonoflae.exe
1816	Bhfcpb32.exe
1816	Bhfcpb32.exe
344	Baohhgnf.exe
344	Baohhgnf.exe
2284	Bkglameg.exe
2284	Bkglameg.exe
3044	Baadng32.exe
3044	Baadng32.exe
1780	Cfnmfn32.exe
1780	Cfnmfn32.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aeenochi.exe	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Hbcicn32.dll	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Ennlme32.dll	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Piekcd32.exe	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Poocpnbm.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Lbbjgn32.dll	Pdlkiepd.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Acmhepko.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Poapfn32.exe	Pdlkiepd.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Apdhjq32.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pqjfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Poocpnbm.exe	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Afkdakjb.exe	Acmhepko.exe
File opened for modification	C:\Windows\SysWOW64\Qgmdjp32.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Blkahecm.dll	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Aganeoip.exe	Abeemhkh.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Pqjfoa32.exe	a6da1e2c6395cccc68001d5475b71c54.exe
File created	C:\Windows\SysWOW64\Gneolbel.dll	a6da1e2c6395cccc68001d5475b71c54.exe
File opened for modification	C:\Windows\SysWOW64\Pdlkiepd.exe	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Imogmg32.dll	Piekcd32.exe
File created	C:\Windows\SysWOW64\Agfgqo32.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Pqjfoa32.exe	a6da1e2c6395cccc68001d5475b71c54.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Doojhgfa.dll	Qeohnd32.exe
File opened for modification	C:\Windows\SysWOW64\Abeemhkh.exe	Qgmdjp32.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Acmhepko.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Eioojl32.dll	Poapfn32.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Pdlkiepd.exe	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Qgmdjp32.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Abeemhkh.exe	Qgmdjp32.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Poapfn32.exe
File created	C:\Windows\SysWOW64\Naaffn32.dll	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Bnielm32.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Poapfn32.exe	Pdlkiepd.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Poapfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Bnielm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3064	2976	WerFault.exe	50

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a6da1e2c6395cccc68001d5475b71c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkahecm.dll"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imogmg32.dll"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a6da1e2c6395cccc68001d5475b71c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll"	Poapfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a6da1e2c6395cccc68001d5475b71c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbjgn32.dll"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll"	a6da1e2c6395cccc68001d5475b71c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a6da1e2c6395cccc68001d5475b71c54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcicn32.dll"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a6da1e2c6395cccc68001d5475b71c54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aganeoip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Apdhjq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 2820	1380	a6da1e2c6395cccc68001d5475b71c54.exe	28
PID 1380 wrote to memory of 2820	1380	a6da1e2c6395cccc68001d5475b71c54.exe	28
PID 1380 wrote to memory of 2820	1380	a6da1e2c6395cccc68001d5475b71c54.exe	28
PID 1380 wrote to memory of 2820	1380	a6da1e2c6395cccc68001d5475b71c54.exe	28
PID 2820 wrote to memory of 2664	2820	Pqjfoa32.exe	34
PID 2820 wrote to memory of 2664	2820	Pqjfoa32.exe	34
PID 2820 wrote to memory of 2664	2820	Pqjfoa32.exe	34
PID 2820 wrote to memory of 2664	2820	Pqjfoa32.exe	34
PID 2664 wrote to memory of 2396	2664	Piekcd32.exe	33
PID 2664 wrote to memory of 2396	2664	Piekcd32.exe	33
PID 2664 wrote to memory of 2396	2664	Piekcd32.exe	33
PID 2664 wrote to memory of 2396	2664	Piekcd32.exe	33
PID 2396 wrote to memory of 2696	2396	Poocpnbm.exe	32
PID 2396 wrote to memory of 2696	2396	Poocpnbm.exe	32
PID 2396 wrote to memory of 2696	2396	Poocpnbm.exe	32
PID 2396 wrote to memory of 2696	2396	Poocpnbm.exe	32
PID 2696 wrote to memory of 2464	2696	Pdlkiepd.exe	31
PID 2696 wrote to memory of 2464	2696	Pdlkiepd.exe	31
PID 2696 wrote to memory of 2464	2696	Pdlkiepd.exe	31
PID 2696 wrote to memory of 2464	2696	Pdlkiepd.exe	31
PID 2464 wrote to memory of 2568	2464	Poapfn32.exe	29
PID 2464 wrote to memory of 2568	2464	Poapfn32.exe	29
PID 2464 wrote to memory of 2568	2464	Poapfn32.exe	29
PID 2464 wrote to memory of 2568	2464	Poapfn32.exe	29
PID 2568 wrote to memory of 2500	2568	Qeohnd32.exe	30
PID 2568 wrote to memory of 2500	2568	Qeohnd32.exe	30
PID 2568 wrote to memory of 2500	2568	Qeohnd32.exe	30
PID 2568 wrote to memory of 2500	2568	Qeohnd32.exe	30
PID 2500 wrote to memory of 564	2500	Qgmdjp32.exe	35
PID 2500 wrote to memory of 564	2500	Qgmdjp32.exe	35
PID 2500 wrote to memory of 564	2500	Qgmdjp32.exe	35
PID 2500 wrote to memory of 564	2500	Qgmdjp32.exe	35
PID 564 wrote to memory of 2796	564	Abeemhkh.exe	36
PID 564 wrote to memory of 2796	564	Abeemhkh.exe	36
PID 564 wrote to memory of 2796	564	Abeemhkh.exe	36
PID 564 wrote to memory of 2796	564	Abeemhkh.exe	36
PID 2796 wrote to memory of 2896	2796	Aganeoip.exe	37
PID 2796 wrote to memory of 2896	2796	Aganeoip.exe	37
PID 2796 wrote to memory of 2896	2796	Aganeoip.exe	37
PID 2796 wrote to memory of 2896	2796	Aganeoip.exe	37
PID 2896 wrote to memory of 1976	2896	Aeenochi.exe	38
PID 2896 wrote to memory of 1976	2896	Aeenochi.exe	38
PID 2896 wrote to memory of 1976	2896	Aeenochi.exe	38
PID 2896 wrote to memory of 1976	2896	Aeenochi.exe	38
PID 1976 wrote to memory of 2204	1976	Agfgqo32.exe	39
PID 1976 wrote to memory of 2204	1976	Agfgqo32.exe	39
PID 1976 wrote to memory of 2204	1976	Agfgqo32.exe	39
PID 1976 wrote to memory of 2204	1976	Agfgqo32.exe	39
PID 2204 wrote to memory of 816	2204	Acmhepko.exe	40
PID 2204 wrote to memory of 816	2204	Acmhepko.exe	40
PID 2204 wrote to memory of 816	2204	Acmhepko.exe	40
PID 2204 wrote to memory of 816	2204	Acmhepko.exe	40
PID 816 wrote to memory of 364	816	Afkdakjb.exe	41
PID 816 wrote to memory of 364	816	Afkdakjb.exe	41
PID 816 wrote to memory of 364	816	Afkdakjb.exe	41
PID 816 wrote to memory of 364	816	Afkdakjb.exe	41
PID 364 wrote to memory of 1156	364	Apdhjq32.exe	42
PID 364 wrote to memory of 1156	364	Apdhjq32.exe	42
PID 364 wrote to memory of 1156	364	Apdhjq32.exe	42
PID 364 wrote to memory of 1156	364	Apdhjq32.exe	42
PID 1156 wrote to memory of 2484	1156	Bnielm32.exe	43
PID 1156 wrote to memory of 2484	1156	Bnielm32.exe	43
PID 1156 wrote to memory of 2484	1156	Bnielm32.exe	43
PID 1156 wrote to memory of 2484	1156	Bnielm32.exe	43

C:\Users\Admin\AppData\Local\Temp\a6da1e2c6395cccc68001d5475b71c54.exe
"C:\Users\Admin\AppData\Local\Temp\a6da1e2c6395cccc68001d5475b71c54.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\Pqjfoa32.exe
  C:\Windows\system32\Pqjfoa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\Piekcd32.exe
    C:\Windows\system32\Piekcd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2664

C:\Windows\SysWOW64\Qeohnd32.exe
C:\Windows\system32\Qeohnd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\Qgmdjp32.exe
  C:\Windows\system32\Qgmdjp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\Abeemhkh.exe
    C:\Windows\system32\Abeemhkh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\SysWOW64\Aganeoip.exe
      C:\Windows\system32\Aganeoip.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:344
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        18⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:3064

C:\Windows\SysWOW64\Poapfn32.exe
C:\Windows\system32\Poapfn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\Pdlkiepd.exe
C:\Windows\system32\Pdlkiepd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\Poocpnbm.exe
C:\Windows\system32\Poocpnbm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeenochi.exe

Filesize
80KB

MD5
284029952fb7bea20d94a3523b4a6b10

SHA1
183a7438496febdad2ffaa7cdf535c29d8965e98

SHA256
9d14ff8ea10df9950032adb7634b89f127c1db69b63d77759e79ab9f1c438f3c

SHA512
e384ab4c1035297d3dc4506e27546513e2327f21cd174ff1fb200ca0b6aaa28da70f053b75255f57322ddf022795eec85b1e399a4dee344b610b7fa41214e522

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
80KB

MD5
1d5473a35ba307ca6aebce0af3fbb801

SHA1
b9d22328229b40c669fc582a494986f2245b308f

SHA256
9eca08d89dcef451065cfaedd4d8a0f469d8c733c21b1cca22f7730d8daad2ba

SHA512
444adf3f96188c6c785c434f2a8f92a7669ae1e2e13898bf906687a0cec51ba67a17be920ea1e648e6dfc9f5642d18f9c77b6e317d1cc42ed010ed829b7ef69c

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
80KB

MD5
fa2ec45a15db9b63e5902c351e80f40e

SHA1
bc5a1cfa6f20464f500a6cf866226a7fbc9675f9

SHA256
ed25a22bba1bb4d310e8f6a67f6b132056751dfa3d23efac06b09e1107946a9c

SHA512
37313d8cfe283cb5658c307b251f2ada0645efed54ed6feb404cb8fcf72ffa963fb18e742651a6d62f1f97d8256b449dd4779b918d823f51a9de1b3112f1dd6a

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
80KB

MD5
d01d6b1dd14265911c02d1b07bf6a517

SHA1
54e5e00230a43dd27aadeca8269281ff3b643671

SHA256
75d8a412e82f3d3dd241ce379eabf7dd373074bb93d073cd41e531d3aec411f3

SHA512
f533e03388ab703a707ff3b925d8eb8870ce1253af144f938d30f79440a9c46746167d88170250f1c692e0d2b7c9f8c0e1c06754caafe30ac011e23c10212d56

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
80KB

MD5
39e76a7cfe37eec7659c5474f06c3f7b

SHA1
db717a6770253cd2ccdadea5895eeb433c28cd3e

SHA256
86f82656a5424cf8bcee272ab1448984dc4df04429484b3ec574699b5a984d96

SHA512
a2873fed0a44f3d7df249c3846ff89e3865494c2a3a5c95fa1e11344be823da8aa6c82a9cd94677005680da0bfe968b3f5b4ff313beb5f2ae9d496d42ff48f1a

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
80KB

MD5
3ce7ef1603fc56df9b5c7f9dcb0b4802

SHA1
734fd8c7ad9d42349828ad69d1e922a4946e3eef

SHA256
4ab6df2294b74877f78708de88863873515506dae2199bcef38077368c974a7d

SHA512
4dd5ffc4e85cd3a4043eb24d1bcc52d065fbec4742762b96db89a1213506764ae703a7021b492b06a7d0b6db65e66d3fc3ab9d74f2cbf24f09b4af2b417da63a

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
80KB

MD5
fdd57cdd7b9242051159b1b7806371fb

SHA1
13660b0d892b1441a5675fb3e137b2bf105a7588

SHA256
1550f490f229efb87a1fd465e1d5f1f2d42b4adad0bfd711766dff5fff4b3c47

SHA512
33b2222e5a940eb050ebcc0bbd674803de75fb67261ca34165897e26dc668fee49c2980f33177d9d5fffaa5549625aeb259c2183ff4ed114c96cda050bd37dfd

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
80KB

MD5
4a92deed23521c78282a036dfc8eab3f

SHA1
cf9288a136dbd93a47aecafcfce8e252e86a001c

SHA256
3485e2584b102f785aab43fad46e8798a01854964a2ef4c43ad4ac85cce1078f

SHA512
8dba57740a7f2c1c53d9f958b5b6edf7450110437a9b53eb6905eb7d79bbb039d91a0872371a0b182dddfb96c92f2d4cc0bbb1bce39259900fac8a7d192f9c27

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
80KB

MD5
789e1ee295f3e95e7ac1ebaffea23012

SHA1
075dad3ccf4718f7cf8397f3d858162029713957

SHA256
c5dbdb19251a2b278f6a0ffd0eb3ea2f40d820816f8633e664611783e8c2ff01

SHA512
21c1ed9621a7f79df7728291d1f94728b2b0b93e2d55c8f0ca85ac48ac41de1ba18a398a8fcb373d4b9beb6a5365d3e6ffd39a2c62051a0578ebaedc7d6e1633

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
80KB

MD5
5f8c4a305aa4ea7c5f9b3091c9cbccee

SHA1
a6d5557cf2990a0cd3aa035dbe0c548093569ca2

SHA256
ca6c49f4b8a45eb8df789ce40da780e79a2d4143abbb02774b352cdcd66fac38

SHA512
fe04376cd2c8a7f38c4fcde97e05f2fee06a431a8095b31f995742352da2f53e66292fae64729177a624113a7698d7fbf8d882749212da628fcdd5d33da011d9

Download Submit
C:\Windows\SysWOW64\Poapfn32.exe

Filesize
80KB

MD5
c2a6ff35b4e1601b9af17a380d066d87

SHA1
abe764fba54812196679e1a2de5b04a7cb3a17f7

SHA256
1be98b9988cfd7420b27561ab08ddfde592ce0f7590e8c85f21db466c41298e2

SHA512
d954db7fde8e5cb93333b2cc77f6cd10c2f27eac81394a8958ea67602759806ca6eb247689d08cd347117322b7ce4ea868fbe5b5762ac588a876bed4434e8ed9

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
80KB

MD5
b4f7523c8d4105fdef9ea64c15d97282

SHA1
35dfbc20a8afab207a0b86f83d5dcb05b623fcec

SHA256
b745fb9e7a791e3e7fcca3d0e8dd8d5bb5db8b1a968def1cf897b445f416d3d9

SHA512
694ee5770d01b95493b0b5d9d99b6d0f12a9998e84a26c523e408b0da5dd1cea4ef53e5af371bdaaae4d4e1441906a4163ea6118588826869552f33beaee052c

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
80KB

MD5
82f350dd03e25dbe19710aba53303e73

SHA1
f096f89436b5f953bebaf4cedaf5435e00f9e152

SHA256
b1b2ef7b6bb2cdad8d6bcb45f94bda09b44dd11ae99b025c31241ceeb176e93f

SHA512
606b3ddb547f781a13df0da5a883fc024d0f80480e09973d7ecc0a20f8fccb2054bf7752c57ed1054501401d0d21d9720fd9a6635ccff5d05cc429e086d1c0d0

Download Submit
\Windows\SysWOW64\Abeemhkh.exe

Filesize
80KB

MD5
d958c8973a348762379be1e06c1fca9d

SHA1
6a3f0a3dd9796213b4fe7cf0fee4b4459c1b01c3

SHA256
43b2ea665d71a6c9e5eb3c30318cced8ae9411b0497f5a3486a5690566c57fbf

SHA512
2c6fd57bc37ed8cffe7941760417b9f6d6084724888ed0790c6a0f4d5c037f6e0adedbcc34ecc96689bf08c7c48736d6b454926ab314896cce7830afbf0c55f8

Download Submit
\Windows\SysWOW64\Acmhepko.exe

Filesize
80KB

MD5
99aa75fa54cbcbb7aeae4dbca90c5869

SHA1
5545c9faab289aa010855758d4dad1e2de643d5b

SHA256
a89abfe190f28f06d2288b02f27ff9cb0c2fad96338d64f7c7be7d2a28025fd6

SHA512
7dbc856248c8927f203271e180c917391f4753ed0d00bdc7b49d079a3ec77235ec20da0291e817c2fac812acdb37473afda0ff40f73e4b45e85cd99ba7c0db09

Download Submit
\Windows\SysWOW64\Afkdakjb.exe

Filesize
80KB

MD5
220a80247dc614d9cb30e33c1cf4d523

SHA1
e61e034af48e5d0be53161cee3d41bbb642f07c1

SHA256
1bfbd260928e2c3b6b836eee99892a923f6a4256806d2c09c7f953605bb23390

SHA512
b0143e0bb4ca1683d54c2bde250807dec15ef82f5f5371959f3b08f00c7c18e1c9f00f68f4c24e4417fcb9d9ee73c098a047add93eaab2245cd09048b8334fb6

Download Submit
\Windows\SysWOW64\Aganeoip.exe

Filesize
80KB

MD5
905d9c10f3ece8a123ef10a8e987b465

SHA1
2fdb86e3612d301264a60e6c439fed7f2b21d6a3

SHA256
ddedb33f6f0fff06077ee3dfe9e8d520d315c4fb4f902b530f6f7a3134fbec0d

SHA512
925643e774cb0a57db5f119901fe277cf1fe3add094df7136f87c50b47c2d6e2583962f4eeca344d5d6e64499e2349d1b69130dbd8493eb1981fbdc1545ae9d8

Download Submit
\Windows\SysWOW64\Agfgqo32.exe

Filesize
80KB

MD5
a0ae79bf00f9c50b8bb535d3103343d3

SHA1
aee1cdb15101fefb2b34249f52b0a89d67f255d4

SHA256
1bae2ec8c3eee1d4895ed55f7a5bd95342b140c4a450ff434b4aad8e68e0adad

SHA512
aba536e2567621a9d1a2f177a6a10692ae5d3bfd62375fbcb74faad8e072b83893e697ffba239fd7d09da5561256627878abc70617aa730c050b3ed11c15be96

Download Submit
\Windows\SysWOW64\Apdhjq32.exe

Filesize
80KB

MD5
95e48ec6e3ec36d5cda6eade52b982e1

SHA1
335102aa835e607100eaa5c942ee087827d2526b

SHA256
70fa12c5dfc6dbafc31aecec1681d403569993ee7baeccd0b065f6e053cd0190

SHA512
64576ed242f38b04ab674b7aa3e27329037b9b1954ba0f50afeeb625c7e72a068cec544f25f20fdd50086a7cbab84a00aedb0bc4803916252977412d11954670

Download Submit
\Windows\SysWOW64\Bnielm32.exe

Filesize
80KB

MD5
6ef1e3eedbcc796ce17357eacb35193d

SHA1
ba62d6dce89e3c74caf776aff27d1299d70d1590

SHA256
37227c3b2b8b547b16e1276988d75007977339c650785c81e682038af3e7ba71

SHA512
063b12f9effeba07243cf745dd7e5f1669366d821af2f7d4821d354401ef29c5e735d3ed2d3d5831e1a01461e1441e972592ffbac26ea2375c9e38a62b0e2af2

Download Submit
\Windows\SysWOW64\Pdlkiepd.exe

Filesize
80KB

MD5
42c8ca9a86d6b30bb7d199444407f057

SHA1
a30d89f988fb0a1be5b91c617ae7025b3dbbf4e9

SHA256
f8e76c16ef1cd4f7d76f975d0b3d348cc82aff63224bce00f695af1cf607cfda

SHA512
f4b60d107965ef6f093fc08d20e3f45ff2a27811dd7303775d7532e55158a0ac1a251fed80eeb17456ab3644da3236e7ea8e8d5e0659bee3674654be3def72bd

Download Submit
\Windows\SysWOW64\Poocpnbm.exe

Filesize
80KB

MD5
3a7905e8692413ed881a748556e2c2d3

SHA1
ad3e3028cd1d4627e732e2563029c7e64fbeea47

SHA256
ed8f0b12dc218f66057c144a4e43489c6301ba8c42fdf0d831f4f924d9e2edeb

SHA512
43e032187ac6380b1dd68c5fd9f9a446068d49f02f05ed48f64e7bf4a329cc3d1f59726176a6d03a7d1cfcf32e80543bd14ee5a71a09ab5c08ad30a3c32c5d1d

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
80KB

MD5
e869bc5e2e5507ccb2d3f0d5709581ff

SHA1
abc3ef7af4049732b809009089fb5c87dc82b0f5

SHA256
a4d98fcece7c720e0b21d8365bad8df604fcedb5b41ea278bc1315e8790d500a

SHA512
19c9e6b4e7a8506ea3f30442d6e8497f680e886fbb458b03eac6c29b7bb090fd6f13946375661d18944069b36487ea7fb5d76ab9c51fb553024c698a09aa5f82

Download Submit
memory/344-250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/344-277-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/344-268-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/364-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/364-196-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/364-201-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/564-120-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/564-122-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/564-294-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/564-108-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/816-183-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/816-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/816-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/936-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1156-300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1156-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-13-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/1380-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-6-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/1780-286-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/1780-289-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/1780-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1816-235-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1816-244-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/1816-302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-258-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-263-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2284-282-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2284-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-54-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/2396-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2568-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2664-291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2664-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2664-41-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2696-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2796-130-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2820-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2820-27-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2896-295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-148-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2976-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3044-284-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/3044-288-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/3044-283-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads