e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Size

3.2MB
MD5

2353c3f467be78e36e934caf5f3c3b61
SHA1

a70e019d5d6ff33803f313a057163f08a4aa6d80
SHA256

c193a4570ffc3edd6762764d06225d56268367aa8ff0feb2f8d0f17f4ee16195
SHA512

078a9b68dea33fe3848ad39a38b07f0a94a455add594ad615eee20270a862dae451073e724245d302f33e55675e5f81a439d2df2c7ee3120ac75be905d8ad9e2
SSDEEP

98304:6lBFLPj3JStuv40ar7zrbDlsa2VIlPWYv1NTPKnllYUugy:6lBFLPj3JStuv40ar7zrbDlsa2VIlPW+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcabmga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnqqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ednpej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekhhadmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efaibbij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emkaol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnfhlin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqkqkdne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcabmga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Behnnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednpej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqkqkdne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enfenplo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Naajoinb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alnqqd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aamfnkai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baakhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emnndlod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naajoinb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obafnlpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aamfnkai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baakhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnfhlin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obafnlpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekhhadmk.exe

Executes dropped EXE 23 IoCs

pid	Process
1556	Mgnfhlin.exe
1980	Naajoinb.exe
1652	Oqkqkdne.exe
2396	Obafnlpn.exe
1688	Pjcabmga.exe
2912	Alnqqd32.exe
2716	Aamfnkai.exe
2740	Behnnm32.exe
1920	Baakhm32.exe
1472	Dhbfdjdp.exe
2648	Ehgppi32.exe
1720	Ednpej32.exe
1172	Ekhhadmk.exe
1416	Enfenplo.exe
1888	Edpmjj32.exe
1264	Efaibbij.exe
2212	Emkaol32.exe
2084	Eojnkg32.exe
1676	Ejobhppq.exe
1752	Emnndlod.exe
380	Echfaf32.exe
2108	Fidoim32.exe
2132	Fkckeh32.exe

Loads dropped DLL 50 IoCs

pid	Process
2856	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
2856	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
1556	Mgnfhlin.exe
1556	Mgnfhlin.exe
1980	Naajoinb.exe
1980	Naajoinb.exe
1652	Oqkqkdne.exe
1652	Oqkqkdne.exe
2396	Obafnlpn.exe
2396	Obafnlpn.exe
1688	Pjcabmga.exe
1688	Pjcabmga.exe
2912	Alnqqd32.exe
2912	Alnqqd32.exe
2716	Aamfnkai.exe
2716	Aamfnkai.exe
2740	Behnnm32.exe
2740	Behnnm32.exe
1920	Baakhm32.exe
1920	Baakhm32.exe
1472	Dhbfdjdp.exe
1472	Dhbfdjdp.exe
2648	Ehgppi32.exe
2648	Ehgppi32.exe
1720	Ednpej32.exe
1720	Ednpej32.exe
1172	Ekhhadmk.exe
1172	Ekhhadmk.exe
1416	Enfenplo.exe
1416	Enfenplo.exe
1888	Edpmjj32.exe
1888	Edpmjj32.exe
1264	Efaibbij.exe
1264	Efaibbij.exe
2212	Emkaol32.exe
2212	Emkaol32.exe
2084	Eojnkg32.exe
2084	Eojnkg32.exe
1676	Ejobhppq.exe
1676	Ejobhppq.exe
1752	Emnndlod.exe
1752	Emnndlod.exe
380	Echfaf32.exe
380	Echfaf32.exe
2108	Fidoim32.exe
2108	Fidoim32.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ekgednng.dll	Eojnkg32.exe
File opened for modification	C:\Windows\SysWOW64\Echfaf32.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Khknah32.dll	Echfaf32.exe
File created	C:\Windows\SysWOW64\Nchnel32.dll	Oqkqkdne.exe
File created	C:\Windows\SysWOW64\Bllbijej.dll	Pjcabmga.exe
File created	C:\Windows\SysWOW64\Aamfnkai.exe	Alnqqd32.exe
File opened for modification	C:\Windows\SysWOW64\Enfenplo.exe	Ekhhadmk.exe
File created	C:\Windows\SysWOW64\Khjjpi32.dll	Behnnm32.exe
File created	C:\Windows\SysWOW64\Ednpej32.exe	Ehgppi32.exe
File opened for modification	C:\Windows\SysWOW64\Edpmjj32.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Fidoim32.exe
File created	C:\Windows\SysWOW64\Najgne32.dll	Emnndlod.exe
File opened for modification	C:\Windows\SysWOW64\Oqkqkdne.exe	Naajoinb.exe
File created	C:\Windows\SysWOW64\Bplpldoa.dll	Aamfnkai.exe
File created	C:\Windows\SysWOW64\Lbadbn32.dll	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Cgllco32.dll	Efaibbij.exe
File created	C:\Windows\SysWOW64\Lchkpi32.dll	Ekhhadmk.exe
File created	C:\Windows\SysWOW64\Echfaf32.exe	Emnndlod.exe
File opened for modification	C:\Windows\SysWOW64\Fidoim32.exe	Echfaf32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ekhhadmk.exe	Ednpej32.exe
File created	C:\Windows\SysWOW64\Pmdgmd32.dll	Enfenplo.exe
File opened for modification	C:\Windows\SysWOW64\Efaibbij.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Inegme32.dll	Ejobhppq.exe
File opened for modification	C:\Windows\SysWOW64\Obafnlpn.exe	Oqkqkdne.exe
File created	C:\Windows\SysWOW64\Naajoinb.exe	Mgnfhlin.exe
File created	C:\Windows\SysWOW64\Dhbfdjdp.exe	Baakhm32.exe
File created	C:\Windows\SysWOW64\Oghiae32.dll	Baakhm32.exe
File created	C:\Windows\SysWOW64\Bpbbfi32.dll	Ehgppi32.exe
File opened for modification	C:\Windows\SysWOW64\Emkaol32.exe	Efaibbij.exe
File created	C:\Windows\SysWOW64\Eojnkg32.exe	Emkaol32.exe
File opened for modification	C:\Windows\SysWOW64\Eojnkg32.exe	Emkaol32.exe
File created	C:\Windows\SysWOW64\Obafnlpn.exe	Oqkqkdne.exe
File opened for modification	C:\Windows\SysWOW64\Pjcabmga.exe	Obafnlpn.exe
File created	C:\Windows\SysWOW64\Bmfmjjgm.dll	Alnqqd32.exe
File created	C:\Windows\SysWOW64\Geemiobo.dll	Dhbfdjdp.exe
File created	C:\Windows\SysWOW64\Mgnfhlin.exe	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
File opened for modification	C:\Windows\SysWOW64\Naajoinb.exe	Mgnfhlin.exe
File created	C:\Windows\SysWOW64\Edpmjj32.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Efaibbij.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Ejobhppq.exe	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Oqkqkdne.exe	Naajoinb.exe
File created	C:\Windows\SysWOW64\Milokblc.dll	Obafnlpn.exe
File opened for modification	C:\Windows\SysWOW64\Alnqqd32.exe	Pjcabmga.exe
File created	C:\Windows\SysWOW64\Enfenplo.exe	Ekhhadmk.exe
File created	C:\Windows\SysWOW64\Emnndlod.exe	Ejobhppq.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File created	C:\Windows\SysWOW64\Cmeidehe.dll	Mgnfhlin.exe
File opened for modification	C:\Windows\SysWOW64\Aamfnkai.exe	Alnqqd32.exe
File opened for modification	C:\Windows\SysWOW64\Dhbfdjdp.exe	Baakhm32.exe
File created	C:\Windows\SysWOW64\Amfidj32.dll	Ednpej32.exe
File created	C:\Windows\SysWOW64\Dakmkaok.dll	Naajoinb.exe
File created	C:\Windows\SysWOW64\Alnqqd32.exe	Pjcabmga.exe
File created	C:\Windows\SysWOW64\Emkaol32.exe	Efaibbij.exe
File created	C:\Windows\SysWOW64\Fidoim32.exe	Echfaf32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnfhlin.exe	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
File opened for modification	C:\Windows\SysWOW64\Baakhm32.exe	Behnnm32.exe
File created	C:\Windows\SysWOW64\Ehgppi32.exe	Dhbfdjdp.exe
File opened for modification	C:\Windows\SysWOW64\Emnndlod.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Pjcabmga.exe	Obafnlpn.exe
File opened for modification	C:\Windows\SysWOW64\Ednpej32.exe	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Ekhhadmk.exe	Ednpej32.exe
File created	C:\Windows\SysWOW64\Oqkmbmdg.dll	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
File opened for modification	C:\Windows\SysWOW64\Behnnm32.exe	Aamfnkai.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
564	2132	WerFault.exe	50

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfmjjgm.dll"	Alnqqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjjpi32.dll"	Behnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khknah32.dll"	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aamfnkai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbadbn32.dll"	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnfhlin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllbijej.dll"	Pjcabmga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll"	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll"	Ekhhadmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll"	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakmkaok.dll"	Naajoinb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjcabmga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjcabmga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll"	Ednpej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Naajoinb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obafnlpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll"	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ednpej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchnel32.dll"	Oqkqkdne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aamfnkai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqkqkdne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Behnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll"	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alnqqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplpldoa.dll"	Aamfnkai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obafnlpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emkaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqkmbmdg.dll"	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnfhlin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enfenplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baakhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeidehe.dll"	Mgnfhlin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqkqkdne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Behnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baakhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alnqqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhbfdjdp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1556	2856	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe	28
PID 2856 wrote to memory of 1556	2856	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe	28
PID 2856 wrote to memory of 1556	2856	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe	28
PID 2856 wrote to memory of 1556	2856	[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe	28
PID 1556 wrote to memory of 1980	1556	Mgnfhlin.exe	29
PID 1556 wrote to memory of 1980	1556	Mgnfhlin.exe	29
PID 1556 wrote to memory of 1980	1556	Mgnfhlin.exe	29
PID 1556 wrote to memory of 1980	1556	Mgnfhlin.exe	29
PID 1980 wrote to memory of 1652	1980	Naajoinb.exe	30
PID 1980 wrote to memory of 1652	1980	Naajoinb.exe	30
PID 1980 wrote to memory of 1652	1980	Naajoinb.exe	30
PID 1980 wrote to memory of 1652	1980	Naajoinb.exe	30
PID 1652 wrote to memory of 2396	1652	Oqkqkdne.exe	31
PID 1652 wrote to memory of 2396	1652	Oqkqkdne.exe	31
PID 1652 wrote to memory of 2396	1652	Oqkqkdne.exe	31
PID 1652 wrote to memory of 2396	1652	Oqkqkdne.exe	31
PID 2396 wrote to memory of 1688	2396	Obafnlpn.exe	32
PID 2396 wrote to memory of 1688	2396	Obafnlpn.exe	32
PID 2396 wrote to memory of 1688	2396	Obafnlpn.exe	32
PID 2396 wrote to memory of 1688	2396	Obafnlpn.exe	32
PID 1688 wrote to memory of 2912	1688	Pjcabmga.exe	33
PID 1688 wrote to memory of 2912	1688	Pjcabmga.exe	33
PID 1688 wrote to memory of 2912	1688	Pjcabmga.exe	33
PID 1688 wrote to memory of 2912	1688	Pjcabmga.exe	33
PID 2912 wrote to memory of 2716	2912	Alnqqd32.exe	34
PID 2912 wrote to memory of 2716	2912	Alnqqd32.exe	34
PID 2912 wrote to memory of 2716	2912	Alnqqd32.exe	34
PID 2912 wrote to memory of 2716	2912	Alnqqd32.exe	34
PID 2716 wrote to memory of 2740	2716	Aamfnkai.exe	35
PID 2716 wrote to memory of 2740	2716	Aamfnkai.exe	35
PID 2716 wrote to memory of 2740	2716	Aamfnkai.exe	35
PID 2716 wrote to memory of 2740	2716	Aamfnkai.exe	35
PID 2740 wrote to memory of 1920	2740	Behnnm32.exe	36
PID 2740 wrote to memory of 1920	2740	Behnnm32.exe	36
PID 2740 wrote to memory of 1920	2740	Behnnm32.exe	36
PID 2740 wrote to memory of 1920	2740	Behnnm32.exe	36
PID 1920 wrote to memory of 1472	1920	Baakhm32.exe	37
PID 1920 wrote to memory of 1472	1920	Baakhm32.exe	37
PID 1920 wrote to memory of 1472	1920	Baakhm32.exe	37
PID 1920 wrote to memory of 1472	1920	Baakhm32.exe	37
PID 1472 wrote to memory of 2648	1472	Dhbfdjdp.exe	38
PID 1472 wrote to memory of 2648	1472	Dhbfdjdp.exe	38
PID 1472 wrote to memory of 2648	1472	Dhbfdjdp.exe	38
PID 1472 wrote to memory of 2648	1472	Dhbfdjdp.exe	38
PID 2648 wrote to memory of 1720	2648	Ehgppi32.exe	39
PID 2648 wrote to memory of 1720	2648	Ehgppi32.exe	39
PID 2648 wrote to memory of 1720	2648	Ehgppi32.exe	39
PID 2648 wrote to memory of 1720	2648	Ehgppi32.exe	39
PID 1720 wrote to memory of 1172	1720	Ednpej32.exe	40
PID 1720 wrote to memory of 1172	1720	Ednpej32.exe	40
PID 1720 wrote to memory of 1172	1720	Ednpej32.exe	40
PID 1720 wrote to memory of 1172	1720	Ednpej32.exe	40
PID 1172 wrote to memory of 1416	1172	Ekhhadmk.exe	41
PID 1172 wrote to memory of 1416	1172	Ekhhadmk.exe	41
PID 1172 wrote to memory of 1416	1172	Ekhhadmk.exe	41
PID 1172 wrote to memory of 1416	1172	Ekhhadmk.exe	41
PID 1416 wrote to memory of 1888	1416	Enfenplo.exe	42
PID 1416 wrote to memory of 1888	1416	Enfenplo.exe	42
PID 1416 wrote to memory of 1888	1416	Enfenplo.exe	42
PID 1416 wrote to memory of 1888	1416	Enfenplo.exe	42
PID 1888 wrote to memory of 1264	1888	Edpmjj32.exe	43
PID 1888 wrote to memory of 1264	1888	Edpmjj32.exe	43
PID 1888 wrote to memory of 1264	1888	Edpmjj32.exe	43
PID 1888 wrote to memory of 1264	1888	Edpmjj32.exe	43

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Mgnfhlin.exe
  C:\Windows\system32\Mgnfhlin.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\SysWOW64\Naajoinb.exe
    C:\Windows\system32\Naajoinb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\Oqkqkdne.exe
      C:\Windows\system32\Oqkqkdne.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\SysWOW64\Obafnlpn.exe
        
        C:\Windows\system32\Obafnlpn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\SysWOW64\Pjcabmga.exe
        
        C:\Windows\system32\Pjcabmga.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Alnqqd32.exe
        
        C:\Windows\system32\Alnqqd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Aamfnkai.exe
        
        C:\Windows\system32\Aamfnkai.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Behnnm32.exe
        
        C:\Windows\system32\Behnnm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Baakhm32.exe
        
        C:\Windows\system32\Baakhm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Dhbfdjdp.exe
        
        C:\Windows\system32\Dhbfdjdp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Ehgppi32.exe
        
        C:\Windows\system32\Ehgppi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Ednpej32.exe
        
        C:\Windows\system32\Ednpej32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Ekhhadmk.exe
        
        C:\Windows\system32\Ekhhadmk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Enfenplo.exe
        
        C:\Windows\system32\Enfenplo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Edpmjj32.exe
        
        C:\Windows\system32\Edpmjj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Efaibbij.exe
        
        C:\Windows\system32\Efaibbij.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Emkaol32.exe
        
        C:\Windows\system32\Emkaol32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Eojnkg32.exe
        
        C:\Windows\system32\Eojnkg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Echfaf32.exe
        
        C:\Windows\system32\Echfaf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Fidoim32.exe
        
        C:\Windows\system32\Fidoim32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        24⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 140
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aamfnkai.exe

Filesize
3.2MB

MD5
abc788a128b424f70a10fa1db000e95c

SHA1
6cfc78bddf492c53c9223980e46ba26b8a431a9e

SHA256
68bf02faa30a48a7464898e2cfdbad30e2c59401634f73edc892e729371a6757

SHA512
5b1fae359fed91f15ea18f85a6b9ff8d78ff48ea53d819c7cfd1327b38965de706bf947c199e4e1798a977a4ceab97dae7961609436bf1b118539e70fd34c986

Download Submit
C:\Windows\SysWOW64\Alnqqd32.exe

Filesize
3.2MB

MD5
2fc7fb864eb8d870161db53c7c1f3408

SHA1
ee4d3ea897394f9c8e24c9602a4f3abec851025e

SHA256
553d4e844cc16d69e5b45c2b70c79acdeaee04c276183791235ac4cda94193e2

SHA512
61df16b45ff7ecf7ac4aa455ae92c7b579851bd471f4ea2478df9cb6fe3f5e26066f7000c2f9a83a25942ee52b06350379654135af54ad3abf4487de7cd0cd8c

Download Submit
C:\Windows\SysWOW64\Baakhm32.exe

Filesize
3.2MB

MD5
3508568cfe0674a08828ed5274c954c3

SHA1
0afa2358af546a8e64313208650924279dadc8ec

SHA256
ae6bd606098f6c9a25bff650090f4a82765a0a7a6ea15734db1f6ff6efe8df08

SHA512
bf19a1b35b044f5dbbc1a37cd3d3f6fdeb32d51052f8b4a92a7207a540bd7070e1a7d1525c200b82abc905e5541fb5c9a362f5202c3c6871216e8af6295110a0

Download Submit
C:\Windows\SysWOW64\Behnnm32.exe

Filesize
3.2MB

MD5
c6ea2e81a7a912334af7e20f679e6e78

SHA1
e87e4532a28e62d009de6ba344d52b7d3c6913d3

SHA256
1afcc15b9f953375b8f581c0cd86f9948d889485ad68363e7c2fb2bbf30fad4a

SHA512
65530f0ed30e2a4207947a3f299dfaa52346047ce1befa4c7596b2e71876647aead7205c3e2943eabc6d10532fe0c320823407b2428d6ba5ff81752568eca010

Download Submit
C:\Windows\SysWOW64\Dhbfdjdp.exe

Filesize
3.2MB

MD5
cfe7ecc6caf8f91c5dc22cdf5a11a213

SHA1
65cc17eea26e36ee0fc0d71bd9b4bebafbcf4f32

SHA256
654d387a253a29f37106d2538daadb88ab67aab2fa5b12fad63dfb4a86f3f5af

SHA512
fcbf4891df9249e55201605639abd5c670cb58a0b16027b4b8eeea290d716d2146be1d4a2f8ac45f4d319ec74f08cc8b050b591d71560f955533c1482c68abd8

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
3.2MB

MD5
d00b8ee4648df213d673128179080c72

SHA1
08e4e808f9190e7b9616c41f59b282554a5063f8

SHA256
606813a466871b8d1a3584ba0e4da225ccad5d9f84a1d89bbf77baf90762cfd4

SHA512
77bce99004801beaf4d8a91fa3f7539332cab97a3d7444279c30575651a14ddee0a014a11111665b5f464869bbc7685831e2e00edab30f400b1c2bb96e4d2043

Download Submit
C:\Windows\SysWOW64\Ednpej32.exe

Filesize
3.2MB

MD5
ca0e95f87f2d0fc03a1b1120c332e1fe

SHA1
15944f2c8dd349f7b7902b07a23c6bd5a75ece49

SHA256
34cf1c5d0a397e055847d7315e6a18f63f85e5fa679a10632f27fbb959472a0d

SHA512
0d530daff327104d1f392a6aca040d229623f04db448d59f3bf72a005122bca609804f98e172c829dd690d660cabd625ed9bc33c6766bf88dfc31ad52138a184

Download Submit
C:\Windows\SysWOW64\Edpmjj32.exe

Filesize
3.2MB

MD5
b2f612397aeff599f5d143a200d0af4b

SHA1
1810f4f682eea84c57fe9a30be21c509020c683f

SHA256
265fbad6afaf00d50cca5525dc3243fcf9d85d4885dada8eb2e651dbc066fe95

SHA512
a7d6d65e168cbdeb9a59ec6e7624da4478ded638becb35535095ea9f73ece3c4642ed0da6e1dea79b9ab8967b36c98fba37c1677d9c9ae3662928b2b6f470e14

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
3.2MB

MD5
4b25b101c09f6739f88b53f6c2591e10

SHA1
a726355a6c6b86e6dc55f7dd5236c666763a4cef

SHA256
09284fef94a4e54906a43b40e7ec94fb2db9576674ba55e2217a4e96f2b28b08

SHA512
bf21b815c73cdff839d53002768ffe0a9143d7ee682858fdd6ebf435c1b78c13313aa32c404d2551784758037858fd391fbd936ac3864fde85a9565258fac7c0

Download Submit
C:\Windows\SysWOW64\Ehgppi32.exe

Filesize
3.2MB

MD5
fa46c6256e337fc74fd2971e969b8f45

SHA1
ddb9b24d8bd012fe12f5768e58ced906aed8931b

SHA256
3dd260b56f7a295eb0b884fd4e55d42f54501969023e2dd5766c3a82ce75b04d

SHA512
98b096b460cd9fede40f313961b0d5aa37a4bf049d5978a306cf0ef33bfe7a6bab42a7e98970ea9b4124d7052a409105eee6a7123f8d9bb05829d5f097f3026c

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
3.2MB

MD5
4d24a17bfae399fcc5083434b4f23c39

SHA1
13663dc2452f98bf4e2a01e1bd6b396e65531578

SHA256
81eff4c7a0fecbdb2f42bae1dcb3b49f4a540c61f2ffa24302921cc82764a279

SHA512
01c2b9aa8f0f567a4e9534aa372859545190a1bab38d1ba085cdc2ee075a320e56ca31ac728ae13083b2d5d57a92b365bbc93258bafa1952f67b20e953c1c936

Download Submit
C:\Windows\SysWOW64\Ekhhadmk.exe

Filesize
3.2MB

MD5
87efed30849666fcc722a6616995fcf3

SHA1
53a8e197de9ca9a34bc244e0c6e176085307b05c

SHA256
79f941fc09a25b533106c5fc8f60aaa206051c64661ebc5490d7bf476e35fa40

SHA512
bc3a840b512b1fd854873554c2a4b2de62e9f24493ad5511615dcb49826debdf3399f9c772569b41d7c9e9f15fc1ee2ad68435afe1ab09b8edc5887feb0e0c87

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
3.2MB

MD5
38367352dd54881911c236d4bbab01e3

SHA1
931a428332282e608da6c0aadaf648f200f64be2

SHA256
f685005bfdd5a9c755b877e8203d8dee4545e19ae84bb0fcb7cafdb26b648ba5

SHA512
20a431ae2b32016fc4e4a147b1e82a4dc50cb46699963a75ee8ccc7e552cf1c330beb8528dc76b38964f73d88f3a2516197958314621657be3a9fe1d358e025b

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
3.2MB

MD5
81db1bf5eab187dc07975b0cb7d86186

SHA1
996b6c3afabdfd56592fe77451155843ffb76763

SHA256
e73dae801e894e5572bdb53198c89361ff5f61a1231a7cc7da67776872e05281

SHA512
4ad7c766cef8319660cfcd99fbde30b310b97a9cdfd088d6e7866301d6a458ab1090784627c2572cc2e6586f774f91f632daa943eda6f6b8ff88dac4386ac349

Download Submit
C:\Windows\SysWOW64\Enfenplo.exe

Filesize
3.2MB

MD5
598462ffad09b18485cfdc5e6a2da3d0

SHA1
38e34030a276bb966dd738b63481f5ef0492c09b

SHA256
c3e902ae4e55c47bdfa33f2ba1c42e3b2e3ec66d3a48d5e62bb7edf320c73834

SHA512
ffa11133c115bacc98bcd8b81079dcf229e6fc1fe2542fb2d12987e378fc23106f41aa42efc4e5f96a6326c6828eeb35464628399f395910f8d1293ac7796bcc

Download Submit
C:\Windows\SysWOW64\Eojnkg32.exe

Filesize
3.2MB

MD5
ba1beb8a18fdd8c93ae695d394bfa986

SHA1
747b95384147a3fa150ae023c266008aaacdb468

SHA256
bbbbf2f3b71b763234d5210b5f312b2941f4f3a430f43ce90e237a3ce8625332

SHA512
747a6490bae3736ef317bdf7c875783d0740b5e9003886d32d8c9e54b8e8d432d48da0368ecf0793851cb37e9fa6dc5f5a49a40d91029bf30b0546043f724f2d

Download Submit
C:\Windows\SysWOW64\Fidoim32.exe

Filesize
3.2MB

MD5
3311aa3dd47f0c5e580e4cd8fb13550e

SHA1
19265ac5ff782bb66ab208349dd792f47a4198aa

SHA256
c2c523d5a61bb24985b8a0cd1415f154268d2c0bdb51fc0de80e906f7209a26d

SHA512
7e352d94066d8cfb902521a47b7cb0786bf275947a8b9f7c7e252f0e7736c23c54c097932d74a89e7034a27466dcaa11cfa1e712c4237f6e5124df9ce444b7bc

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
3.2MB

MD5
de9653e0b82a618a30c2fab0222cca7a

SHA1
66f068c734505bbe23051c60d603cc47fe924914

SHA256
d7035f28611d41c6e0152604bb412a7d113e52d762c4fd3109dcd851c48a5256

SHA512
34a263295256bf21a0103a642026b182b9bf9390843919427cd78fd77be0c0d8d9f4b39b43f98766c6e77f9a41702d0dadc5af6ee5847c0bd19af4c1c75a3e33

Download Submit
C:\Windows\SysWOW64\Milokblc.dll

Filesize
7KB

MD5
ce943976c80ab9d93e23b824a02ab9d2

SHA1
c82db5ec8f1c71847b7f0f73521c65e591b6db04

SHA256
18c40d9adb5f0da0b05f7c32393568f104958bf539a5bc5b88ffd8f4dd9fb6ed

SHA512
7e05376441c39461d24838e984b8bdf01cd1d7192f94486904526555aedb2424ec349d159bd111777023330dea0c3ff9569a6112a2d87147d78593b43e566227

Download Submit
C:\Windows\SysWOW64\Naajoinb.exe

Filesize
3.2MB

MD5
d86fb043806f8db2ee2e4124cea787be

SHA1
582d0eec2671fac214bc64bd53554531bc527a44

SHA256
7931d17970bcd40e5919fdd0c6071d2222eec892ed94be3849ef075614bfe5fa

SHA512
d78651f701f11c786ae668b89b1453f1878f815dfa0b5fe82237873456e0f2447943090eca2a5d318eea1aa622267d48975514e8741a32a9b339ab61af6c7afa

Download Submit
C:\Windows\SysWOW64\Pjcabmga.exe

Filesize
3.2MB

MD5
64ed7f0ac2c0ec4d6224d7e24b4aef3d

SHA1
6034fccf76e2e15ddc06be4feaf08fd847ca3ff2

SHA256
221492265615d61c3ee65c95303abc7b384e8eff3e85e9c0873f55fa530d0ba0

SHA512
fd817e5ab8d3cefc56bc356241218bab5c77c9c82ce7ef7d962f1c5c96826e7aa4395838c4f83af8eb97dd58a65180fdc34e350deef951b4c04e40e981c957f3

Download Submit
\Windows\SysWOW64\Mgnfhlin.exe

Filesize
3.2MB

MD5
24c1b4d71694db5faeebc97675e45f82

SHA1
b23aa4d41a67fc72661858fd2edbbe16da36713d

SHA256
485b5037f22f8ba43288330274b373cd695f835d2415ce1d23745cea191dc7c1

SHA512
bcf6d2e6f83448b55db0911d65cd815b10e38ab181d204534f1a57e9c6463598d94b9c5990558ff05564027feae83da0fcaf079bc0fdae93f9e7a5d190cd631a

Download Submit
\Windows\SysWOW64\Obafnlpn.exe

Filesize
3.2MB

MD5
0e7fb6bff51b43352c585d082eade5c5

SHA1
4eab36fa112507fecdc421ca9b1c44cec95fb948

SHA256
e4cd78883744a777cb18d4b7581e99aa0df29a731901ff016b6f10ee1702c32c

SHA512
3290e6dab8ff2f7d2c0558d125a754cffdc798a6897c4632e22f0164916c682da47631b25166572958d6b56c1010e180bda04ef9bf939dc956c2d76c79fd59c3

Download Submit
\Windows\SysWOW64\Oqkqkdne.exe

Filesize
3.2MB

MD5
dc7f8fd49549d52b67d42077b6b67e2f

SHA1
faaf8380d5de47993bc902e73a66c5227aa9046d

SHA256
f9eee200adb53f9d529ff4d69fa6c9186ea7ac65020a836c3a0a1facb53bf55e

SHA512
ec98e192e23c8915b255194c75e4a6b9de732664b26304af488ff2cfe337563235bb577f17971d61154719cb03895c13d79c3b2a948ced2fde82fa1b21e2aa3a

Download Submit
memory/380-296-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/380-295-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/380-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/380-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1172-186-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1172-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1264-237-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1264-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1264-238-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1416-213-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1416-202-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1416-212-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1416-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-313-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-160-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1472-159-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1472-142-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1556-25-0x0000000000370000-0x00000000003A6000-memory.dmp

Filesize
216KB

Download
memory/1556-26-0x0000000000370000-0x00000000003A6000-memory.dmp

Filesize
216KB

Download
memory/1556-307-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1652-67-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/1652-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1652-309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1652-68-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/1676-274-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1676-273-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1676-265-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1688-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1688-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1720-185-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/1720-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1720-184-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/1752-284-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1752-276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1752-285-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1752-319-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1888-214-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1888-231-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/1888-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1920-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1920-312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1980-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1980-41-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1980-35-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1980-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-254-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-263-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2084-264-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2108-303-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2108-304-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2108-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-321-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2212-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2212-252-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2212-253-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2212-318-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2396-71-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2396-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2648-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2648-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2716-117-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2716-118-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2716-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2716-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2740-126-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2740-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2740-127-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2856-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-6-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2856-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2912-97-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2912-98-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2912-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads