0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6

Analysis

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
Size

52KB
MD5

7f23b9c62704939cf3d2c12a28cd87d2
SHA1

5e7f256a4d1ca7a4e57154210f22e08edae0b7b8
SHA256

0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6
SHA512

e3d5004923a465117b668bdb0a57daea8f235bf2ccf8f5276b547f54db22925bfc8477dad51c5801813102af2b71b6e4043975b02ed5f0fb448795d030cd9e13
SSDEEP

768:o/tiwMwPHoqiNMOkNImTgzucyGF6XOtRx894qsICBx26Eh+Kv7BQ/1H5z:o/timIFQ1TOu6OXvU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjnmlk32.exe

Executes dropped EXE 22 IoCs

pid	Process
1540	Qjnmlk32.exe
2548	Amnfnfgg.exe
2524	Agdjkogm.exe
2112	Ackkppma.exe
2588	Aigchgkh.exe
2464	Abphal32.exe
2892	Alhmjbhj.exe
1192	Aeqabgoj.exe
1360	Bpfeppop.exe
1232	Blmfea32.exe
1936	Bajomhbl.exe
364	Bonoflae.exe
1860	Behgcf32.exe
1640	Bjdplm32.exe
1336	Bdmddc32.exe
2156	Bmeimhdj.exe
1976	Cdoajb32.exe
824	Cilibi32.exe
1356	Cpfaocal.exe
1960	Cinfhigl.exe
1352	Cddjebgb.exe
1800	Ceegmj32.exe

Loads dropped DLL 48 IoCs

pid	Process
2216	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
2216	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
1540	Qjnmlk32.exe
1540	Qjnmlk32.exe
2548	Amnfnfgg.exe
2548	Amnfnfgg.exe
2524	Agdjkogm.exe
2524	Agdjkogm.exe
2112	Ackkppma.exe
2112	Ackkppma.exe
2588	Aigchgkh.exe
2588	Aigchgkh.exe
2464	Abphal32.exe
2464	Abphal32.exe
2892	Alhmjbhj.exe
2892	Alhmjbhj.exe
1192	Aeqabgoj.exe
1192	Aeqabgoj.exe
1360	Bpfeppop.exe
1360	Bpfeppop.exe
1232	Blmfea32.exe
1232	Blmfea32.exe
1936	Bajomhbl.exe
1936	Bajomhbl.exe
364	Bonoflae.exe
364	Bonoflae.exe
1860	Behgcf32.exe
1860	Behgcf32.exe
1640	Bjdplm32.exe
1640	Bjdplm32.exe
1336	Bdmddc32.exe
1336	Bdmddc32.exe
2156	Bmeimhdj.exe
2156	Bmeimhdj.exe
1976	Cdoajb32.exe
1976	Cdoajb32.exe
824	Cilibi32.exe
824	Cilibi32.exe
1356	Cpfaocal.exe
1356	Cpfaocal.exe
1960	Cinfhigl.exe
1960	Cinfhigl.exe
1352	Cddjebgb.exe
1352	Cddjebgb.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amnfnfgg.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Qjnmlk32.exe	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Agdjkogm.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Lfobiqka.dll	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Aeqabgoj.exe	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Pmmani32.dll	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Bajomhbl.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Qjnmlk32.exe	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
File opened for modification	C:\Windows\SysWOW64\Aeqabgoj.exe	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Blmfea32.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Qniedg32.dll	Qjnmlk32.exe
File opened for modification	C:\Windows\SysWOW64\Agdjkogm.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Ackkppma.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Bhdmagqq.dll	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Alhmjbhj.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	Blmfea32.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Pqfjpj32.dll	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Napoohch.dll	Amnfnfgg.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Ackkppma.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Abphal32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Amnfnfgg.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Kganqf32.dll	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Ekdnehnn.dll	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Blmfea32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1772	1800	WerFault.exe	49

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blmfea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koldhi32.dll"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll"	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ackkppma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll"	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qniedg32.dll"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfeppop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1540	2216	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe	28
PID 2216 wrote to memory of 1540	2216	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe	28
PID 2216 wrote to memory of 1540	2216	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe	28
PID 2216 wrote to memory of 1540	2216	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe	28
PID 1540 wrote to memory of 2548	1540	Qjnmlk32.exe	29
PID 1540 wrote to memory of 2548	1540	Qjnmlk32.exe	29
PID 1540 wrote to memory of 2548	1540	Qjnmlk32.exe	29
PID 1540 wrote to memory of 2548	1540	Qjnmlk32.exe	29
PID 2548 wrote to memory of 2524	2548	Amnfnfgg.exe	30
PID 2548 wrote to memory of 2524	2548	Amnfnfgg.exe	30
PID 2548 wrote to memory of 2524	2548	Amnfnfgg.exe	30
PID 2548 wrote to memory of 2524	2548	Amnfnfgg.exe	30
PID 2524 wrote to memory of 2112	2524	Agdjkogm.exe	31
PID 2524 wrote to memory of 2112	2524	Agdjkogm.exe	31
PID 2524 wrote to memory of 2112	2524	Agdjkogm.exe	31
PID 2524 wrote to memory of 2112	2524	Agdjkogm.exe	31
PID 2112 wrote to memory of 2588	2112	Ackkppma.exe	32
PID 2112 wrote to memory of 2588	2112	Ackkppma.exe	32
PID 2112 wrote to memory of 2588	2112	Ackkppma.exe	32
PID 2112 wrote to memory of 2588	2112	Ackkppma.exe	32
PID 2588 wrote to memory of 2464	2588	Aigchgkh.exe	33
PID 2588 wrote to memory of 2464	2588	Aigchgkh.exe	33
PID 2588 wrote to memory of 2464	2588	Aigchgkh.exe	33
PID 2588 wrote to memory of 2464	2588	Aigchgkh.exe	33
PID 2464 wrote to memory of 2892	2464	Abphal32.exe	34
PID 2464 wrote to memory of 2892	2464	Abphal32.exe	34
PID 2464 wrote to memory of 2892	2464	Abphal32.exe	34
PID 2464 wrote to memory of 2892	2464	Abphal32.exe	34
PID 2892 wrote to memory of 1192	2892	Alhmjbhj.exe	35
PID 2892 wrote to memory of 1192	2892	Alhmjbhj.exe	35
PID 2892 wrote to memory of 1192	2892	Alhmjbhj.exe	35
PID 2892 wrote to memory of 1192	2892	Alhmjbhj.exe	35
PID 1192 wrote to memory of 1360	1192	Aeqabgoj.exe	36
PID 1192 wrote to memory of 1360	1192	Aeqabgoj.exe	36
PID 1192 wrote to memory of 1360	1192	Aeqabgoj.exe	36
PID 1192 wrote to memory of 1360	1192	Aeqabgoj.exe	36
PID 1360 wrote to memory of 1232	1360	Bpfeppop.exe	37
PID 1360 wrote to memory of 1232	1360	Bpfeppop.exe	37
PID 1360 wrote to memory of 1232	1360	Bpfeppop.exe	37
PID 1360 wrote to memory of 1232	1360	Bpfeppop.exe	37
PID 1232 wrote to memory of 1936	1232	Blmfea32.exe	38
PID 1232 wrote to memory of 1936	1232	Blmfea32.exe	38
PID 1232 wrote to memory of 1936	1232	Blmfea32.exe	38
PID 1232 wrote to memory of 1936	1232	Blmfea32.exe	38
PID 1936 wrote to memory of 364	1936	Bajomhbl.exe	39
PID 1936 wrote to memory of 364	1936	Bajomhbl.exe	39
PID 1936 wrote to memory of 364	1936	Bajomhbl.exe	39
PID 1936 wrote to memory of 364	1936	Bajomhbl.exe	39
PID 364 wrote to memory of 1860	364	Bonoflae.exe	40
PID 364 wrote to memory of 1860	364	Bonoflae.exe	40
PID 364 wrote to memory of 1860	364	Bonoflae.exe	40
PID 364 wrote to memory of 1860	364	Bonoflae.exe	40
PID 1860 wrote to memory of 1640	1860	Behgcf32.exe	41
PID 1860 wrote to memory of 1640	1860	Behgcf32.exe	41
PID 1860 wrote to memory of 1640	1860	Behgcf32.exe	41
PID 1860 wrote to memory of 1640	1860	Behgcf32.exe	41
PID 1640 wrote to memory of 1336	1640	Bjdplm32.exe	42
PID 1640 wrote to memory of 1336	1640	Bjdplm32.exe	42
PID 1640 wrote to memory of 1336	1640	Bjdplm32.exe	42
PID 1640 wrote to memory of 1336	1640	Bjdplm32.exe	42
PID 1336 wrote to memory of 2156	1336	Bdmddc32.exe	43
PID 1336 wrote to memory of 2156	1336	Bdmddc32.exe	43
PID 1336 wrote to memory of 2156	1336	Bdmddc32.exe	43
PID 1336 wrote to memory of 2156	1336	Bdmddc32.exe	43

C:\Users\Admin\AppData\Local\Temp\0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
"C:\Users\Admin\AppData\Local\Temp\0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\Qjnmlk32.exe
  C:\Windows\system32\Qjnmlk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\Amnfnfgg.exe
    C:\Windows\system32\Amnfnfgg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\SysWOW64\Agdjkogm.exe
      C:\Windows\system32\Agdjkogm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        23⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abphal32.exe

Filesize
52KB

MD5
25345105b10923d72b519406400ca46e

SHA1
ad7abfb8223d4c1707c9255c71c1469d8daff98f

SHA256
b5e88fb48b26a012f6a8cae97c578f9b04f212456efa2bfeb2d8fb39e79da925

SHA512
ba4484ddc3ea29dba4c4a2c9388d89748484865b0a973d09f0a370de6deb7792b9517b4865a01570f4beefbf12fc422f136b74ebc04b775e8c31f8bfe647ff14

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
52KB

MD5
7df44b92daaa3344687f077e4a605d4c

SHA1
1c7c390e6c4a66861c28d6c1eacfe2238ae23cdf

SHA256
49ee1efff17d1f973463a360bdbb25a7c6b7f795693025077bef945c40d64215

SHA512
cabe71016047d14d5e8774be22205918b99c12ade7330a33eb805b8978f854436ca31e717d9a5c5600dc5b8af512b48708abb51ce6c96e0d2ce752b3ecc19765

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
52KB

MD5
5d949373894221d3f423e025390ebb1f

SHA1
678301d9ccf803bcbe2d6209524cf247d50b8375

SHA256
bf641bd33fafadd89d4ea491ddfdac3eb3c1adf7a8eb6889714717db6bd2d378

SHA512
ff808502dc4855c2bde89a507c28e91b66bc0c86c819c77779aeb1ddb17eb7d4a6c5e36f2a478d1d37c1d033dd0110e640217326c6086128344410ef8c8f9c3b

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
52KB

MD5
4402bf2a33ccf6de917351c11348593a

SHA1
fb79721063cd3a3f1c2221a90219f76b7a914b76

SHA256
7ca02aa83f900db42a68b44c91064cd5d3cf114260ec8ec482759bcec5b438a3

SHA512
0e661aca7c2648410c0e301c3c502ddbe904de81e3a2e681e8859b6468e3a45f994c278b30fe7ee6efe2e560a8d9f3c578f51e6fb5daf88dd28ec0ba070c5e9d

Download Submit
C:\Windows\SysWOW64\Cddjebgb.exe

Filesize
52KB

MD5
c2cf8623195e491240c06ea643b7404c

SHA1
e5dccec04e4321d807957580df9aa77caaf3a4ef

SHA256
ce52aa7210cff3ded058b70375a1827b1a1a9a9bc508482163211e731c70a6db

SHA512
fb4f918a683488f67884a2a4169b929aa51947183fe6a2f66d6b1191aa57e668f9e03d4876f3c4a77fc3ec6adbbcfddfc7d821aacfc1a5e59fe4d2aba84cd3ee

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
52KB

MD5
94d5a4417a20f6db58e35bde0e321512

SHA1
169a625c555b44aec02ddd7fad592d0f67748c25

SHA256
f5ede90b716b6f8115d0b1f87db0d57c39cabaa45a79445d2bc21b6de106c6dc

SHA512
6634cc7ee6b81b9b2fd98fe04f6a958178582979a92e0c1ef1f54c28375ade580dd6e94d1313dc2c153f2330b881723f3a0a96627d5a88aab07ba923ca63fb63

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
52KB

MD5
bc68d5ed48cfc1adc32579a268a3fc44

SHA1
850a31563bd7ae8754faa771a656cc1d858a6efa

SHA256
3aece3431ede622774b3a8aafc6af7239ef7bbb69e307fd6b1cc8f9800c28361

SHA512
e0c678a24f5be121af8f9702991f4e1671375498508eb6df4bd2033c3a72873ef2ee87a7d549682c75a26e1bf306b05cf3c3be94ca8f4a53e8b9bec0d534e85b

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
52KB

MD5
329e0add12e39919a4876dd4ca65de10

SHA1
2d87db321511f953ead31cfff8e98e26afefdc37

SHA256
27711f76df9da61fab0ffad270943f0529ac190afe06cac97f1cc0160bba0c86

SHA512
abea6ce97ecc344a1b75772d845f4f71e8e1bd904008903ca529c29776e5f3ac969cde418db7e0ba84593e8fef4772c4865d7eab3f84d04606e35283a31fc9df

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
52KB

MD5
9bc460445dcb4970aea1b5279fa59ed9

SHA1
f2b1fd3012e2aa2a09908445a2383ed178aca271

SHA256
fb05ae8c719b7e711b150976ac042c6c30ffe891d947f05434c8edbc1a75c726

SHA512
1eec9e4d46f51458fdf5031baecb20194815cfaa5327efb6cc412a235d1fdbe592872b770108944a3e12fc2b8af92077eff9e8552456019baa9faea90a919105

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
52KB

MD5
0b1458c41a41dcd801c12a4b74eff99d

SHA1
b3214fd1b0be3364fd5a02de1b87aabf45ef59d4

SHA256
565b4af308368e68adb0c64e78b20fc498222ff04a8db82fb68d3564a245001f

SHA512
d8f0d5ac7709ce0ea331fb6ca1e5836d204bd3c63ef898c42d2848091178d388b7e3407fe6a5773a61e3874ad7393e85532f24de9ceaf6c25565a3f82df93ba7

Download Submit
\Windows\SysWOW64\Ackkppma.exe

Filesize
52KB

MD5
4ae371b9b7db186ec22418e47e5c92e3

SHA1
4b043b5fb6575b82a58a13a65facfdb44a8f982b

SHA256
fbc37e7fac2799fcdb870d1831eb914efce4d60a8ca4e417ac0ff042f080572c

SHA512
e9cc33be50c5607049fbd8465e5d11f9e6d05490225dcc4a1fae6ba1aefbd58333d3111cf4a0fa32f43f004db1cf4fa906f57ce6a565ce1bbe97740d832333fc

Download Submit
\Windows\SysWOW64\Aeqabgoj.exe

Filesize
52KB

MD5
9771aef8072b045829a9675f27d37c01

SHA1
9b4930114837cda42e0837c02058347f7e89c55d

SHA256
c0a15f0cb3b0498331a0328bf56cf944ccf7ec043daefe08511957475f816450

SHA512
1020231f2423569fc8a8a9c017d40c5074d275b840d7edbfe941e76d5f3c63535188a4a430aaa242ca6906ab4f33e3a890d236267c02707d5af4f893a4b59c61

Download Submit
\Windows\SysWOW64\Agdjkogm.exe

Filesize
52KB

MD5
63dd1da2da318fa11d10aa9947018af4

SHA1
ffe7a4cc12a2386be6c5a3d44b3116e716e16b1a

SHA256
ada63b920d67ed6e4fbf2d5e5f798d7fbd208b0883b8f6c4a390d980ce77052e

SHA512
ce96b548dd290a3489513f5745a3f7a3bc5420ead035bb6b14acd7379a5cdd17b5d16165e2304bd7ef0dffc288dbcd78cd0b57297b0ea8746b069d1708bfe53d

Download Submit
\Windows\SysWOW64\Alhmjbhj.exe

Filesize
52KB

MD5
69fd4a294305035f78f6b1181f2096e8

SHA1
3a0435c9a860a13b1b6b7468fad3a0e653990c6f

SHA256
69823687e0f9c22a84abeb1c0df99197246d9fd59df50c155bfd444897e22ba9

SHA512
046efaf40bc9a22542f387122f146db3f9f75e2b39d182f02076d874d4e83c201034d06fd51c3e951535a49abc41037efd994aaac2ac66ecd98904db4bf8a100

Download Submit
\Windows\SysWOW64\Amnfnfgg.exe

Filesize
52KB

MD5
e36e59ae70abf82dfa75bc50e3e1ae02

SHA1
34823fe9cf7cedf92a71e5935f710dbc522742ff

SHA256
cfcb25a383905f131c42b92a7721fcf9c0561acc6f4ea35abffd6879bd388d5a

SHA512
94bd8855b88d352e7edc50c0894413314add30b2af7214fe5b5af77d892150dfaff19857e608e2f8a71ca6158d99967b27ab8d91cb38bcac3025f03b1df58f97

Download Submit
\Windows\SysWOW64\Bajomhbl.exe

Filesize
52KB

MD5
209d9e7e9c0142ecf5bf8a52b69157cd

SHA1
2bf25f9f111cc83cbfb9f28d7b9719ebb678afb6

SHA256
d51a4e77a890de4aff789ceee955f645fa4c27d2f858170cc1b99293bad474ec

SHA512
01f07664f1897d2f23e019f0242583b3b53b4bc6c0c7b53e24486ba10ecea3bb48befbc6b8929787f02a8e28e9c71728ccc4d90f315b3baa0c04cee064c655a4

Download Submit
\Windows\SysWOW64\Bdmddc32.exe

Filesize
52KB

MD5
45f71c4dc19ab7c8079079d55d880bee

SHA1
a212bd628051f10f99a59db2246689e7ef78244f

SHA256
d9f0a0291b01ad5d4427f79ab444ec3cc6ce1ddcfe3b36c104df9e5a3ad969cb

SHA512
505e7cdcc2ed67f2d2f4c7d8d1f3cb1b9383bc08e8b51f0b3586e2f625074043ec9eda00c38f52c6abc026fb976044fac9798615e6a37234ad8681c262abd2aa

Download Submit
\Windows\SysWOW64\Behgcf32.exe

Filesize
52KB

MD5
c7bddc072ae927a5b5a4389e86a6ddd3

SHA1
e5942602d3778c10736f3aa503008fbc12e33034

SHA256
4947339150759f013b2cefd3599b0f5b110248061ac8317075f6e1b18809d31e

SHA512
31c0a728c6dd63f5cea3eb8777fc67d9d749f3d3a97fe9a9f65f4b1dc3b44b4719adfc2ecd8862ba0137f38cbfccbef9c51731bb05f3fcc89367a6d63b9096d4

Download Submit
\Windows\SysWOW64\Bjdplm32.exe

Filesize
52KB

MD5
4603d5efea1a175e1d2c03a2095e197f

SHA1
c1e3be5fa4789089031a654b7c502d6fc88bfe08

SHA256
452eb41f950053133d786f599410d5fa8cb391bd126f1150e803907b5453244e

SHA512
feb95805d5a49d1b36d5f84f8348d980e2b0d8f5b04d0e81b25677c83c96b56aa29f4c34c276bef5a6e65aa14b1a09cf032a0d85fafa395cc68477d67e4faf1e

Download Submit
\Windows\SysWOW64\Blmfea32.exe

Filesize
52KB

MD5
efaf07822f2068af96fff132adec44b4

SHA1
aa633cfb411a31a8d2c31bcf532c6845162f0c62

SHA256
197c8ddab4521204d3000847fc1357d0a0e9da6de3236570ef3b0682eb77a4ec

SHA512
f5fa34652e7fc7a1be762b7f9afeb64126bc858f9ceca1f12bc57e2cc4f6decf534dfde9d817e3bfc59c74abb576bdad5ad546f200b72a79caacf59e8af06ca4

Download Submit
\Windows\SysWOW64\Bmeimhdj.exe

Filesize
52KB

MD5
e24ee5994b23eccd704a87127f0da56a

SHA1
122e75dc8900a342f8ef3724e6422a93f4f12d59

SHA256
e44f1aa027ca3333bc3d0694ad0f6ceaf56e6ddb0fd9e37cfa050f49101b96cd

SHA512
22a77012ec69b54530b91b44dfefe180cfaf6d66bdfd0f289192d8bcc84e8d1bc6b2b32cfbd7e613c9d531edf4944b504650ea7833a7e2d30d210946d8b9cf55

Download Submit
\Windows\SysWOW64\Qjnmlk32.exe

Filesize
52KB

MD5
5b09b3d7480065605d4bbfa5030e9e34

SHA1
0f8cd929701c7439c37bf5a16a1283a6da1d8d69

SHA256
646544987b106e1df2300b7ecf5ba13da714f39f7f29fec8c917dd41758c682b

SHA512
9ac07be9cab0e719ba08bea18737baff82fd8ddb1f469d1464e37ebd9e339fa3060762485d754578d3e4126a60e8286ab0ece605da8c74da51579243f786b7a2

Download Submit
memory/364-287-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/364-166-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/824-242-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/824-293-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/824-244-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/1192-141-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/1192-114-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1232-142-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1232-150-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1232-145-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1336-205-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1336-212-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1336-290-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1352-265-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1352-296-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1356-294-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1360-122-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1360-134-0x00000000005D0000-0x0000000000601000-memory.dmp

Filesize
196KB

Download
memory/1360-284-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1540-25-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1540-276-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1540-13-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1640-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1640-289-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1800-274-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1860-288-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1860-178-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1936-157-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1960-256-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1960-295-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1976-237-0x00000000002F0000-0x0000000000321000-memory.dmp

Filesize
196KB

Download
memory/1976-292-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1976-228-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2112-279-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2112-67-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2112-61-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2156-291-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2156-218-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2216-6-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2216-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2216-275-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2464-81-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2464-281-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2464-89-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/2524-53-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2524-278-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-40-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2548-34-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2588-73-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2892-106-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/2892-113-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/2892-282-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads