f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe
Size

219KB
MD5

f48f6b005e3d391488099206326263be
SHA1

e1d798acf38c99fe733ca91a3691f756637a08dc
SHA256

f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e
SHA512

0c6d3dbc257a2477f6d4d23dc4f2530695a6dd6a49d5f10e3c9133ead5c9a9bbb2e8169746ff0e1b50f0c28312781044736dbc35765f88c15c84ac8dd3afea01
SSDEEP

3072:3fv/eh/IRGFdwRrMLdPzwuZkO0aDb/IBPCOQvU6z314EXrjvwSfYrwBt:Wh/QGjLNzDOO0aDD4PCxdXXwSfYrwB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe

Executes dropped EXE 24 IoCs

pid	Process
4308	Aclpap32.exe
2032	Amddjegd.exe
908	Agjhgngj.exe
4268	Ajhddjfn.exe
4988	Amgapeea.exe
5000	Accfbokl.exe
4976	Bmkjkd32.exe
764	Bganhm32.exe
1392	Beeoaapl.exe
4236	Beglgani.exe
4192	Bnpppgdj.exe
4184	Bfkedibe.exe
2424	Chjaol32.exe
324	Cmgjgcgo.exe
1952	Cjkjpgfi.exe
3000	Cdcoim32.exe
2828	Cmlcbbcj.exe
4188	Cjpckf32.exe
2072	Cjbpaf32.exe
548	Dhfajjoj.exe
3116	Dfknkg32.exe
2840	Dkifae32.exe
64	Dhmgki32.exe
4544	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amddjegd.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3504	4544	WerFault.exe	104

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 4308	732	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe	81
PID 732 wrote to memory of 4308	732	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe	81
PID 732 wrote to memory of 4308	732	f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe	81
PID 4308 wrote to memory of 2032	4308	Aclpap32.exe	82
PID 4308 wrote to memory of 2032	4308	Aclpap32.exe	82
PID 4308 wrote to memory of 2032	4308	Aclpap32.exe	82
PID 2032 wrote to memory of 908	2032	Amddjegd.exe	83
PID 2032 wrote to memory of 908	2032	Amddjegd.exe	83
PID 2032 wrote to memory of 908	2032	Amddjegd.exe	83
PID 908 wrote to memory of 4268	908	Agjhgngj.exe	84
PID 908 wrote to memory of 4268	908	Agjhgngj.exe	84
PID 908 wrote to memory of 4268	908	Agjhgngj.exe	84
PID 4268 wrote to memory of 4988	4268	Ajhddjfn.exe	85
PID 4268 wrote to memory of 4988	4268	Ajhddjfn.exe	85
PID 4268 wrote to memory of 4988	4268	Ajhddjfn.exe	85
PID 4988 wrote to memory of 5000	4988	Amgapeea.exe	86
PID 4988 wrote to memory of 5000	4988	Amgapeea.exe	86
PID 4988 wrote to memory of 5000	4988	Amgapeea.exe	86
PID 5000 wrote to memory of 4976	5000	Accfbokl.exe	87
PID 5000 wrote to memory of 4976	5000	Accfbokl.exe	87
PID 5000 wrote to memory of 4976	5000	Accfbokl.exe	87
PID 4976 wrote to memory of 764	4976	Bmkjkd32.exe	88
PID 4976 wrote to memory of 764	4976	Bmkjkd32.exe	88
PID 4976 wrote to memory of 764	4976	Bmkjkd32.exe	88
PID 764 wrote to memory of 1392	764	Bganhm32.exe	89
PID 764 wrote to memory of 1392	764	Bganhm32.exe	89
PID 764 wrote to memory of 1392	764	Bganhm32.exe	89
PID 1392 wrote to memory of 4236	1392	Beeoaapl.exe	90
PID 1392 wrote to memory of 4236	1392	Beeoaapl.exe	90
PID 1392 wrote to memory of 4236	1392	Beeoaapl.exe	90
PID 4236 wrote to memory of 4192	4236	Beglgani.exe	91
PID 4236 wrote to memory of 4192	4236	Beglgani.exe	91
PID 4236 wrote to memory of 4192	4236	Beglgani.exe	91
PID 4192 wrote to memory of 4184	4192	Bnpppgdj.exe	92
PID 4192 wrote to memory of 4184	4192	Bnpppgdj.exe	92
PID 4192 wrote to memory of 4184	4192	Bnpppgdj.exe	92
PID 4184 wrote to memory of 2424	4184	Bfkedibe.exe	93
PID 4184 wrote to memory of 2424	4184	Bfkedibe.exe	93
PID 4184 wrote to memory of 2424	4184	Bfkedibe.exe	93
PID 2424 wrote to memory of 324	2424	Chjaol32.exe	94
PID 2424 wrote to memory of 324	2424	Chjaol32.exe	94
PID 2424 wrote to memory of 324	2424	Chjaol32.exe	94
PID 324 wrote to memory of 1952	324	Cmgjgcgo.exe	95
PID 324 wrote to memory of 1952	324	Cmgjgcgo.exe	95
PID 324 wrote to memory of 1952	324	Cmgjgcgo.exe	95
PID 1952 wrote to memory of 3000	1952	Cjkjpgfi.exe	96
PID 1952 wrote to memory of 3000	1952	Cjkjpgfi.exe	96
PID 1952 wrote to memory of 3000	1952	Cjkjpgfi.exe	96
PID 3000 wrote to memory of 2828	3000	Cdcoim32.exe	97
PID 3000 wrote to memory of 2828	3000	Cdcoim32.exe	97
PID 3000 wrote to memory of 2828	3000	Cdcoim32.exe	97
PID 2828 wrote to memory of 4188	2828	Cmlcbbcj.exe	98
PID 2828 wrote to memory of 4188	2828	Cmlcbbcj.exe	98
PID 2828 wrote to memory of 4188	2828	Cmlcbbcj.exe	98
PID 4188 wrote to memory of 2072	4188	Cjpckf32.exe	99
PID 4188 wrote to memory of 2072	4188	Cjpckf32.exe	99
PID 4188 wrote to memory of 2072	4188	Cjpckf32.exe	99
PID 2072 wrote to memory of 548	2072	Cjbpaf32.exe	100
PID 2072 wrote to memory of 548	2072	Cjbpaf32.exe	100
PID 2072 wrote to memory of 548	2072	Cjbpaf32.exe	100
PID 548 wrote to memory of 3116	548	Dhfajjoj.exe	101
PID 548 wrote to memory of 3116	548	Dhfajjoj.exe	101
PID 548 wrote to memory of 3116	548	Dhfajjoj.exe	101
PID 3116 wrote to memory of 2840	3116	Dfknkg32.exe	102

C:\Users\Admin\AppData\Local\Temp\f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe
"C:\Users\Admin\AppData\Local\Temp\f34b58ce07f3ed03435a19e114a7eca03ad4605968165c53d9c78b81b3bd2a3e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\SysWOW64\Aclpap32.exe
  C:\Windows\system32\Aclpap32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\Amddjegd.exe
    C:\Windows\system32\Amddjegd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\Agjhgngj.exe
      C:\Windows\system32\Agjhgngj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        25⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 216
        26⤵
        Program crash
        
        PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4544 -ip 4544
1⤵
PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
219KB

MD5
5974bad68b524bae85829c59f6f34812

SHA1
be6103d676340c1f244ac4e31b9e9ddcb9a3d79a

SHA256
7cbfb284068ab9159e0590fd19a8303267fdbea24dcd406b0406a52effdea238

SHA512
2d71d0fe72f7c6ef1f2d65c743efbe740fa790be64af3bee96a3f7ac55d949aa8c188d6d25c2a76f86ab9f704214e496da6e1cf3a0d3d05f65df154c6e4db315

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
219KB

MD5
d9f35e30af27235c1d8fa2d6d2273d5a

SHA1
ffe9b69a8d585296cdc934c88184ddab38b307c8

SHA256
d4cc33c8c669a0d6d493886efeaf8d3ef75a7212d9734d0fd5d9f7052a099b59

SHA512
1cd6518e129631a59cf29291b5e3e2eb2f3aaa50f0940feb232979dc50b8e5e96b38fc6b6cad06bf794f3adf8e3275a49d679e14bb4642ed431fc2e0bd9a3d53

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
219KB

MD5
b89023a5cfefe29bad9f109b54e0df7d

SHA1
084aff2e8a99f1c26b4469eac41cb3e564a8b6f9

SHA256
de2d23b94987a7189d07b24aaa8bd3a747fb9a1059218d4ec9a0b0daa3e50efe

SHA512
35f57c01d2e564adfc5351595a97d4cba1ce5ed1281e76b614d090b3739215f85398e20113a05a6a34464d3164eeb6e734e0bb5977834cec6a17cf786c9a59b9

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
219KB

MD5
386e5f810b68ad33ca20b679df7cad54

SHA1
f6f3845d0beaadb212b18da3d570894d5bdfc16f

SHA256
6f7c7bce6a5c0ace81c92ef22f480c51b2dd0dc24f90d9c400e863954d54b12b

SHA512
f269be0394ea0429307cc531a71d97c60d40f7e5eefc3a390a2fc8d3e243066dff23ea4f04fa8eb35286d598e6b4bfc4c65614fd7ff86d129a85232fcf143d4d

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
219KB

MD5
f8923e2123963cdf1760486e62ddb850

SHA1
b4a8a4f6177024fd1831f50adc1fdd4cfa61c285

SHA256
cf539327c761603d55f20d20355453b82594ed8b71806d5d60e8ebb15996774f

SHA512
073333322dc6ee2f311c286af2171709f78be81877bcd4886f96f2e3639ed7654c714bb7106f193088121d05ef1e51fd719e25e66fbdd29a731f740ada30a075

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
219KB

MD5
1e45eeb7d512d8237028e02bf8e8745b

SHA1
53d34fcf9b042b5c905e9e6fd4b9aa9054448b3f

SHA256
6a2d7853680bfacea19766dc1f18fbe7b96c86c638414882ac8426812e368c47

SHA512
9ad2380d2fa07a9b94b14ce65001dd203ac39d47a000505881909f374670d0d90a0cc5fa87c1010af3525f1abce779b5f57dcccbd7c13c96f4ef9d2432eeae57

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
219KB

MD5
1bedc4d9ef720f4b8d786c9c9e5c4b0c

SHA1
88ef1924b711fb64c4d5585201cda2555f548881

SHA256
edd172663fc400202e6590e39b70f509c2328c385d702567ab42879d1390afcd

SHA512
99fafd2ac6cb45d903cc539ccab8fe7ff241fa603ae9080ac8230a570ecc661f7235f625422133bad54439fbcbcdcdba554aa53f9ce0765d2b1cb85f7bca991f

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
219KB

MD5
9075c51831ff288da8a2f6110272a0fa

SHA1
17b93288bc1372e95be15ff6aee785be049570ca

SHA256
fb4c570b78efa043227d535e8c63e838611bd5b7b3a5e5f348bc1019a10b95d2

SHA512
d7e42cc08b6e0ed1e0159b3714f204ac2347e2d00530b0b24f387ee30b8135235da730b9118ded68f0e4b2e0634346076c1746c6f4a7ddce2f707fbedc2c46fe

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
219KB

MD5
6b32bd585db5d19a55e82dc2f3d327fb

SHA1
d6adbb0781ec9bc744896dcdf6d207b4fc885e72

SHA256
bfaf28ff53062a3702e6b5bc1aac4654052e58b47953ce99dd5d6512d23469aa

SHA512
8e4b9ad58bfb4236e832ad603e04fe3b7c314969703e99cb350cd88a3bd12718e003ede8528a65aee9af4c7bd1657a8fcb78847671aa8a08f449534be227702e

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
219KB

MD5
83063c9f51e9ed9b49167f71b4c1c83e

SHA1
a8222c5d77843fecd09593b0eb0361054f8bae9d

SHA256
ea27bc0090418e8d14ebeea8af06029e1ff652967c250c921186e97b0ef1b826

SHA512
95cc0615f81fca693a4642f0c0fefb47085efd8b61ed275e805129d59e32363fd342d5c55202dfe9baf1e81bec55a257ea0b990696a73f54cbaab94e0c8e0a34

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
219KB

MD5
fff5b6dc4bfce2edf19e267d45536578

SHA1
0eea066871669c947dff2572b556b9f8e3d9a1ec

SHA256
646441ad44a84c56307d1f020be6163a951e8df2cad885054b46ce7d10cc2b17

SHA512
7c0efc84f3533f01c63889025a70663f9875d4f98a8ddcac90b76f57e32cf905796cc0a6cbe2e35ab274cef6c52d9acba658703e75e318371f9b3ffb11b6598e

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
219KB

MD5
49613e22815aa5b040500a316854e499

SHA1
0963ea5718f30d95108139d3eeddd216b4a9a13e

SHA256
fc167c0c197fb7f779e24e2e5df74ed22c3f42db5549c6971fa7e071a94ad9b0

SHA512
c5c8ecb228dca669cb77fc71e2621e9b7b8b14cc54139f50844248d21e7e51dbae314dd0ff91cd41309a6330ba912a34a682b407da257cc8b577bedf3e0a1084

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
219KB

MD5
7d3486937e289aac73e408b063d6ef5f

SHA1
76fdb5598b30d289eb8635e8cd517b2f047b3843

SHA256
8f8e258de453b372fe65efbf928a2ba55b80b58f2f9afcd0667684d11fe3fa52

SHA512
07f3f24ac33afed06a1d44ce7b60bd80a6a2d6824752c586a3b4b38afaa66f316c3a09714c7034f70965b020cda9b53c7a6d4fc6cbeb1e4e79da40c5d7d9864d

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
219KB

MD5
0374695ff6d8613e5677e7b42229bad4

SHA1
e779c5cc6a1d8a1fb82183d50436b35fd7dedf5a

SHA256
0b045696abd96e5e0ff9ca0f5e2b3b382a8e08b355709614254caa9ada26e5e3

SHA512
2f094a354944c9dc36d6d95494fcbb880b7d7ab5284bf14524e480b1794e85ad683cf4073733542f7b74d7aaf1eef39d442fe03bcb17390213f319e6c97d894c

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
219KB

MD5
54a12d96f516def6277194bacd6297e9

SHA1
975e42561b4fbefb5cb63d71c449671c9776bb85

SHA256
d4f6d0f8bebf276d3c2a27e363eba2b9598c6d64ede7af9d8ab59a50c919a322

SHA512
2bd2284da526b9b2b404bdd0df430f22fcc290ba968ed1a5e39927cff1a05573178b10aa2996abe21b92d0d5f6e56229a007514a97353e6685a10bdb299e14c5

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
219KB

MD5
f378011e879403c516db7e1bc9f597f5

SHA1
65e8ef5c7b6e0d600ee81ded2858b7b11b1e930e

SHA256
903e169ae6f2a38d03979cfbff154d6da94f9eb6acf1ee2e95fd197de7900d04

SHA512
36d9f7d1dfa0fd3a21afc97096a0cd742868910ab6c905c2bc82d6cab2a8128e855472b8c434c51dfcf38d9b032beebea4367170efadf9d40c56a16b0cad2389

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
219KB

MD5
ee4d7dfde604850f578fdc8069737c72

SHA1
d2efb8c95cb7f31636f22ab73fb47ef433f2eb4f

SHA256
d1fe3f95941ea6c783c37f608855edc1e358a1e6827dc4e3c5b36bfdf7bc2352

SHA512
a39532fd9cfc3c29fdabec4ae3739e103086e05cdf17add3ae47538ecbea28da8a96791a714c58d3d683a4862ad1396f5de9e796a4c10fff81adb51c57b281f8

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
219KB

MD5
48930f43a34aee1c8dc9474b86fd133d

SHA1
cb367a0b078bb090d2e75dd5f06d54f92bcac1dc

SHA256
cfa220fe0833b2f589a6978db16f32e3f152791596ffae728add7e0861cdaa76

SHA512
dfea6dabd04a82cabcfd86344bf149eabc8748b3207d9a4cf21e8b8973b132fed94c88246e674dbebb490e1a4b778910efa5b1ddf82c2449f75762599778a924

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
219KB

MD5
a5d3d7fdc6c77634c3c0dae9f4897b65

SHA1
7849d2df4a84baa52b35bd62a0fe0b54aa51fa7f

SHA256
52ef58d8ab0ccb1cfcb021972ee3f9177c4730c2aad432c12614d43474d81967

SHA512
09a98415af6fb0faa0a7d5b6fcccb6782a299e90a0facf45a1bda56e51cc6d420f77179ab9d09fae16bc68207e95f75f4f069961139eff03b9242be3411f22ba

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
219KB

MD5
5ce8dc97670a25f42b1cc7fbb8ed25f9

SHA1
38e2e936d86a3b6dd12db194b99cbc5fea2b5aa8

SHA256
4210cc0623cb9f4b550b2556f52d2c3f84dd29cf9ed8eba5ab7bf144dc40e9d9

SHA512
18641728a2c6457282ac5772d2feba4e038c17e2bc13d6a2ffa2a6123218bf97e38629e7437ce6b9c54e6491aca290950db008a905940f310b67e3edc4a70fdd

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
219KB

MD5
b2b85d24f0c842c96a0b2e953dffa2ce

SHA1
950fbe80495e6edb9dbceccb0bb3e6677467e689

SHA256
8af7eefeed62c3f29b96b6a501f2a8a71bae8d673e68c889a2439332b85cc7bc

SHA512
4233f542f0e868f25e36b9bc66e3bcd1b1ae817e8cd117564b5ce99ed6fb6b6c8b8ccd9293e6807006a9f87e1ab35c1e5779fb8a6795984b64f61ebff0a6d87d

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
219KB

MD5
0fbb7963de947d871467eebcaf41295c

SHA1
c7926a6c13db9d6494b09a449cfa985e9d3b55a5

SHA256
98e178c43c4059322c2f5408c256be61110737cd9918c5c081015128da08ad18

SHA512
dc7485424686a4efd6e3961246ae4645128175b4508ac758c2a3b3003287e94c81b4a5f069204868906eba5bf7e56be0c8af270ba0681a1c7fb4e2cf48bb77a3

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
219KB

MD5
9832278310663ea94fc01d3c98312223

SHA1
83fe1169c835763547c240138fd723eb3a55ff16

SHA256
124278f4722b958015db0f194b170d45f34d319ac0304a393aaf202e560b4035

SHA512
bc45d899d0ccd833c696e565c5f5ef20bf9e7510f97c27a4680dd9fb8bcb477c272de47ef2d07be011bf6637247ac9a47e9d9b230f0da7135307baf7d6bfc80f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
219KB

MD5
01e943361df5244649e0bf49da5ef77c

SHA1
e67ac9f96a38b0c59a73b21b223b4f22c6779be3

SHA256
07d9425b37cf252d763d7586a3eb78e343bc8b617cc2ba7082d8d3b5bd06d60e

SHA512
9959f0325becb85ababcc3d91208324ad326dd660324aeb91fac525de6c9fe8ce34f424edc9c968087d8ee95627963582b2042e2b92a9c20fe53dc0f3f95324d

Download Submit
memory/64-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/64-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/324-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/324-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-201-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/732-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/732-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/764-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/764-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/908-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-209-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4184-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4184-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4308-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4308-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads