a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
Size

377KB
MD5

1851f2181521212a61d3f5f3de1e5830
SHA1

de5b06df9fff1418859cc8193bd63314d779342b
SHA256

a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca
SHA512

650616125225928e53900876f97f9c14b8f807aa13d06460acc50835ccd15543e7097562f82fc3808b64cb013714e662b9bb34f4d83162d09b240c5da06c35c5
SSDEEP

6144:FAT4F6kJBApmdNp5O4KxVdGGSgnohijgAUv5fKx/SgnohignC5V:FAN9cO5HdjdMTv5i1dayV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cbmlmmjd.exePkklbh32.exeQpbgnecp.exeApimodmh.exeBmimdg32.exePcfmneaa.exeMaaekg32.exeMdbnmbhj.exeNakhaf32.exeObidcdfo.exeObnnnc32.exeAehbmk32.exeCepadh32.exea1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exeJeaiij32.exeMkgmoncl.exeNbbnbemf.exeBlgddd32.exeKdmlkfjb.exeLhpnlclc.exeFqphic32.exeJlanpfkj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmimdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaekg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aehbmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmoncl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blgddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aehbmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmimdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepadh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaekg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apimodmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmoncl.exe

Executes dropped EXE 22 IoCs

Processes:

Fqphic32.exeJlanpfkj.exeJeaiij32.exeKdmlkfjb.exeLhpnlclc.exeMkgmoncl.exeMaaekg32.exeMdbnmbhj.exeNakhaf32.exeNbbnbemf.exeObidcdfo.exeObnnnc32.exePkklbh32.exePcfmneaa.exeQpbgnecp.exeApimodmh.exeAehbmk32.exeBlgddd32.exeBmimdg32.exeCbmlmmjd.exeCepadh32.exeDbkhnk32.exe

pid	process
1104	Fqphic32.exe
2072	Jlanpfkj.exe
1688	Jeaiij32.exe
1636	Kdmlkfjb.exe
3036	Lhpnlclc.exe
3852	Mkgmoncl.exe
2028	Maaekg32.exe
2460	Mdbnmbhj.exe
1336	Nakhaf32.exe
4776	Nbbnbemf.exe
1648	Obidcdfo.exe
3508	Obnnnc32.exe
1836	Pkklbh32.exe
964	Pcfmneaa.exe
1812	Qpbgnecp.exe
3636	Apimodmh.exe
2304	Aehbmk32.exe
4252	Blgddd32.exe
456	Bmimdg32.exe
4388	Cbmlmmjd.exe
4604	Cepadh32.exe
4208	Dbkhnk32.exe

Drops file in System32 directory 64 IoCs

Processes:

Pkklbh32.exea1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exeJeaiij32.exeLhpnlclc.exeMkgmoncl.exeMdbnmbhj.exeNakhaf32.exeObnnnc32.exeApimodmh.exeBlgddd32.exeBmimdg32.exeObidcdfo.exeFqphic32.exeJlanpfkj.exeMaaekg32.exeAehbmk32.exeKdmlkfjb.exeNbbnbemf.exePcfmneaa.exeQpbgnecp.exeCbmlmmjd.exeCepadh32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Kannaq32.dll	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Iffahdpm.dll	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
File created	C:\Windows\SysWOW64\Kdmlkfjb.exe	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Eoggpbpn.dll	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Emnhomim.dll	Mkgmoncl.exe
File created	C:\Windows\SysWOW64\Nakhaf32.exe	Mdbnmbhj.exe
File created	C:\Windows\SysWOW64\Eiebmbnn.dll	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Pkklbh32.exe	Obnnnc32.exe
File created	C:\Windows\SysWOW64\Aehbmk32.exe	Apimodmh.exe
File opened for modification	C:\Windows\SysWOW64\Bmimdg32.exe	Blgddd32.exe
File created	C:\Windows\SysWOW64\Ehepld32.dll	Blgddd32.exe
File created	C:\Windows\SysWOW64\Cbmlmmjd.exe	Bmimdg32.exe
File opened for modification	C:\Windows\SysWOW64\Nbbnbemf.exe	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Obidcdfo.exe
File opened for modification	C:\Windows\SysWOW64\Jlanpfkj.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Jeaiij32.exe	Jlanpfkj.exe
File created	C:\Windows\SysWOW64\Caekaaoh.dll	Maaekg32.exe
File created	C:\Windows\SysWOW64\Pbgnqacq.dll	Obidcdfo.exe
File created	C:\Windows\SysWOW64\Blgddd32.exe	Aehbmk32.exe
File created	C:\Windows\SysWOW64\Jlanpfkj.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Bmimdg32.exe	Blgddd32.exe
File opened for modification	C:\Windows\SysWOW64\Lhpnlclc.exe	Kdmlkfjb.exe
File created	C:\Windows\SysWOW64\Idhdlmdd.dll	Kdmlkfjb.exe
File created	C:\Windows\SysWOW64\Obidcdfo.exe	Nbbnbemf.exe
File created	C:\Windows\SysWOW64\Kmqbkkce.dll	Nbbnbemf.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Obidcdfo.exe
File opened for modification	C:\Windows\SysWOW64\Aehbmk32.exe	Apimodmh.exe
File created	C:\Windows\SysWOW64\Qpbgnecp.exe	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Pcfmneaa.exe	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Apimodmh.exe	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Ckdlidhm.dll	Fqphic32.exe
File created	C:\Windows\SysWOW64\Fbkcnp32.dll	Jeaiij32.exe
File opened for modification	C:\Windows\SysWOW64\Pcfmneaa.exe	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Pbphca32.dll	Pcfmneaa.exe
File opened for modification	C:\Windows\SysWOW64\Apimodmh.exe	Qpbgnecp.exe
File opened for modification	C:\Windows\SysWOW64\Kdmlkfjb.exe	Jeaiij32.exe
File opened for modification	C:\Windows\SysWOW64\Maaekg32.exe	Mkgmoncl.exe
File created	C:\Windows\SysWOW64\Fqkiecpd.dll	Qpbgnecp.exe
File opened for modification	C:\Windows\SysWOW64\Cepadh32.exe	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Fqphic32.exe	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
File opened for modification	C:\Windows\SysWOW64\Obidcdfo.exe	Nbbnbemf.exe
File opened for modification	C:\Windows\SysWOW64\Blgddd32.exe	Aehbmk32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Cepadh32.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Cepadh32.exe
File created	C:\Windows\SysWOW64\Pceijm32.dll	Jlanpfkj.exe
File opened for modification	C:\Windows\SysWOW64\Mdbnmbhj.exe	Maaekg32.exe
File created	C:\Windows\SysWOW64\Ipiddlhk.dll	Mdbnmbhj.exe
File opened for modification	C:\Windows\SysWOW64\Qpbgnecp.exe	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Nfcnnnil.dll	Bmimdg32.exe
File created	C:\Windows\SysWOW64\Mdbnmbhj.exe	Maaekg32.exe
File opened for modification	C:\Windows\SysWOW64\Pkklbh32.exe	Obnnnc32.exe
File created	C:\Windows\SysWOW64\Ibinlbli.dll	Apimodmh.exe
File opened for modification	C:\Windows\SysWOW64\Fqphic32.exe	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
File opened for modification	C:\Windows\SysWOW64\Jeaiij32.exe	Jlanpfkj.exe
File created	C:\Windows\SysWOW64\Mkgmoncl.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Nbbnbemf.exe	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Boipkd32.dll	Aehbmk32.exe
File created	C:\Windows\SysWOW64\Lhpnlclc.exe	Kdmlkfjb.exe
File opened for modification	C:\Windows\SysWOW64\Nakhaf32.exe	Mdbnmbhj.exe
File created	C:\Windows\SysWOW64\Fflnkhef.dll	Obnnnc32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmoncl.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Maaekg32.exe	Mkgmoncl.exe
File opened for modification	C:\Windows\SysWOW64\Cbmlmmjd.exe	Bmimdg32.exe
File created	C:\Windows\SysWOW64\Cepadh32.exe	Cbmlmmjd.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4976 4208 WerFault.exe Dbkhnk32.exe

pid	pid_target	process	target process
4976	4208	WerFault.exe	Dbkhnk32.exe

Modifies registry class 64 IoCs

Processes:

Jeaiij32.exeMaaekg32.exePkklbh32.exeAehbmk32.exeBlgddd32.exeApimodmh.exea1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exeNakhaf32.exeObidcdfo.exeObnnnc32.exeCbmlmmjd.exeFqphic32.exeBmimdg32.exeCepadh32.exeJlanpfkj.exeMdbnmbhj.exePcfmneaa.exeMkgmoncl.exeKdmlkfjb.exeNbbnbemf.exeQpbgnecp.exeLhpnlclc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caekaaoh.dll"	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kannaq32.dll"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aehbmk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blgddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apimodmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fflnkhef.dll"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkcnp32.dll"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibinlbli.dll"	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcnnnil.dll"	Bmimdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmimdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepadh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmimdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffahdpm.dll"	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emnhomim.dll"	Mkgmoncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blgddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbphca32.dll"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiebmbnn.dll"	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaekg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbbnbemf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boipkd32.dll"	Aehbmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehepld32.dll"	Blgddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoggpbpn.dll"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipiddlhk.dll"	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgnqacq.dll"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdlidhm.dll"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaekg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aehbmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befogbik.dll"	Cbmlmmjd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exeFqphic32.exeJlanpfkj.exeJeaiij32.exeKdmlkfjb.exeLhpnlclc.exeMkgmoncl.exeMaaekg32.exeMdbnmbhj.exeNakhaf32.exeNbbnbemf.exeObidcdfo.exeObnnnc32.exePkklbh32.exePcfmneaa.exeQpbgnecp.exeApimodmh.exeAehbmk32.exeBlgddd32.exeBmimdg32.exeCbmlmmjd.exeCepadh32.exe

description	pid	process	target process
PID 2100 wrote to memory of 1104	2100	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe	Fqphic32.exe
PID 2100 wrote to memory of 1104	2100	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe	Fqphic32.exe
PID 2100 wrote to memory of 1104	2100	a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe	Fqphic32.exe
PID 1104 wrote to memory of 2072	1104	Fqphic32.exe	Jlanpfkj.exe
PID 1104 wrote to memory of 2072	1104	Fqphic32.exe	Jlanpfkj.exe
PID 1104 wrote to memory of 2072	1104	Fqphic32.exe	Jlanpfkj.exe
PID 2072 wrote to memory of 1688	2072	Jlanpfkj.exe	Jeaiij32.exe
PID 2072 wrote to memory of 1688	2072	Jlanpfkj.exe	Jeaiij32.exe
PID 2072 wrote to memory of 1688	2072	Jlanpfkj.exe	Jeaiij32.exe
PID 1688 wrote to memory of 1636	1688	Jeaiij32.exe	Kdmlkfjb.exe
PID 1688 wrote to memory of 1636	1688	Jeaiij32.exe	Kdmlkfjb.exe
PID 1688 wrote to memory of 1636	1688	Jeaiij32.exe	Kdmlkfjb.exe
PID 1636 wrote to memory of 3036	1636	Kdmlkfjb.exe	Lhpnlclc.exe
PID 1636 wrote to memory of 3036	1636	Kdmlkfjb.exe	Lhpnlclc.exe
PID 1636 wrote to memory of 3036	1636	Kdmlkfjb.exe	Lhpnlclc.exe
PID 3036 wrote to memory of 3852	3036	Lhpnlclc.exe	Mkgmoncl.exe
PID 3036 wrote to memory of 3852	3036	Lhpnlclc.exe	Mkgmoncl.exe
PID 3036 wrote to memory of 3852	3036	Lhpnlclc.exe	Mkgmoncl.exe
PID 3852 wrote to memory of 2028	3852	Mkgmoncl.exe	Maaekg32.exe
PID 3852 wrote to memory of 2028	3852	Mkgmoncl.exe	Maaekg32.exe
PID 3852 wrote to memory of 2028	3852	Mkgmoncl.exe	Maaekg32.exe
PID 2028 wrote to memory of 2460	2028	Maaekg32.exe	Mdbnmbhj.exe
PID 2028 wrote to memory of 2460	2028	Maaekg32.exe	Mdbnmbhj.exe
PID 2028 wrote to memory of 2460	2028	Maaekg32.exe	Mdbnmbhj.exe
PID 2460 wrote to memory of 1336	2460	Mdbnmbhj.exe	Nakhaf32.exe
PID 2460 wrote to memory of 1336	2460	Mdbnmbhj.exe	Nakhaf32.exe
PID 2460 wrote to memory of 1336	2460	Mdbnmbhj.exe	Nakhaf32.exe
PID 1336 wrote to memory of 4776	1336	Nakhaf32.exe	Nbbnbemf.exe
PID 1336 wrote to memory of 4776	1336	Nakhaf32.exe	Nbbnbemf.exe
PID 1336 wrote to memory of 4776	1336	Nakhaf32.exe	Nbbnbemf.exe
PID 4776 wrote to memory of 1648	4776	Nbbnbemf.exe	Obidcdfo.exe
PID 4776 wrote to memory of 1648	4776	Nbbnbemf.exe	Obidcdfo.exe
PID 4776 wrote to memory of 1648	4776	Nbbnbemf.exe	Obidcdfo.exe
PID 1648 wrote to memory of 3508	1648	Obidcdfo.exe	Obnnnc32.exe
PID 1648 wrote to memory of 3508	1648	Obidcdfo.exe	Obnnnc32.exe
PID 1648 wrote to memory of 3508	1648	Obidcdfo.exe	Obnnnc32.exe
PID 3508 wrote to memory of 1836	3508	Obnnnc32.exe	Pkklbh32.exe
PID 3508 wrote to memory of 1836	3508	Obnnnc32.exe	Pkklbh32.exe
PID 3508 wrote to memory of 1836	3508	Obnnnc32.exe	Pkklbh32.exe
PID 1836 wrote to memory of 964	1836	Pkklbh32.exe	Pcfmneaa.exe
PID 1836 wrote to memory of 964	1836	Pkklbh32.exe	Pcfmneaa.exe
PID 1836 wrote to memory of 964	1836	Pkklbh32.exe	Pcfmneaa.exe
PID 964 wrote to memory of 1812	964	Pcfmneaa.exe	Qpbgnecp.exe
PID 964 wrote to memory of 1812	964	Pcfmneaa.exe	Qpbgnecp.exe
PID 964 wrote to memory of 1812	964	Pcfmneaa.exe	Qpbgnecp.exe
PID 1812 wrote to memory of 3636	1812	Qpbgnecp.exe	Apimodmh.exe
PID 1812 wrote to memory of 3636	1812	Qpbgnecp.exe	Apimodmh.exe
PID 1812 wrote to memory of 3636	1812	Qpbgnecp.exe	Apimodmh.exe
PID 3636 wrote to memory of 2304	3636	Apimodmh.exe	Aehbmk32.exe
PID 3636 wrote to memory of 2304	3636	Apimodmh.exe	Aehbmk32.exe
PID 3636 wrote to memory of 2304	3636	Apimodmh.exe	Aehbmk32.exe
PID 2304 wrote to memory of 4252	2304	Aehbmk32.exe	Blgddd32.exe
PID 2304 wrote to memory of 4252	2304	Aehbmk32.exe	Blgddd32.exe
PID 2304 wrote to memory of 4252	2304	Aehbmk32.exe	Blgddd32.exe
PID 4252 wrote to memory of 456	4252	Blgddd32.exe	Bmimdg32.exe
PID 4252 wrote to memory of 456	4252	Blgddd32.exe	Bmimdg32.exe
PID 4252 wrote to memory of 456	4252	Blgddd32.exe	Bmimdg32.exe
PID 456 wrote to memory of 4388	456	Bmimdg32.exe	Cbmlmmjd.exe
PID 456 wrote to memory of 4388	456	Bmimdg32.exe	Cbmlmmjd.exe
PID 456 wrote to memory of 4388	456	Bmimdg32.exe	Cbmlmmjd.exe
PID 4388 wrote to memory of 4604	4388	Cbmlmmjd.exe	Cepadh32.exe
PID 4388 wrote to memory of 4604	4388	Cbmlmmjd.exe	Cepadh32.exe
PID 4388 wrote to memory of 4604	4388	Cbmlmmjd.exe	Cepadh32.exe
PID 4604 wrote to memory of 4208	4604	Cepadh32.exe	Dbkhnk32.exe

C:\Users\Admin\AppData\Local\Temp\a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe
"C:\Users\Admin\AppData\Local\Temp\a1073431325a943961a2e68915f957fe6fa4ee376d65cea106744ecccb8b47ca.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\Fqphic32.exe
C:\Windows\system32\Fqphic32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\Jlanpfkj.exe
C:\Windows\system32\Jlanpfkj.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\Jeaiij32.exe
C:\Windows\system32\Jeaiij32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\Kdmlkfjb.exe
C:\Windows\system32\Kdmlkfjb.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\Lhpnlclc.exe
C:\Windows\system32\Lhpnlclc.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\Mkgmoncl.exe
C:\Windows\system32\Mkgmoncl.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\Maaekg32.exe
C:\Windows\system32\Maaekg32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\Mdbnmbhj.exe
C:\Windows\system32\Mdbnmbhj.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\Nakhaf32.exe
C:\Windows\system32\Nakhaf32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\Nbbnbemf.exe
C:\Windows\system32\Nbbnbemf.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\Obidcdfo.exe
C:\Windows\system32\Obidcdfo.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\Obnnnc32.exe
C:\Windows\system32\Obnnnc32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\Pkklbh32.exe
C:\Windows\system32\Pkklbh32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\Pcfmneaa.exe
C:\Windows\system32\Pcfmneaa.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\Qpbgnecp.exe
C:\Windows\system32\Qpbgnecp.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\Apimodmh.exe
C:\Windows\system32\Apimodmh.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\Aehbmk32.exe
C:\Windows\system32\Aehbmk32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\Blgddd32.exe
C:\Windows\system32\Blgddd32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\Bmimdg32.exe
C:\Windows\system32\Bmimdg32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\Cbmlmmjd.exe
C:\Windows\system32\Cbmlmmjd.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\Cepadh32.exe
C:\Windows\system32\Cepadh32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\Dbkhnk32.exe
C:\Windows\system32\Dbkhnk32.exe
23⤵
- Executes dropped EXE
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 400
24⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4208 -ip 4208
1⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aehbmk32.exe
Filesize
377KB

MD5
77100439d07d0a87de8c2d88b889227f

SHA1
161f795b37ccb6e31e008f3fba71b570b3c7253d

SHA256
f5a39c789191f98c8649846a1cd1413a2fbc6d747ab72b255be4a4ef35a819d9

SHA512
ff447d3560fc52d6e54dd8fb33af0973f5619d0800cba300c31c1c7a3533d58f19b008cee363f3e793964767992519a51375f9f02b1114788be348a3a1750da5

Download Submit
C:\Windows\SysWOW64\Apimodmh.exe
Filesize
377KB

MD5
1e45a74b8cdb4604e56f3a44ddc3894c

SHA1
056e03986c0a87c679e8d4937728b7206dad07a9

SHA256
e1372feb3803837cf3d6c62702c7b28a1722199c77b77db672db3e85ca5a6b79

SHA512
c42409a6e88a247dfd2a203c8e3a55e62c6296a00751173ccf59ad65033ed12fafecd2b6a755c3d36690628d87c584eedf181e8f20d7d16240c0184eb52ee028

Download Submit
C:\Windows\SysWOW64\Blgddd32.exe
Filesize
377KB

MD5
5a424d5a1bd18252412de7c2bf6c228d

SHA1
f956e83df766176146157f08eff28351ceb99918

SHA256
72c5df3f2bfde6d25602dcbd116e7793cd683a546ffb783fc4194b8aa4e6e300

SHA512
95c601bfa5f1b206f0194de4b53e19545172c583576cc5feabf62afd3047c667071e5144685a5701b70cf23c078767af863ec390d48d6cc754ccd2fc64c75305

Download Submit
C:\Windows\SysWOW64\Bmimdg32.exe
Filesize
377KB

MD5
f586ba293a2eaa15ff537381d7cfdd26

SHA1
36f1f3aee10f650071b145b5cfaf088934e59f8a

SHA256
834d6898175bec89518c0415a7e61e165dd6eca9fbc35ecf6388733904189678

SHA512
59e9c3316de8506935308ec3081f13993f76e4f15ebb9f1db9e53c3336a3abbbca5107dbac8eba822f7fcf3f964de0f3cb262dee9891f578cf4683033f4c3bf5

Download Submit
C:\Windows\SysWOW64\Cbmlmmjd.exe
Filesize
377KB

MD5
69a0a73f2449ed6a5559f9ef4d3912b9

SHA1
a48756ef051c974045ef3e9db93e080c0726e1a9

SHA256
28657251b81534579ca5327343893cf0a25c8035719ab22e6eb69be0f23d45a7

SHA512
5e5ede2dd29fcde98d98712c0d0236b0262f0275c1829c064443426303bba42aa70a6a130a04b2681ccb76b57c1aec8ac403ef0d154e6205607ea3608faf515e

Download Submit
C:\Windows\SysWOW64\Cepadh32.exe
Filesize
377KB

MD5
2a76aeb29a3a098da5b0c51c33d92a7f

SHA1
1c277acca0661939e9710daa559b73669970387e

SHA256
b4290a6b7ea3f66f38973a83b92a594fddc74a99302d3d494100822ef4c25ee0

SHA512
c52cac39e446ba58a23319905cc403a6c975a15e946395fad724b9b98491d6787c57e5e30d76571e045dc481aa1de4e4ffbe21bbacdf208b3b49494e282fdc74

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe
Filesize
377KB

MD5
616f1e7c8e894f78cc7a365777656a5f

SHA1
11325e8ad553b557820445864f9d22e57b8a9c1c

SHA256
ce0b88deb1fbc302a3579a6a6dfc500a974ebfc503c33526ec6b0c24accbaad4

SHA512
0a8039258394429661545a931f59f294a3858cb2ae877d530f7f7bb89c336e4151959b2bb20dc19ec04ff083aa6b819cb0e20215f37138d6e8012f4e4ef7b756

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe
Filesize
377KB

MD5
b003301dbddbcf9d999e4a1ba6de2069

SHA1
2a3e096405c90fc8b97027d8cf83e094df73fb73

SHA256
050fd82ad1ee4dcb4bbd8610a7c8d223f3b22bb55f575772800c1bab90da1529

SHA512
e74301654ae480a0db6b26f685d4d47f80b00eb6ecbfa13fbe7b9856566fa66172cfa334e5756f0b96672a1ec5b55a8204aa4c18385e1383d9cf006150d48d98

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe
Filesize
377KB

MD5
873917ba3a80afc1b41feda17bceb80e

SHA1
d21875bf3fad4f5bfcaadd0b23bb7ef90e2a77e7

SHA256
2a0c61380b081e09c6e28b7299c4f007b3b86f10a4239387637127e7d4db3bc0

SHA512
2670e72cb5c30f76357f8ebebae4c0396deb997dd89bbcb4e37b1623209bb146f09332982d22ce019a9a8ba1e00aa660999c39f72e94f000764173b444f9a258

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe
Filesize
377KB

MD5
6125c50f672c85d00040c1ed57e05191

SHA1
2bfc9f4029f926c068d7752e77c35fab8ba91f68

SHA256
ca7a5f1684b1bf823d0fd8d0e82aba08b765523736c7204606b9c9538b5ea132

SHA512
42653700ae3b141b3343bb9af0b159878c18b4a6b759633cb8805480fde03326e76d1c0635f06c0e6b1d8bedbd0fd76c0b3082648984a06d00a04c67c1c8d0ea

Download Submit
C:\Windows\SysWOW64\Kdmlkfjb.exe
Filesize
377KB

MD5
607dd540033f855547e36af2797c91bb

SHA1
bc244330744bdc536ff413f87c0f160224c0b040

SHA256
375780f357a39592f63c9f229b442275e841563272bef53efc78fb9e52dfa060

SHA512
19e82398193cf22e8c25edb3b1186accd8f501cda532ff642f0ba837aa42a62713de901fec64215d1394453ad150d0e570ddf5fd530dd47e4d2786179a165f88

Download Submit
C:\Windows\SysWOW64\Lhpnlclc.exe
Filesize
377KB

MD5
64c74a7d1b674ef80224eb480369d83a

SHA1
6302c25f8940ed0d2732e2d3ae3edcf7762e88ee

SHA256
c3f037262fcf12095cea7ebbc58a68466394ffad407208d1a707d0dd0013abc2

SHA512
284a79723e906e6231f6304a9c5cc79fb362fa4a94124aced162040c27149dc28c1c30c2419934c74883a0d4c6c23bb5fc79b68b0fafa68027d68b90be8594fb

Download Submit
C:\Windows\SysWOW64\Maaekg32.exe
Filesize
377KB

MD5
7c3bad8177dae8282909faa29561d8ef

SHA1
1b9ee2d90e4b31bab50444f6329ef261fcc6dd51

SHA256
0a58df8848d1aca39d95baf4e0e1fb685cacc50087bad1998140090db5f96c7c

SHA512
86f5601699f0d212f3bc7b6bc6e0cf709da1d3c47cc97f0c770e880410c4c84d1f4790fa9fab1a4cdb6fc22af0978539a5cfe5c39b9a503ebdbda899ad5d8a93

Download Submit
C:\Windows\SysWOW64\Mdbnmbhj.exe
Filesize
377KB

MD5
1dca172d7214d0c439c9319bd6c59711

SHA1
81dc8240431a36cabfabd8212b69bf6b454ffe49

SHA256
7956d104ce8da54a66cc2a6bc6e7232901239e57037574414591faab69a59707

SHA512
aa28dbd0d55b99b4380585b0b8883616ee328cbbd892a307851c27fbe2521046995192f4e4629d673ce07b1602871e2e70414f88fc7f16d651bcb6e4e320eebb

Download Submit
C:\Windows\SysWOW64\Mkgmoncl.exe
Filesize
377KB

MD5
eac57394c613f59e7591efba42afa8ac

SHA1
d761da56deb11bcaeec0ad406032039dab6c56fb

SHA256
021ea106f95d7a3ba793a39bd74ff12d8d0cb39e6be9a5d4a8190e8f5c771dcf

SHA512
de117f5413cb9d82d6b6d5943c44b16c3a2d4b4ff0778b22762f388062e78cc8f77b83b8b02f91c5b49403cf164aaf9b6e241e592c18a428810ffe129ac9ff32

Download Submit
C:\Windows\SysWOW64\Nakhaf32.exe
Filesize
377KB

MD5
11b24fed8e4d130b62b6b783e9acc85e

SHA1
a02b9a36939ea53056a0e7cd1347d5bb6226c025

SHA256
9e47b34ed85396d14b282032cb6cccc6ed6647fdf221626fa862da361c4586e0

SHA512
4cd2136b0d3c0e24757c9ca960ef242c99e0a0f1ec364fe9f22ac74b959dd4517a4d7bd3d125d0563c0c34c0ccb67b6b8735cb988b5c5213333c4b61cbba0884

Download Submit
C:\Windows\SysWOW64\Nbbnbemf.exe
Filesize
377KB

MD5
5d0de6f22dc09352cda20addc3faba0a

SHA1
4b97f6b65d567b8411c39781c157d84bab058d46

SHA256
fc722ad07395ff0424ca74c506a4095e89c034ba528442c86f304a3c23629140

SHA512
b09608b38fcb14b79f2138dcc05699b2f92a34874e3e77bb1cd21c3c4b74224b73c2ad5f4ae054b79e237cd00f8b936a4112511a4108c309d9c607dfa7c1a405

Download Submit
C:\Windows\SysWOW64\Obidcdfo.exe
Filesize
377KB

MD5
745c4db37eec6731b6b72453b8b3291b

SHA1
857de6ff0f2e0267885b7e9c850fe207e62c852b

SHA256
1b1602371b48f599f05b3bd4f3373a413aaa7513e3e8e39207490c55f076d06f

SHA512
eb243d1bb33e33127863120b1be6c5840d7201361f940ec1df401d25c879954e741e530c8a88c0f8ad77b5e0f7c371ba1af99df35fae18f5ef8ea12a68fdf4c8

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe
Filesize
377KB

MD5
c1825259a9a5710e6061cdfbde7b4cc9

SHA1
104c984d49713c306e5e2cee94daee921051df1c

SHA256
d5c6211293faea44ff9962cca1024bef393baffcaf76bcac9c2e4c991d8d2501

SHA512
a0d7dc2bb81e3a68de1a6e811ad01d766f8edce2bf6964810684f948ae7aa16901ed16544d413eae216e37870c3ff0c840a79f1fe89744a16ca7c3d6de91578e

Download Submit
C:\Windows\SysWOW64\Pcfmneaa.exe
Filesize
377KB

MD5
ef6bdf3201c7b3fcb17e58bffd5e56c8

SHA1
2a15ba4bafda7cbf3fd047bc006b955cea9e845e

SHA256
6ffe87a2fa367e59aede04f83020a4fb4d6b81ae493d66b8b49a3a44724d60ef

SHA512
bb14c08d99abb977c116760ac8a633b07693c347e3d9362f8c9d0e3fe7a2f3bc3ce181ea9e51ae1013803b475f7a4530411c7bac367e690f81e40ab113352e77

Download Submit
C:\Windows\SysWOW64\Pkklbh32.exe
Filesize
377KB

MD5
e654508a290e3b58693bb0d0cf2abcb1

SHA1
bd21a6d8cfaa26c076dae48d039754133fd80a11

SHA256
4571587e6759709425713fcd3572dd86dea12960d6fd0db3827f80b26fb8faa8

SHA512
3e24625b3c87c06592850a26904eb0ab28b4a29b9a39db3e99be8443c3fec971f4bcd621fdd87ddb6c5927aa7dbe8104afe57f027830a696c175081ed7474d6a

Download Submit
C:\Windows\SysWOW64\Qpbgnecp.exe
Filesize
377KB

MD5
017638fcf6c59e47f9ce2a95de93b346

SHA1
e158c291e91b1394a80b1132c7b4944bb079a649

SHA256
573bce272295e788092591bfa715baf6513b8e128eb06e186f52fee56ddd698e

SHA512
b23015af664931cf1fcc70e9a38e38b6145db9dd5a0018f7bc08e8f6c5b15c8855c09a163fdea3cf244314af476ac6a5c1aee3f391cae487b51c423f729fd61d

Download Submit
memory/456-154-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/456-278-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/964-114-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/964-267-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1104-10-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1104-234-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1336-253-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1336-73-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1636-242-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1636-33-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1648-89-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1648-256-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1688-237-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1688-30-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1812-121-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1812-269-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1836-265-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1836-105-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2028-58-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2028-248-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2072-239-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2072-17-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2100-238-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2100-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2100-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2100-240-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2304-137-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2304-273-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2460-250-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2460-65-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3036-244-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3036-41-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3508-97-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3508-258-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3636-275-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3636-129-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3852-50-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3852-246-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4208-285-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4208-177-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4252-145-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4252-274-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4388-279-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4388-162-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-170-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-281-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4776-254-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4776-81-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download