38ea86b3eb5f9ff479e52187754c612c426315b38fcbd7e7d8ea487ffff4674b

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b717dd0c8f323c8f8121af04f51b73c4.exe
Size

363KB
MD5

b717dd0c8f323c8f8121af04f51b73c4
SHA1

bf8297765b4088031ac7562cf56ee8fb40b0b813
SHA256

38ea86b3eb5f9ff479e52187754c612c426315b38fcbd7e7d8ea487ffff4674b
SHA512

88651d28211a4866ed2166b2bc6ca138eb836aef0d151f24ce68693de9e016f2e15539c72a42e0c7f65567ce3c3ae8afc19fb5c2a531331e15cad06381356c07
SSDEEP

6144:hnZUv1XazwWBA1IRwdA8MhwwWBA1OaoPllHwWBA1IRwdA8MhwwWBA1:ToX0wLHwqwLnuwLHwqwL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjhbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b717dd0c8f323c8f8121af04f51b73c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlblcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeapcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjhbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b717dd0c8f323c8f8121af04f51b73c4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiekog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiekog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieagmcmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiqjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hemmac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlblcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmjfodne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njjmni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpfbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hemmac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiagde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnfmbmbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpfbcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiqjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppnenlka.exe

Executes dropped EXE 24 IoCs

pid	Process
1728	Cogddd32.exe
3728	Eiekog32.exe
1908	Fnfmbmbi.exe
2756	Fiqjke32.exe
1528	Hpfbcn32.exe
2716	Hlblcn32.exe
2108	Hppeim32.exe
3092	Hemmac32.exe
1564	Ieagmcmq.exe
224	Jeapcq32.exe
4388	Mofmobmo.exe
1868	Nqaiecjd.exe
4452	Njjmni32.exe
3844	Nmjfodne.exe
4784	Oiagde32.exe
4084	Pjjfdfbb.exe
1496	Pcegclgp.exe
3428	Ppnenlka.exe
4860	Qjhbfd32.exe
1680	Abjmkf32.exe
532	Cbkfbcpb.exe
3948	Ckggnp32.exe
536	Cgmhcaac.exe
2688	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hfibjl32.dll	Fiqjke32.exe
File created	C:\Windows\SysWOW64\Nqaiecjd.exe	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Njjmni32.exe	Nqaiecjd.exe
File created	C:\Windows\SysWOW64\Ckggnp32.exe	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	b717dd0c8f323c8f8121af04f51b73c4.exe
File created	C:\Windows\SysWOW64\Ccegpn32.dll	Cogddd32.exe
File created	C:\Windows\SysWOW64\Fnfmbmbi.exe	Eiekog32.exe
File created	C:\Windows\SysWOW64\Pgdhilkd.dll	Ieagmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Hpfbcn32.exe	Fiqjke32.exe
File opened for modification	C:\Windows\SysWOW64\Hemmac32.exe	Hppeim32.exe
File created	C:\Windows\SysWOW64\Jeapcq32.exe	Ieagmcmq.exe
File created	C:\Windows\SysWOW64\Engdno32.dll	Qjhbfd32.exe
File created	C:\Windows\SysWOW64\Dodebo32.dll	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Hemmac32.exe	Hppeim32.exe
File opened for modification	C:\Windows\SysWOW64\Ieagmcmq.exe	Hemmac32.exe
File created	C:\Windows\SysWOW64\Cgmhcaac.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Pcegclgp.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Onnnbnbp.dll	Pjjfdfbb.exe
File opened for modification	C:\Windows\SysWOW64\Eiekog32.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Hlblcn32.exe	Hpfbcn32.exe
File created	C:\Windows\SysWOW64\Nmjfodne.exe	Njjmni32.exe
File created	C:\Windows\SysWOW64\Npakijcp.dll	Jeapcq32.exe
File created	C:\Windows\SysWOW64\Gbhhqamj.dll	Mofmobmo.exe
File opened for modification	C:\Windows\SysWOW64\Nmjfodne.exe	Njjmni32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjfdfbb.exe	Oiagde32.exe
File opened for modification	C:\Windows\SysWOW64\Jeapcq32.exe	Ieagmcmq.exe
File created	C:\Windows\SysWOW64\Fpnkah32.dll	Nqaiecjd.exe
File created	C:\Windows\SysWOW64\Ocgjojai.dll	Njjmni32.exe
File created	C:\Windows\SysWOW64\Hlkbkddd.dll	Pcegclgp.exe
File opened for modification	C:\Windows\SysWOW64\Abjmkf32.exe	Qjhbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Gakbde32.dll	Hpfbcn32.exe
File created	C:\Windows\SysWOW64\Ddlnnc32.dll	Hppeim32.exe
File created	C:\Windows\SysWOW64\Kqkplq32.dll	Oiagde32.exe
File created	C:\Windows\SysWOW64\Ofblbapl.dll	Eiekog32.exe
File opened for modification	C:\Windows\SysWOW64\Hppeim32.exe	Hlblcn32.exe
File opened for modification	C:\Windows\SysWOW64\Oiagde32.exe	Nmjfodne.exe
File opened for modification	C:\Windows\SysWOW64\Ppnenlka.exe	Pcegclgp.exe
File opened for modification	C:\Windows\SysWOW64\Fnfmbmbi.exe	Eiekog32.exe
File created	C:\Windows\SysWOW64\Pjmnkgfc.dll	Hemmac32.exe
File created	C:\Windows\SysWOW64\Mofmobmo.exe	Jeapcq32.exe
File created	C:\Windows\SysWOW64\Fiqjke32.exe	Fnfmbmbi.exe
File created	C:\Windows\SysWOW64\Ppnenlka.exe	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Cbkfbcpb.exe	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Cjkhnd32.dll	Nmjfodne.exe
File opened for modification	C:\Windows\SysWOW64\Cgmhcaac.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Eiekog32.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Ffeifdjo.dll	Fnfmbmbi.exe
File created	C:\Windows\SysWOW64\Oiagde32.exe	Nmjfodne.exe
File created	C:\Windows\SysWOW64\Abjmkf32.exe	Qjhbfd32.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Cgmhcaac.exe
File opened for modification	C:\Windows\SysWOW64\Fiqjke32.exe	Fnfmbmbi.exe
File created	C:\Windows\SysWOW64\Hppeim32.exe	Hlblcn32.exe
File created	C:\Windows\SysWOW64\Dlofiddl.dll	Hlblcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cogddd32.exe	b717dd0c8f323c8f8121af04f51b73c4.exe
File created	C:\Windows\SysWOW64\Ieagmcmq.exe	Hemmac32.exe
File opened for modification	C:\Windows\SysWOW64\Nqaiecjd.exe	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Pjjfdfbb.exe	Oiagde32.exe
File opened for modification	C:\Windows\SysWOW64\Pcegclgp.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Fhcbhh32.dll	Ppnenlka.exe
File opened for modification	C:\Windows\SysWOW64\Cbkfbcpb.exe	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Hpfbcn32.exe	Fiqjke32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3184	2688	WerFault.exe	121
4736	2688	WerFault.exe	121

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiqjke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlblcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhqamj.dll"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engdno32.dll"	Qjhbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhcbhh32.dll"	Ppnenlka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b717dd0c8f323c8f8121af04f51b73c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnlgh32.dll"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b717dd0c8f323c8f8121af04f51b73c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpfbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkhnd32.dll"	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmjfodne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eiekog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll"	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeapcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hppeim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiagde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlblcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlnnc32.dll"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	b717dd0c8f323c8f8121af04f51b73c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdhilkd.dll"	Ieagmcmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkbkddd.dll"	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll"	Hlblcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hemmac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fiqjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibjl32.dll"	Fiqjke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnkah32.dll"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njjmni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcegclgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b717dd0c8f323c8f8121af04f51b73c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hemmac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgjojai.dll"	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpfbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakbde32.dll"	Hpfbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll"	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjhbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccegpn32.dll"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiekog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofblbapl.dll"	Eiekog32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 1728	392	b717dd0c8f323c8f8121af04f51b73c4.exe	96
PID 392 wrote to memory of 1728	392	b717dd0c8f323c8f8121af04f51b73c4.exe	96
PID 392 wrote to memory of 1728	392	b717dd0c8f323c8f8121af04f51b73c4.exe	96
PID 1728 wrote to memory of 3728	1728	Cogddd32.exe	97
PID 1728 wrote to memory of 3728	1728	Cogddd32.exe	97
PID 1728 wrote to memory of 3728	1728	Cogddd32.exe	97
PID 3728 wrote to memory of 1908	3728	Eiekog32.exe	98
PID 3728 wrote to memory of 1908	3728	Eiekog32.exe	98
PID 3728 wrote to memory of 1908	3728	Eiekog32.exe	98
PID 1908 wrote to memory of 2756	1908	Fnfmbmbi.exe	99
PID 1908 wrote to memory of 2756	1908	Fnfmbmbi.exe	99
PID 1908 wrote to memory of 2756	1908	Fnfmbmbi.exe	99
PID 2756 wrote to memory of 1528	2756	Fiqjke32.exe	101
PID 2756 wrote to memory of 1528	2756	Fiqjke32.exe	101
PID 2756 wrote to memory of 1528	2756	Fiqjke32.exe	101
PID 1528 wrote to memory of 2716	1528	Hpfbcn32.exe	102
PID 1528 wrote to memory of 2716	1528	Hpfbcn32.exe	102
PID 1528 wrote to memory of 2716	1528	Hpfbcn32.exe	102
PID 2716 wrote to memory of 2108	2716	Hlblcn32.exe	103
PID 2716 wrote to memory of 2108	2716	Hlblcn32.exe	103
PID 2716 wrote to memory of 2108	2716	Hlblcn32.exe	103
PID 2108 wrote to memory of 3092	2108	Hppeim32.exe	104
PID 2108 wrote to memory of 3092	2108	Hppeim32.exe	104
PID 2108 wrote to memory of 3092	2108	Hppeim32.exe	104
PID 3092 wrote to memory of 1564	3092	Hemmac32.exe	106
PID 3092 wrote to memory of 1564	3092	Hemmac32.exe	106
PID 3092 wrote to memory of 1564	3092	Hemmac32.exe	106
PID 1564 wrote to memory of 224	1564	Ieagmcmq.exe	107
PID 1564 wrote to memory of 224	1564	Ieagmcmq.exe	107
PID 1564 wrote to memory of 224	1564	Ieagmcmq.exe	107
PID 224 wrote to memory of 4388	224	Jeapcq32.exe	108
PID 224 wrote to memory of 4388	224	Jeapcq32.exe	108
PID 224 wrote to memory of 4388	224	Jeapcq32.exe	108
PID 4388 wrote to memory of 1868	4388	Mofmobmo.exe	109
PID 4388 wrote to memory of 1868	4388	Mofmobmo.exe	109
PID 4388 wrote to memory of 1868	4388	Mofmobmo.exe	109
PID 1868 wrote to memory of 4452	1868	Nqaiecjd.exe	110
PID 1868 wrote to memory of 4452	1868	Nqaiecjd.exe	110
PID 1868 wrote to memory of 4452	1868	Nqaiecjd.exe	110
PID 4452 wrote to memory of 3844	4452	Njjmni32.exe	111
PID 4452 wrote to memory of 3844	4452	Njjmni32.exe	111
PID 4452 wrote to memory of 3844	4452	Njjmni32.exe	111
PID 3844 wrote to memory of 4784	3844	Nmjfodne.exe	112
PID 3844 wrote to memory of 4784	3844	Nmjfodne.exe	112
PID 3844 wrote to memory of 4784	3844	Nmjfodne.exe	112
PID 4784 wrote to memory of 4084	4784	Oiagde32.exe	113
PID 4784 wrote to memory of 4084	4784	Oiagde32.exe	113
PID 4784 wrote to memory of 4084	4784	Oiagde32.exe	113
PID 4084 wrote to memory of 1496	4084	Pjjfdfbb.exe	114
PID 4084 wrote to memory of 1496	4084	Pjjfdfbb.exe	114
PID 4084 wrote to memory of 1496	4084	Pjjfdfbb.exe	114
PID 1496 wrote to memory of 3428	1496	Pcegclgp.exe	115
PID 1496 wrote to memory of 3428	1496	Pcegclgp.exe	115
PID 1496 wrote to memory of 3428	1496	Pcegclgp.exe	115
PID 3428 wrote to memory of 4860	3428	Ppnenlka.exe	116
PID 3428 wrote to memory of 4860	3428	Ppnenlka.exe	116
PID 3428 wrote to memory of 4860	3428	Ppnenlka.exe	116
PID 4860 wrote to memory of 1680	4860	Qjhbfd32.exe	117
PID 4860 wrote to memory of 1680	4860	Qjhbfd32.exe	117
PID 4860 wrote to memory of 1680	4860	Qjhbfd32.exe	117
PID 1680 wrote to memory of 532	1680	Abjmkf32.exe	118
PID 1680 wrote to memory of 532	1680	Abjmkf32.exe	118
PID 1680 wrote to memory of 532	1680	Abjmkf32.exe	118
PID 532 wrote to memory of 3948	532	Cbkfbcpb.exe	119

C:\Users\Admin\AppData\Local\Temp\b717dd0c8f323c8f8121af04f51b73c4.exe
"C:\Users\Admin\AppData\Local\Temp\b717dd0c8f323c8f8121af04f51b73c4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\SysWOW64\Cogddd32.exe
  C:\Windows\system32\Cogddd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\Eiekog32.exe
    C:\Windows\system32\Eiekog32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\Fnfmbmbi.exe
      C:\Windows\system32\Fnfmbmbi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        25⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 400
        26⤵
        Program crash
        
        PID:3184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 400
        26⤵
        Program crash
        
        PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2688 -ip 2688
1⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
237KB

MD5
719f3f6666c12e8367fd1cd7e7573b5f

SHA1
7de687bdf87ee5f0dba365a2d2718b53b795d7f0

SHA256
a820834d408187273ab6f2662d69480904d77faf90b1c512eaab1124e9bf6cc2

SHA512
371abd194f66a3fb8c00d3af5ceec36f896e82f9ab3da31cd7f3c3191bc4924c449bc64443b6fc44a0305c6377673ef4f3cf40c40f40af05a9c9d3a37ab77776

Download Submit
C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
363KB

MD5
e12cb428ed0fb922da1d67d024c90d75

SHA1
d0f62230ee4d1a2396f5354d767815f5ad7af57f

SHA256
eac8187cdfaa3606e6129df89de1630b6a064c51e047883a59677ab2767c3025

SHA512
8f0b876d6a87551291c1588e4e77fc88f2bfec1ec1170f2d21b04f14097d3d5a6b9d7b6210b3623b7d7f4e34843c1828aad60a71670f2d40c3db0abad9538ae4

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
363KB

MD5
912525ad80848502581261c27d448c83

SHA1
3726b69f3f1e899f406334cd78f8278ddc806450

SHA256
852fe2995911d9780ad3bb473f465376a1158c04dc0dfb82b826685bfed178c3

SHA512
78a9a70e4c8fe64cd2281d04b3ce915fb79713bf87f7b4e9467b457b1848b44e47cfcdf7c09e45d03ff1caab0b065819fd1cd3c32ac43457b200127e6e72a5fe

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
363KB

MD5
b28ec72287181eac81e291d112c89d20

SHA1
9db0cf104e05e5dc9f13cb972d15112330d2749e

SHA256
f0325ae8d4b1d35630a90941f54669274f20efc61341110eea10a6f8489684e2

SHA512
b0c0695e65b2651008564a68c40e4f786e0b51bdd717ff2844d5db4dffcb248f82b2fa107931e199e13ab08f0fe55f19e980ec92fb9924224a7ac5d158d0478f

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
363KB

MD5
e2332ecf6fc2c38e9b7f4d0d73d99ddd

SHA1
fa434f7917f102e5511482a358c78e3125f07f69

SHA256
7890fd2800da32448eb6466ee893fa2b6cc50da5a521189ccb670638edb6b339

SHA512
d91a31f9b30ae7212a0a80dbbc427c2af722002c56f270deb0b3e0c6fc99ae28b8a0a54a411e62a24007ce4813c53dc3bf3c5b09074ff72e69b74d93643c6f6d

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
363KB

MD5
f1dc155f43c85214546ac2cd83fa6beb

SHA1
9942ada90dc2e462f41dcd5522753668058a04b2

SHA256
9173ee55b0e0e88fd7c1cc631f610c077fa4c21ceede7e327f03232cd72b850e

SHA512
0644d229fc71225eaa6bc75f2daf09f1641510d68ce6cc2012169f38242996f2326a5bea08026a3cb3dfc674ba38dd3cb0119e22213e371e892efd7093c426ff

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
363KB

MD5
685f64517f94100440eb74d22fec63cd

SHA1
15683a2e0859e6bbcc426001d9b7de733d5a1942

SHA256
261a01bbcf989e0da56b42f56533ff797586ef1897b4af058a881b4dc019a3a9

SHA512
cac04c4346ef206d75e0c5cecf8638c17f73bb4e1c0509c66ba4a7391b5f8e4cfd76e700a78ff3430183b3eca855639eee978305f255aa7b43727b71ec81d40f

Download Submit
C:\Windows\SysWOW64\Eiekog32.exe

Filesize
363KB

MD5
f2fd780ace17f13a9b3104d873da6830

SHA1
371d142d32e0ce7cb67606638ef92a6e64e65ade

SHA256
6411b6408162b14ce0061006718c26885d65448d08f5c23dc181a0e781b1cd43

SHA512
1e0d1e555498a9c90b7f1c77de2d0bb3eb5b3c0909a031dc50ea49d679a5cdc2dde3adaac80e56cfa76bbcaf13e856fbec7edf52866580cc6ee5d0ceb9ea0ce3

Download Submit
C:\Windows\SysWOW64\Fiqjke32.exe

Filesize
363KB

MD5
4737d9b4683ee0c42a9c0fdba448609f

SHA1
5c563b2b748a2a4b98d77edab6f2e8a6e10d700d

SHA256
7eae000903f5058d79eca3b980bc61d9da3f0d0d84e907c8017dbbfe94457edb

SHA512
0b3a4c5cbb06007b87336e7e04abf078922704c3c7e8e51ea8496bcf58e699fdaee777664fe7993e78d74ebb5b1640a9efe1ecd41a61485421590c4e67c93854

Download Submit
C:\Windows\SysWOW64\Fnfmbmbi.exe

Filesize
363KB

MD5
d6aa2aaa3657f58f6c0c59e7c94be96c

SHA1
b3adf2eff915fb1fad754b4d0305c2abefa16d8a

SHA256
08ba95958cf322fe158fec3b783cdd2e4d9c6def37a87232f294e86557fe6dd2

SHA512
7f4f165a0c00cb5fee675575f74239e2c46c80729ccb05155763d7e981029a7e4dd9aefecc11ed60c56272d941279b7f353d787a31e7a6a3d0021779d7a16271

Download Submit
C:\Windows\SysWOW64\Hemmac32.exe

Filesize
363KB

MD5
88c24711853c0cc44bc179d02fceabf7

SHA1
d6d3965950989448ed1d1f7dd49a6b4a6a777187

SHA256
028284c4156da7aecf9dbd3980151bbbbf9f491e517f24c3dd4573162e5be15b

SHA512
a200a5510f881fcea63d12f69786078aa552cf42690183346b3b08daaabbf0f8ca4fc4ea545a4c481df1b56d975baa7a1473f0b248debf5539d46db1eba03f34

Download Submit
C:\Windows\SysWOW64\Hlblcn32.exe

Filesize
363KB

MD5
5e8460151f536881ef844c7e18128307

SHA1
05ec208a4e95295f65c10eb1c84f66cbd2efedf0

SHA256
32d6a69ee6e83479bb8da0b9f60a02e391fd43c3ba3b15d448cbfe09bdc07d90

SHA512
0d4871f3efb75f4079def4a94d55bc0e9b0650754dc1e26d81d1e09fe0767d0cdebf61f9dab2a07b2cbc538da3b439890f7e933bd9f6dc33ce910eca0679f464

Download Submit
C:\Windows\SysWOW64\Hpfbcn32.exe

Filesize
363KB

MD5
2a0fa28998a9b2cf7d56dd7516a9b2d7

SHA1
a3b88b73f1ecce26a43d925729ad7db590f96af2

SHA256
999ab85603084bbbddfd3fa768f156b7f1cbe36034fc29d8d927ee4a935340cd

SHA512
32acfc4804e56ca320db1d7a809f0310d1acc7f10d67694f1742aea543b26279ba2608f07299159c4623f39f00391216813fa906b47f8ac77ed5bc6041bf7f92

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
363KB

MD5
f908b79aab8b77f0034931112513a36a

SHA1
ef4b9da2691a827cdfafd64d05096f7492369aee

SHA256
06caa1040a3d7843f490c0d26e13a317681c0e9332bc83862f5def4357b838e4

SHA512
48d229a95c094b7f5e2688dddf114d8365bb23326374771873cdd7610a18ee4de42ef790137b8cdd820a464c5b5e868ac61a714321cba2ae29711d11a8ca8456

Download Submit
C:\Windows\SysWOW64\Ieagmcmq.exe

Filesize
363KB

MD5
26c39040a70eaf8f0116d01fdd7d3269

SHA1
1a368000633473e6b469fefd8b259f888eebd75e

SHA256
90d8bb52646139f20ad482bb05952c8672907071eb4605eb82f33b641f55a539

SHA512
711a0f939f3752e87bbe114482dd3db38db1b9285c5a4c0582e13a4b88e5083dc2d97431b060eff3f7a6a41f8dcf9ba503ec5c130f4e6bfcfac09ac0df680a45

Download Submit
C:\Windows\SysWOW64\Jeapcq32.exe

Filesize
363KB

MD5
72301dbea71cefb8423e7695d911ddfd

SHA1
1fedebe33a099f703f1a7f29435207b205983cb6

SHA256
55ba70e3e6bcf2128ae9b87b8fcfb3961f20b03ca19afac08ff48ec1b6cebd27

SHA512
5d29ecf8819639e33089447ec2e6b7e79062467a8e40010044b3ef48b8bf35d4ebb4853cf7d585f8bb275d11245a7cf7631c41114d562b1e4c500c9df41182a8

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
363KB

MD5
1ed5f58dd62d36c5bf98c68a99267691

SHA1
8092d159eac0df976137c808954ab9c774e61516

SHA256
98ae46aafb90562a64360f521c1495105420c3fba4bead5735dbf7776a7a534e

SHA512
8383693a02e935968c7031f54561bf783430f64fba732cb6f145b74fc39f2ce4dc28f016adb078dca5b397025e002f8512d000c4dd300e4fb04f048937deefd1

Download Submit
C:\Windows\SysWOW64\Njjmni32.exe

Filesize
363KB

MD5
ad920a186cdf56c73cf858afe952448a

SHA1
ad5b540717d565503ab1cac29d79bc710caae5f2

SHA256
a7e2181dbb257c072fc85e6cf1c2324deb9401c9195d6b1ce8d9f0fb3859dee3

SHA512
c89f104be9e2f7abc27384f9c406e17afb77c2ef92de04defaf97a4920d48e14b440641f00e9bc17c807f90d125a9ef90cf2d04bda9855aece6d3adf455fe899

Download Submit
C:\Windows\SysWOW64\Nmjfodne.exe

Filesize
363KB

MD5
5a8322e05980520b6743279a8e675e4a

SHA1
4f1842ca4aea4331eadf90346d895fe30ddb39fc

SHA256
61ee360195bed894db242e47b86522b437faabc2075c314c831f6b03da4284ad

SHA512
89737bec127af16fd1f0e770d891e6f38ccb916b0fd1f80ea52f28051d084be2386f902a5039960691a2bbca609047d98dd7173c0636bae44b835fd3ee79d8da

Download Submit
C:\Windows\SysWOW64\Nqaiecjd.exe

Filesize
363KB

MD5
58fc406f5be8134b914eee5eee9b3805

SHA1
bbf0cdc0e41e15bb1f337a9370c8e787752397f5

SHA256
812fe93761c2c847ce92b41484b0c30f4511b6d15e1a7592a650012fb2fe486e

SHA512
66cc214e265fec530815db8d3c520708d0f083dd6b3eeea9b3539110f9d6cf88d1ae5e338113371400428bf9cdc772315013f4fc5d1d9436519a0b7c4cf25f1d

Download Submit
C:\Windows\SysWOW64\Oiagde32.exe

Filesize
363KB

MD5
2c62157a7943de4443c78345c68f39bf

SHA1
16cda03fa373401e64618d292945ab0eb5d50ed5

SHA256
9dbe7bd4074b20d0750de54bd719a6e943c852aa23c889b90556a89c87762e33

SHA512
9dafc7a11d2f1062d2542fe0c41115c45e8f313fd0d05fb42c2ee99213bbe35e6dfb0e49ea0d102f94b137ae20a53acb8a94b4b32be696cdeca64e7ae0e90a20

Download Submit
C:\Windows\SysWOW64\Pcegclgp.exe

Filesize
363KB

MD5
b4bdf22458f6526ff83749eecf1e7452

SHA1
e9b6edd6aa6060ae85e3c11e0f75badd66d59c85

SHA256
b8eab5edf9b01657f2698417d860b75bfca32cbefbf2aa0e24a7871340ee5bd6

SHA512
21327715461bcfaf9e81ea03efe8c5381715ae4a3828c628b97ed140f5e1f0532706389f0b64076733aa1065dae32b5d0a653350710e13ddc2260b811cd51260

Download Submit
C:\Windows\SysWOW64\Pjjfdfbb.exe

Filesize
363KB

MD5
6e1b5c2a4a64dfd4b9fdadab3f487726

SHA1
133c60abbb6550b403c8383757f0022210854840

SHA256
c793cbbb76ccd179a26b1d2f2e2694c3734ba3ba15eea50916a068403ddf08cd

SHA512
0880ff5fde8b396aa4478e28ff9e53fb95fae2361d8bfe8b20441f0c0e5622406c398aec42b7e3bf04cf9c2bb87fead1f7496196d4ef9e358e8e1f509980e4b5

Download Submit
C:\Windows\SysWOW64\Ppnenlka.exe

Filesize
363KB

MD5
fcd88dcb44de616d59f7647e6c086708

SHA1
6dc0453fc06c025477f41c6facfd0bff059a3ba6

SHA256
bb8dd5cb074067b850d2c79fca8c9da5160585f9ee245d8240db822c1cc33cf0

SHA512
1d44f8fe98fdbd906acc1dc4530d33b1fea4c89cc3e013f70b8885702562e5149930595f3c6202023e2f2d2102ab47ac05c1e83c09b79830cc3c063673bebf8d

Download Submit
C:\Windows\SysWOW64\Qjhbfd32.exe

Filesize
363KB

MD5
b80ad022f0527a6bec8210b5e8943e92

SHA1
e1adcbb70ba53da025bd16059b22c48a180f0529

SHA256
e4d369652657899fd498f32408df049f9956274689ac76f3f92b52879107aba6

SHA512
eaf69537118a4a91d941be3feee049003a8aadd348ffad50d0b76e17a6f6fddb7ded92c9aa52bf8afff846058f561b9b91049ac4aac1c309b15e8c497055337c

Download Submit
memory/224-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/392-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/392-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1868-206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1868-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-201-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-198-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3428-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3428-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-113-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-209-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-121-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads