72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf

Analysis

max time kernel
141s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe
Size

71KB
MD5

0ffb0c3a81d9e12fd168a6211c7e4957
SHA1

bf2920910bccdedf4eda359f594448f6ca6f4989
SHA256

72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf
SHA512

efda9a80e1d2040eecc8e1468254490933e6de5853a6c3849248b30f5dcb1fc5d58298c5b617f3c63e6b6843b84333d30b617bd75d6f478fb3b20daf199b8947
SSDEEP

1536:61b/xANMQ24nxA/Z681uQBzRcdezDVsuPBNDx/ReRQiiDbEyRCRRRoR4Rk:61NoMQRA/Z1uuRcWDVsMdxpeeXEy032t

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhimhobl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebfign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hajkqfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iogopi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjggal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilfennic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaonbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mablfnne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebfign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhimhobl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaonbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lebijnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljdkll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mablfnne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkmjaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieccbbkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljdkll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkmjaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpbjfjci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klpakj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lchfib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boldhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hajkqfoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieccbbkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klekfinp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ockdmmoj.exe

Executes dropped EXE 24 IoCs

pid	Process
1132	Qacameaj.exe
2752	Bobabg32.exe
4612	Boldhf32.exe
3036	Ebfign32.exe
2088	Fkmjaa32.exe
4016	Geoapenf.exe
936	Hajkqfoe.exe
5056	Hhimhobl.exe
3856	Ilfennic.exe
2296	Iogopi32.exe
452	Ieccbbkn.exe
4780	Jaonbc32.exe
232	Jpbjfjci.exe
3516	Jbccge32.exe
4484	Klpakj32.exe
4620	Klekfinp.exe
552	Kcapicdj.exe
4700	Lebijnak.exe
1268	Lchfib32.exe
228	Ljdkll32.exe
2032	Mjggal32.exe
1824	Mablfnne.exe
4544	Ockdmmoj.exe
1160	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fkmjaa32.exe	Ebfign32.exe
File created	C:\Windows\SysWOW64\Jbccge32.exe	Jpbjfjci.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bobabg32.exe
File created	C:\Windows\SysWOW64\Bcoaln32.dll	Boldhf32.exe
File opened for modification	C:\Windows\SysWOW64\Klpakj32.exe	Jbccge32.exe
File created	C:\Windows\SysWOW64\Mablfnne.exe	Mjggal32.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Ockdmmoj.exe
File opened for modification	C:\Windows\SysWOW64\Mablfnne.exe	Mjggal32.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmmoj.exe	Mablfnne.exe
File created	C:\Windows\SysWOW64\Qacameaj.exe	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe
File opened for modification	C:\Windows\SysWOW64\Geoapenf.exe	Fkmjaa32.exe
File created	C:\Windows\SysWOW64\Iogopi32.exe	Ilfennic.exe
File created	C:\Windows\SysWOW64\Jklliiom.dll	Iogopi32.exe
File created	C:\Windows\SysWOW64\Lphdhn32.dll	Jpbjfjci.exe
File opened for modification	C:\Windows\SysWOW64\Fkmjaa32.exe	Ebfign32.exe
File created	C:\Windows\SysWOW64\Ablmdkdf.dll	Jbccge32.exe
File created	C:\Windows\SysWOW64\Klekfinp.exe	Klpakj32.exe
File opened for modification	C:\Windows\SysWOW64\Bobabg32.exe	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Ilfennic.exe	Hhimhobl.exe
File created	C:\Windows\SysWOW64\Lchfib32.exe	Lebijnak.exe
File created	C:\Windows\SysWOW64\Mjggal32.exe	Ljdkll32.exe
File created	C:\Windows\SysWOW64\Fcndmiqg.dll	Ljdkll32.exe
File created	C:\Windows\SysWOW64\Lbfecjhc.dll	Fkmjaa32.exe
File created	C:\Windows\SysWOW64\Gifffn32.dll	Hajkqfoe.exe
File created	C:\Windows\SysWOW64\Ilfennic.exe	Hhimhobl.exe
File created	C:\Windows\SysWOW64\Eeclnmik.dll	Kcapicdj.exe
File opened for modification	C:\Windows\SysWOW64\Mjggal32.exe	Ljdkll32.exe
File created	C:\Windows\SysWOW64\Hhimhobl.exe	Hajkqfoe.exe
File created	C:\Windows\SysWOW64\Hjaqmkhl.dll	Jaonbc32.exe
File created	C:\Windows\SysWOW64\Kcapicdj.exe	Klekfinp.exe
File opened for modification	C:\Windows\SysWOW64\Hajkqfoe.exe	Geoapenf.exe
File created	C:\Windows\SysWOW64\Himfiblh.dll	Ilfennic.exe
File created	C:\Windows\SysWOW64\Ieccbbkn.exe	Iogopi32.exe
File created	C:\Windows\SysWOW64\Jaonbc32.exe	Ieccbbkn.exe
File created	C:\Windows\SysWOW64\Jpbjfjci.exe	Jaonbc32.exe
File opened for modification	C:\Windows\SysWOW64\Kcapicdj.exe	Klekfinp.exe
File opened for modification	C:\Windows\SysWOW64\Qacameaj.exe	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe
File opened for modification	C:\Windows\SysWOW64\Ieccbbkn.exe	Iogopi32.exe
File opened for modification	C:\Windows\SysWOW64\Jpbjfjci.exe	Jaonbc32.exe
File created	C:\Windows\SysWOW64\Klpakj32.exe	Jbccge32.exe
File opened for modification	C:\Windows\SysWOW64\Klekfinp.exe	Klpakj32.exe
File opened for modification	C:\Windows\SysWOW64\Ljdkll32.exe	Lchfib32.exe
File created	C:\Windows\SysWOW64\Bihice32.dll	Mablfnne.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Qacameaj.exe
File created	C:\Windows\SysWOW64\Hiplgm32.dll	Geoapenf.exe
File opened for modification	C:\Windows\SysWOW64\Jaonbc32.exe	Ieccbbkn.exe
File created	C:\Windows\SysWOW64\Onogcg32.dll	Klpakj32.exe
File opened for modification	C:\Windows\SysWOW64\Lchfib32.exe	Lebijnak.exe
File created	C:\Windows\SysWOW64\Caecnh32.dll	Mjggal32.exe
File created	C:\Windows\SysWOW64\Ciipkkdj.dll	Bobabg32.exe
File opened for modification	C:\Windows\SysWOW64\Iogopi32.exe	Ilfennic.exe
File created	C:\Windows\SysWOW64\Kldgkp32.dll	Klekfinp.exe
File opened for modification	C:\Windows\SysWOW64\Lebijnak.exe	Kcapicdj.exe
File created	C:\Windows\SysWOW64\Ljdkll32.exe	Lchfib32.exe
File opened for modification	C:\Windows\SysWOW64\Jbccge32.exe	Jpbjfjci.exe
File created	C:\Windows\SysWOW64\Ipamlopb.dll	Lebijnak.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Bobabg32.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Boldhf32.exe	Bobabg32.exe
File created	C:\Windows\SysWOW64\Ebfign32.exe	Boldhf32.exe
File created	C:\Windows\SysWOW64\Hajkqfoe.exe	Geoapenf.exe
File created	C:\Windows\SysWOW64\Lebijnak.exe	Kcapicdj.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1968	1160	WerFault.exe	115
5088	1160	WerFault.exe	115

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fkmjaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcndmiqg.dll"	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifffn32.dll"	Hajkqfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himfiblh.dll"	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhimhobl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lebijnak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mablfnne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihice32.dll"	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bobabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hajkqfoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbccge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lchfib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Boldhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablmdkdf.dll"	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onogcg32.dll"	Klpakj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klekfinp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baampdgc.dll"	Ebfign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll"	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoaokpd.dll"	Hhimhobl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklliiom.dll"	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caecnh32.dll"	Mjggal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhimhobl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfecjhc.dll"	Fkmjaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fkmjaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ebfign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hajkqfoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaonbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpbjfjci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldgkp32.dll"	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbmgdb.dll"	Lchfib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkdqh32.dll"	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjaqmkhl.dll"	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll"	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcapicdj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 1132	4756	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe	92
PID 4756 wrote to memory of 1132	4756	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe	92
PID 4756 wrote to memory of 1132	4756	72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe	92
PID 1132 wrote to memory of 2752	1132	Qacameaj.exe	93
PID 1132 wrote to memory of 2752	1132	Qacameaj.exe	93
PID 1132 wrote to memory of 2752	1132	Qacameaj.exe	93
PID 2752 wrote to memory of 4612	2752	Bobabg32.exe	94
PID 2752 wrote to memory of 4612	2752	Bobabg32.exe	94
PID 2752 wrote to memory of 4612	2752	Bobabg32.exe	94
PID 4612 wrote to memory of 3036	4612	Boldhf32.exe	95
PID 4612 wrote to memory of 3036	4612	Boldhf32.exe	95
PID 4612 wrote to memory of 3036	4612	Boldhf32.exe	95
PID 3036 wrote to memory of 2088	3036	Ebfign32.exe	96
PID 3036 wrote to memory of 2088	3036	Ebfign32.exe	96
PID 3036 wrote to memory of 2088	3036	Ebfign32.exe	96
PID 2088 wrote to memory of 4016	2088	Fkmjaa32.exe	97
PID 2088 wrote to memory of 4016	2088	Fkmjaa32.exe	97
PID 2088 wrote to memory of 4016	2088	Fkmjaa32.exe	97
PID 4016 wrote to memory of 936	4016	Geoapenf.exe	98
PID 4016 wrote to memory of 936	4016	Geoapenf.exe	98
PID 4016 wrote to memory of 936	4016	Geoapenf.exe	98
PID 936 wrote to memory of 5056	936	Hajkqfoe.exe	99
PID 936 wrote to memory of 5056	936	Hajkqfoe.exe	99
PID 936 wrote to memory of 5056	936	Hajkqfoe.exe	99
PID 5056 wrote to memory of 3856	5056	Hhimhobl.exe	100
PID 5056 wrote to memory of 3856	5056	Hhimhobl.exe	100
PID 5056 wrote to memory of 3856	5056	Hhimhobl.exe	100
PID 3856 wrote to memory of 2296	3856	Ilfennic.exe	101
PID 3856 wrote to memory of 2296	3856	Ilfennic.exe	101
PID 3856 wrote to memory of 2296	3856	Ilfennic.exe	101
PID 2296 wrote to memory of 452	2296	Iogopi32.exe	102
PID 2296 wrote to memory of 452	2296	Iogopi32.exe	102
PID 2296 wrote to memory of 452	2296	Iogopi32.exe	102
PID 452 wrote to memory of 4780	452	Ieccbbkn.exe	103
PID 452 wrote to memory of 4780	452	Ieccbbkn.exe	103
PID 452 wrote to memory of 4780	452	Ieccbbkn.exe	103
PID 4780 wrote to memory of 232	4780	Jaonbc32.exe	104
PID 4780 wrote to memory of 232	4780	Jaonbc32.exe	104
PID 4780 wrote to memory of 232	4780	Jaonbc32.exe	104
PID 232 wrote to memory of 3516	232	Jpbjfjci.exe	105
PID 232 wrote to memory of 3516	232	Jpbjfjci.exe	105
PID 232 wrote to memory of 3516	232	Jpbjfjci.exe	105
PID 3516 wrote to memory of 4484	3516	Jbccge32.exe	106
PID 3516 wrote to memory of 4484	3516	Jbccge32.exe	106
PID 3516 wrote to memory of 4484	3516	Jbccge32.exe	106
PID 4484 wrote to memory of 4620	4484	Klpakj32.exe	107
PID 4484 wrote to memory of 4620	4484	Klpakj32.exe	107
PID 4484 wrote to memory of 4620	4484	Klpakj32.exe	107
PID 4620 wrote to memory of 552	4620	Klekfinp.exe	108
PID 4620 wrote to memory of 552	4620	Klekfinp.exe	108
PID 4620 wrote to memory of 552	4620	Klekfinp.exe	108
PID 552 wrote to memory of 4700	552	Kcapicdj.exe	109
PID 552 wrote to memory of 4700	552	Kcapicdj.exe	109
PID 552 wrote to memory of 4700	552	Kcapicdj.exe	109
PID 4700 wrote to memory of 1268	4700	Lebijnak.exe	110
PID 4700 wrote to memory of 1268	4700	Lebijnak.exe	110
PID 4700 wrote to memory of 1268	4700	Lebijnak.exe	110
PID 1268 wrote to memory of 228	1268	Lchfib32.exe	111
PID 1268 wrote to memory of 228	1268	Lchfib32.exe	111
PID 1268 wrote to memory of 228	1268	Lchfib32.exe	111
PID 228 wrote to memory of 2032	228	Ljdkll32.exe	112
PID 228 wrote to memory of 2032	228	Ljdkll32.exe	112
PID 228 wrote to memory of 2032	228	Ljdkll32.exe	112
PID 2032 wrote to memory of 1824	2032	Mjggal32.exe	113

C:\Users\Admin\AppData\Local\Temp\72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe
"C:\Users\Admin\AppData\Local\Temp\72327a945d8655e3d1b66f5f66fdf2ab354e995e5bbdfdd58b9fbad5e2c636bf.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\SysWOW64\Qacameaj.exe
  C:\Windows\system32\Qacameaj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\Bobabg32.exe
    C:\Windows\system32\Bobabg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\Boldhf32.exe
      C:\Windows\system32\Boldhf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Hajkqfoe.exe
        
        C:\Windows\system32\Hajkqfoe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        25⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 228
        26⤵
        Program crash
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 228
        26⤵
        Program crash
        
        PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1160 -ip 1160
1⤵
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baampdgc.dll

Filesize
7KB

MD5
dc90aac7411dba54899fcd35d78c7f96

SHA1
8226216b51ec47a4653183b963c80cecfd4643f0

SHA256
ebc498a18866a76ca8e66b5621f36d194a2a0470555f3a1a0ebcf4b6603adb5e

SHA512
0f95678bb0fad6323a865a30ade0feaf7b88a490124dd7d6663041f8581f8243e0509e13055b8cfaa42d8da898cfd81f1a410cb8834ffb7fd0ddceb6778cf89b

Download Submit
C:\Windows\SysWOW64\Bobabg32.exe

Filesize
71KB

MD5
16f8ced21231b48bfa212dd2583f09a9

SHA1
262b0cde16caafa02128c27aa552757cc6f10999

SHA256
ecc4c670e3952fe212c9d666e4c3a19762d86f4b9c6213da883b8f0830199b77

SHA512
0f09bfb7d6ea2f50a09866f3b86c5a4b537ad64589193d5e106752d4b8a6c5577e7fc0d36ce9a64d2c2dd8ac7ad36dac77d6ece7df354a7e3c2ea63d988a46cf

Download Submit
C:\Windows\SysWOW64\Boldhf32.exe

Filesize
71KB

MD5
99e8fd482ff677dc691700078b9e0f0f

SHA1
0be14f02af4b3d57bf9c948311400c45b3e446e9

SHA256
15c4206b64c8a61d52c08cc7f03165ffc65446506cd974357f2353016bb4c754

SHA512
3a7bff50752917a820cbdebbc72b335ec64b32a26dbc87aa02bd34b731089983e7c31ca3f4bfadf8b982a1d9c987f8ac72f0cb077193fae30c45f1102d04502b

Download Submit
C:\Windows\SysWOW64\Ebfign32.exe

Filesize
71KB

MD5
4e2993169c7fc1b345cb5ee8bc3ad9b3

SHA1
4a40150c9834b59918f80d82e89f75b2887debf7

SHA256
c0b4c097f652a45bdd1d1f138b644f8e5db3e8472c4501d293ac1de9e3bcc048

SHA512
3f3cfd3515cb9a6d1c6a1dbcbd3dfb486b354435c98e17bae10d6f3be95d7a6d4e3f5fbc5773183cb3ffe06adbb7966f1b6b71f5a8a7632e12e7716d7f89642d

Download Submit
C:\Windows\SysWOW64\Fkmjaa32.exe

Filesize
71KB

MD5
2d460104f8e287a75d6e323a5dcc3abc

SHA1
75a41ec3969f04e27b18247c3c5db5e1277a6073

SHA256
d87e437fe346cf3642a06d1cbb73f07cfdd7517da353cde370ef5eb2dc1375c0

SHA512
83232a0b57440646b08621fa1ef3e31e3846108830cb2baee7eb3c94db08a92d7549aa1192e5a778cf33aead5c01b95ff6d480e020e015ddad574775fa942cc8

Download Submit
C:\Windows\SysWOW64\Geoapenf.exe

Filesize
71KB

MD5
d904bcc065e16c763865b17856280242

SHA1
3c72eaa68d0b724f03053543a5599edf2aafa753

SHA256
aa72a6ab53110711356cd1f7fb636fe318745e109cb74fb4f6bd7d2e739674b7

SHA512
4320c4177f0c6f5487c776bb7b2357d96f008f3f73feb4cea01f29be432f016ec01e78edb505bedf67409c7eceea882c240ffe58fd3891fcf34400c0cd2d5b8e

Download Submit
C:\Windows\SysWOW64\Hajkqfoe.exe

Filesize
71KB

MD5
b41278ee5dbc8eb46ec74aea400c37d3

SHA1
7110f17dda8fede2aec73ca91d84b814adeef69d

SHA256
b080c96391a9f1158fe9d8ed872efda6f6405feabb62183f132aa004004c7d84

SHA512
5e99d4c5c3f498d5cf8496e909a51f9112d264aaf9b3132d8d4f896665bfe60ea76dbd8f8fd896b095701d52fdf73959ab6e36e3475d972bc840b73bc74bff68

Download Submit
C:\Windows\SysWOW64\Hhimhobl.exe

Filesize
71KB

MD5
bbd54546917b84038d7c3981613f23d6

SHA1
ca7b44da076e6bf1e394185c1e6a5d7728273a31

SHA256
3390e1e993d455d949315b5b682f792d7cc0f935452dc137b4a07f232f73e61c

SHA512
4b664a701b9855b0702009231476a31623bcacb1a2b88bcf3a2bb35e38072365ff5d4cb4e704a6c78c14d7588a2cd539cb70bee9ccdc6cf357fed253f3a2b253

Download Submit
C:\Windows\SysWOW64\Ieccbbkn.exe

Filesize
71KB

MD5
a6ac8f64669a77cf693719d30b2c01dd

SHA1
8c61b2ca00b2076990da30f36dc89e16b4f61d01

SHA256
9846a2976fca255600ffd7df211d397d1a4f68707edfcdf4d91f50ccc65147c2

SHA512
fc8c3e5126b14c08f6070f591d0052d35f2c6aeae43f319b7d0ff865ab203a9bbc61e0a85bdb3da63d3f9cdeda4a3c2716368604dc85e8a29ff04381e660a929

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
71KB

MD5
3535ae12c8deb93b835126a0093860b3

SHA1
f5b2c300ab428b9736cb8d9af2d44665afef8e92

SHA256
6505672e5547848b11cb0ba21b43e65f6583d54250d964c320bab3436d34cfc0

SHA512
1061e66339c670d84dd3da6de4041c72a86745f229ff4173ddeb8f96d42a595120e03060661b676c59d9f8b34f8d29df70b961d35cd524d02a11bb372aa81c3f

Download Submit
C:\Windows\SysWOW64\Iogopi32.exe

Filesize
71KB

MD5
7fdc581eba1a180719bfee2283d36c53

SHA1
fac4eb2ff12c7a7e0a47099f8982afc8346346b4

SHA256
631cfe211e619399670549fda775cd24a6be6e174b1f6831ce87698630cb0f97

SHA512
da6b8570a6731ce13987a6e9826b6b690ca9d5379cb24c45c318c010f7219b09fc0e7ca537574432e6502b8956b2375e0415c64194f4ee237c2589dba9c14085

Download Submit
C:\Windows\SysWOW64\Jaonbc32.exe

Filesize
71KB

MD5
79fc6284dee668b1d3d4f82cd0d5eda8

SHA1
ddbc1fde46cf238cf98f6908bbe1c4e81e967bb7

SHA256
2a9a32ce3cb248c5c3a029c754aa0f721177eff1e9b5f2da01d08fb93a056e05

SHA512
71ce0fdcf7a02823d172dca742c149ac97c2bc6529d80523341770941bab03475490123444b56b404d5b722bfe54b324759e5f5d368e6e74b50b3cb74fbdd718

Download Submit
C:\Windows\SysWOW64\Jbccge32.exe

Filesize
71KB

MD5
08b5e3d5b343149c276e0df0b22213e6

SHA1
2561263a7013a3c0680b30c8eadcf6005d5e5db0

SHA256
526a19ce11b251b1ba9c7d7f67a0dd481390efa1641a7eb95a6c65310e233cad

SHA512
28a6edbbfab4e36de27388465722785e6d4cce4362fe4b86d22667bd00d29e81f68bafcfddb8d33ce03c22060e2e3bfaa057b22a7267f72bcd9fd3c49784af10

Download Submit
C:\Windows\SysWOW64\Jpbjfjci.exe

Filesize
71KB

MD5
8ab4abb86e588ebeebf1e21a2b71d2de

SHA1
807b5e5b4d1beb6426cda5ff4c1ce3044db34f4d

SHA256
a75150b03cf0718c5c35b9fa76deb6bf1f4dcc1e5121a1c2f6c829c97eee975b

SHA512
b1456875b4f68ae7c67382bcd279dbd80dfc6e35ba29a8b5dc435688388230afcc9653f9d70237aab5cf2c03b50d8700af83115a64113240ed5cc82e2e0ce982

Download Submit
C:\Windows\SysWOW64\Kcapicdj.exe

Filesize
71KB

MD5
7e86ad30b6de8c32ab54b9cd3eea1e78

SHA1
3fd1be2a0d00d6d5c9cab25cba553c0d7bce0bb6

SHA256
98aa8d7d9d85213422326e8cdfaa67988f4154a4792e394a119fc8b67d613c21

SHA512
dc6b54b58465750e887073e342b3634446ca6541933e799b2c15487569e357030f2586dff8a377b883f62e25c39a5536b63fce1326f80f393754327a51af7583

Download Submit
C:\Windows\SysWOW64\Klekfinp.exe

Filesize
71KB

MD5
5601d8b85500bcb6b85b76a3da2e54df

SHA1
d041045e19ce9a35d3d2772070be2172e5eef29f

SHA256
a94e146baa7df2fba6cae85b74ed3f1380b7cdbea588bcb143b108456ac8856f

SHA512
4ea7b9992b729c4d62ac5fc0738a3499a4c0bd8eda8f0989b363904a30d42e24d21421d03d3ff5d9774ca3b188815dd41cc32bfa6b816ac2384ca4024dd74e42

Download Submit
C:\Windows\SysWOW64\Klpakj32.exe

Filesize
71KB

MD5
75914f3ddcc01050b412d55bbc60d55b

SHA1
27a78cdda152b4b68c3c259f24de59c179fde844

SHA256
c3948883545d49afa05e4e169fb43da6c159bb257c736a99810695eab4379a48

SHA512
a776073b2e84db04e696c043915e4a81e3e7cbd53799e15c8dca9cc7b23c328eedf530af98a7d8ac5bef2bcf90a008b3d8c016d6cbdc95cf32cbc9d27d5ffff4

Download Submit
C:\Windows\SysWOW64\Lchfib32.exe

Filesize
71KB

MD5
a8002355ab95f6f629abb1fa36312fb0

SHA1
86e57be24b8bd6f763c0227db13d67568ae44f7b

SHA256
61bc28ea2abcdc022aa4d7ca5fb22eea77cd6c7fcf0cac214dec61bf7138c2ef

SHA512
2c1e463a7de6bd2ee1f37653147f8163a8aa343afb4e3718ce6bbab5a84da6b9570bc86646384afca488f87be06e5fdbc689b9c07d4f61185c01ffa47a90c541

Download Submit
C:\Windows\SysWOW64\Lebijnak.exe

Filesize
71KB

MD5
629f22f33a2b8c98b137b020d51dfb61

SHA1
f12c1f0c814d9f9dbd439151d0b322d1beb5aeb6

SHA256
b2e7563eccfaf7e42d3b352bc8ca3168163c5397fad3b8d811842e0463fc49d6

SHA512
ee71613c91b195778dc4e5ac8da9778ab8aef883439359f4e279389424a7b934e23143f6c880aad454d28ba97e98165e7e0929d4530b9681f9cba51b4a45eff1

Download Submit
C:\Windows\SysWOW64\Ljdkll32.exe

Filesize
71KB

MD5
947d3c683eca474de9a50b641bed1647

SHA1
7072d705fa22e0335863fe3586ef61194c077d84

SHA256
1052de78fb85d1d9b0645b0161fd195ba266c641ce1fe9b7095be58093149108

SHA512
ced0ccecdcb3b469c13b5aac6e40f5a98aa82c9a42e814e1e80a78b3b23586b200ff05dd8e8335033848649578b6316dfa5fbf43fb81fb5118ed816e2978a4c9

Download Submit
C:\Windows\SysWOW64\Mablfnne.exe

Filesize
71KB

MD5
e63bfb34e554c7121f41046f1de86afd

SHA1
d63967a8f7ba93596d9aa9ec93b19a4fb31e6345

SHA256
503f3547ee563656783b6f2b07ae540934ec13cf3bc64a56c7ea2a9c7f0c6349

SHA512
024ec80df645c52134d7b8801e6bb2743bcfe0a892c30263c52385669c11995414c31abaca1e1807bdcc74f55c7181bcd3715afc93c340767570edc4e7a746f6

Download Submit
C:\Windows\SysWOW64\Mjggal32.exe

Filesize
71KB

MD5
0befde9b4397d81c474fc616137749ed

SHA1
cb78bbdeb85b44933d025bad3b3257c335ada7df

SHA256
46fa724c7da73f783b673c26570ae809fa25ad1209646d6edd57a1e89a7c7f82

SHA512
04863ee4789cc4b6ccea3fd768c0eaa6f236eeb5da68d7ea822e7a3c2df16ee1c7d2816b0e362ac56ef22d226b68675e8712e95c1b60b24a79200c6e07ac6f5a

Download Submit
C:\Windows\SysWOW64\Ockdmmoj.exe

Filesize
71KB

MD5
067164672a8a82fc8158edb96f0d731d

SHA1
0f394ea5e519ecfd577d717fd79c3435231c2d71

SHA256
f65462cc6210779ef9781d8b54b2fbf9248a81d6b3a21d0252478cd108f359ef

SHA512
e3cb73aa57eaa93cb2e672bab4d0eace7cc011e9cdf96109d6b6957d26b1db926cf80ee9dfa0731eb25af0b05f230d2b314a36fec43534370ee63e83aa95150b

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
71KB

MD5
f6caa31ba6b9b68d27fb54183fca3eec

SHA1
398f7fc9306206bb1640cfbcad984789cacbb2c8

SHA256
2aa6682296f2d4756e7cbe128efee0524b89838cafdb41e52a908c0d619a8aa8

SHA512
3ac025b81338865ce6fe2e31470afb155d139832881d1ae0ffd2e19ccd288a1fe51867dd41b38676a4de0aac88e903bc1c018fad787f9f46e95ef670e4b274dc

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
71KB

MD5
5a5c95f58c6b7c1188df53c4844288cd

SHA1
40ff6e9e7e857b76c47e3845264cca9d2bddd3b7

SHA256
f5a846e13abf2eda5a0027ec80c304cc855373f924c3c2b1846a6039269f05f2

SHA512
5fdd95f729675e9b85a24d40922a8f7bb76f18bc86a1dad09ae904f838a03ab1e8496618fafcf37954734cc4463b202a4540b67c7184ad0fb67e5949217db62d

Download Submit
memory/228-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/228-206-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/232-217-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/232-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/452-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/452-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-210-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/936-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/936-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1132-194-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1132-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1160-202-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1160-192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1268-207-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1268-151-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1824-204-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1824-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2032-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2032-205-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2088-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2088-198-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2296-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2296-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2752-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2752-195-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3036-197-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3036-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3516-213-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3516-111-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3856-209-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3856-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4016-199-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4016-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4484-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4484-212-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4544-183-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4544-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4612-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4612-196-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4620-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4620-211-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4700-208-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4700-144-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4756-193-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4756-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4780-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4780-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5056-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5056-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads