14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
Size

49KB
MD5

1197964fe4b791343553ced48542713e
SHA1

8b6de1e1a9c55c3f00b77d45af4c5ee361eeb51b
SHA256

14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558
SHA512

0a32130040d0930811f3330316433d677916cacdac27ad3276ff4c0cebd578cafd3379a1f07aa4a61ae0ef723eff2a733cc101f5dd3edc965d242ed16ed88318
SSDEEP

768:E5FAy1oY7x+YETfoJh8PxfuSD4mlbt5RqzUCj4/1H5uu2Xdnh:EfjoqrETfoJhoxm1mFtfqzt6cH

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cibain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpjoloh.exe

Executes dropped EXE 20 IoCs

pid	Process
2948	Bagmdllg.exe
4196	Bdeiqgkj.exe
612	Cibain32.exe
1928	Cpljehpo.exe
2284	Cgfbbb32.exe
4660	Cmpjoloh.exe
3308	Cdjblf32.exe
2116	Cigkdmel.exe
732	Cancekeo.exe
4156	Ccppmc32.exe
2504	Ciihjmcj.exe
4600	Cpcpfg32.exe
1480	Ccblbb32.exe
1932	Cildom32.exe
4820	Cpfmlghd.exe
4352	Ccdihbgg.exe
1316	Dkkaiphj.exe
4904	Dphiaffa.exe
3976	Dgbanq32.exe
2352	Diqnjl32.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gfchag32.dll	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Cmpjoloh.exe
File opened for modification	C:\Windows\SysWOW64\Ccppmc32.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Nppbddqg.dll	Cpcpfg32.exe
File opened for modification	C:\Windows\SysWOW64\Ccdihbgg.exe	Cpfmlghd.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
File opened for modification	C:\Windows\SysWOW64\Cibain32.exe	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Cgfbbb32.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Cibain32.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Ogajpp32.dll	Cgfbbb32.exe
File opened for modification	C:\Windows\SysWOW64\Cigkdmel.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Aldjigql.dll	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Jnblgj32.dll	Cancekeo.exe
File opened for modification	C:\Windows\SysWOW64\Ccblbb32.exe	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Dgbanq32.exe	Dphiaffa.exe
File opened for modification	C:\Windows\SysWOW64\Cpljehpo.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Cmpjoloh.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Ccdihbgg.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Efoope32.dll	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Nlkppnab.dll	Dphiaffa.exe
File opened for modification	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Anbgamkp.dll	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Bdbbme32.dll	Cibain32.exe
File opened for modification	C:\Windows\SysWOW64\Cancekeo.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Ccblbb32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmlghd.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Cpljehpo.exe	Cibain32.exe
File opened for modification	C:\Windows\SysWOW64\Cpcpfg32.exe	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Cildom32.exe	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Bcidlo32.dll	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Bagmdllg.exe	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Lljoca32.dll	Cildom32.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Ccdihbgg.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Ccppmc32.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Cgfbbb32.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Jmbpjm32.dll	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Cpfmlghd.exe	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Ccdihbgg.exe
File opened for modification	C:\Windows\SysWOW64\Cmpjoloh.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Cpcpfg32.exe	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Ciihjmcj.exe	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dgbanq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	2352	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccppmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljehpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cildom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccdihbgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcpfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfbbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihjmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpjoloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigkdmel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagmdllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkppnab.dll"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiplni32.dll"	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbpjm32.dll"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbbme32.dll"	Cibain32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Ccblbb32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2948	5088	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe	90
PID 5088 wrote to memory of 2948	5088	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe	90
PID 5088 wrote to memory of 2948	5088	14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe	90
PID 2948 wrote to memory of 4196	2948	Bagmdllg.exe	91
PID 2948 wrote to memory of 4196	2948	Bagmdllg.exe	91
PID 2948 wrote to memory of 4196	2948	Bagmdllg.exe	91
PID 4196 wrote to memory of 612	4196	Bdeiqgkj.exe	92
PID 4196 wrote to memory of 612	4196	Bdeiqgkj.exe	92
PID 4196 wrote to memory of 612	4196	Bdeiqgkj.exe	92
PID 612 wrote to memory of 1928	612	Cibain32.exe	93
PID 612 wrote to memory of 1928	612	Cibain32.exe	93
PID 612 wrote to memory of 1928	612	Cibain32.exe	93
PID 1928 wrote to memory of 2284	1928	Cpljehpo.exe	94
PID 1928 wrote to memory of 2284	1928	Cpljehpo.exe	94
PID 1928 wrote to memory of 2284	1928	Cpljehpo.exe	94
PID 2284 wrote to memory of 4660	2284	Cgfbbb32.exe	96
PID 2284 wrote to memory of 4660	2284	Cgfbbb32.exe	96
PID 2284 wrote to memory of 4660	2284	Cgfbbb32.exe	96
PID 4660 wrote to memory of 3308	4660	Cmpjoloh.exe	97
PID 4660 wrote to memory of 3308	4660	Cmpjoloh.exe	97
PID 4660 wrote to memory of 3308	4660	Cmpjoloh.exe	97
PID 3308 wrote to memory of 2116	3308	Cdjblf32.exe	98
PID 3308 wrote to memory of 2116	3308	Cdjblf32.exe	98
PID 3308 wrote to memory of 2116	3308	Cdjblf32.exe	98
PID 2116 wrote to memory of 732	2116	Cigkdmel.exe	100
PID 2116 wrote to memory of 732	2116	Cigkdmel.exe	100
PID 2116 wrote to memory of 732	2116	Cigkdmel.exe	100
PID 732 wrote to memory of 4156	732	Cancekeo.exe	101
PID 732 wrote to memory of 4156	732	Cancekeo.exe	101
PID 732 wrote to memory of 4156	732	Cancekeo.exe	101
PID 4156 wrote to memory of 2504	4156	Ccppmc32.exe	102
PID 4156 wrote to memory of 2504	4156	Ccppmc32.exe	102
PID 4156 wrote to memory of 2504	4156	Ccppmc32.exe	102
PID 2504 wrote to memory of 4600	2504	Ciihjmcj.exe	103
PID 2504 wrote to memory of 4600	2504	Ciihjmcj.exe	103
PID 2504 wrote to memory of 4600	2504	Ciihjmcj.exe	103
PID 4600 wrote to memory of 1480	4600	Cpcpfg32.exe	104
PID 4600 wrote to memory of 1480	4600	Cpcpfg32.exe	104
PID 4600 wrote to memory of 1480	4600	Cpcpfg32.exe	104
PID 1480 wrote to memory of 1932	1480	Ccblbb32.exe	105
PID 1480 wrote to memory of 1932	1480	Ccblbb32.exe	105
PID 1480 wrote to memory of 1932	1480	Ccblbb32.exe	105
PID 1932 wrote to memory of 4820	1932	Cildom32.exe	106
PID 1932 wrote to memory of 4820	1932	Cildom32.exe	106
PID 1932 wrote to memory of 4820	1932	Cildom32.exe	106
PID 4820 wrote to memory of 4352	4820	Cpfmlghd.exe	108
PID 4820 wrote to memory of 4352	4820	Cpfmlghd.exe	108
PID 4820 wrote to memory of 4352	4820	Cpfmlghd.exe	108
PID 4352 wrote to memory of 1316	4352	Ccdihbgg.exe	109
PID 4352 wrote to memory of 1316	4352	Ccdihbgg.exe	109
PID 4352 wrote to memory of 1316	4352	Ccdihbgg.exe	109
PID 1316 wrote to memory of 4904	1316	Dkkaiphj.exe	110
PID 1316 wrote to memory of 4904	1316	Dkkaiphj.exe	110
PID 1316 wrote to memory of 4904	1316	Dkkaiphj.exe	110
PID 4904 wrote to memory of 3976	4904	Dphiaffa.exe	111
PID 4904 wrote to memory of 3976	4904	Dphiaffa.exe	111
PID 4904 wrote to memory of 3976	4904	Dphiaffa.exe	111
PID 3976 wrote to memory of 2352	3976	Dgbanq32.exe	112
PID 3976 wrote to memory of 2352	3976	Dgbanq32.exe	112
PID 3976 wrote to memory of 2352	3976	Dgbanq32.exe	112

C:\Users\Admin\AppData\Local\Temp\14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe
"C:\Users\Admin\AppData\Local\Temp\14f6f0179b6cb097db50d2d0926ca721b0fc48c242d20026a65cb05805a8b558.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\Bagmdllg.exe
  C:\Windows\system32\Bagmdllg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\Bdeiqgkj.exe
    C:\Windows\system32\Bdeiqgkj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\SysWOW64\Cibain32.exe
      C:\Windows\system32\Cibain32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:612
    - - C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 400
        22⤵
        Program crash
        
        PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2352 -ip 2352
1⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
49KB

MD5
9389a2e58d792658909e92ea5c911952

SHA1
02b48a2c27c47d61f280404d7600f5bf7e34c3be

SHA256
9853599e5bf098457d35299b21f946506b0d8b606730cb34b3b0928966cc2e79

SHA512
d3e53c848a70517c51e42e01e0b8fb2738bbbb3b666359bedbca6aac861e70a69a5f27eba7b0a0a07d29b62a3922fa0ba2549c8daaf65767da26a87e745e8e76

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
49KB

MD5
5e41bc4c87451fc21f8670bbbf07b13b

SHA1
7b60aa943114152a464920aee67be1b2c24a5639

SHA256
aea78a3370cb6473abf295c494c3649f8892be4fe1e5f456cda54cfc7da694e7

SHA512
d597b7e35b1f834b54eb1d26a4327fc2a31922eda100429da2d11cf5e2a7aff8b4af1d1c14379d627433e2de83c1e13778680149d5bf62fa33a708158196a85d

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
49KB

MD5
4e3ffb51d56865fa85811f5ee8626ff0

SHA1
0b997f358595f26a6e3db342818cd16453aff141

SHA256
a28ff963d4604bd5132d76232f498d6c9a57351bf2700890dced9a4c6af9d9c4

SHA512
11e3df1b5c28a77f862c2c4e7c8279b2053b72626ba217eed84f5976f2e62d30c9c647cf859f9f7cc34634f017c6d827434910955dd31c1bb15e49284e81bd51

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
49KB

MD5
993b6d5e0b4b0576c14ff50c011a52f9

SHA1
399122965de0464a112465cafa09c57d6631f39e

SHA256
ccc01a2c4a5dabf1c868abf1f2edc49ee307da05d1b3a173addddd82e2475f15

SHA512
f4948ddb96d3531cb3a579d1be23ba7356f7bc7b0ce33f51bb37c1e204f6658dbd448999dae946ed4232134de4cc644da692748fe2aaa4ad9ddbfb7c4e2da92f

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
49KB

MD5
e3e844aace8ee65d4db147ad30620fab

SHA1
484b5af5d2007414870ce95195a7ffb3cc23222b

SHA256
3d0aa3b7eef7ab7473793bf514e52bf1741f3b3453bcdb85272292bb12c0afa8

SHA512
da5acc6d961da695ac682812218d95f1f9d793712474573cc3eecac56002168c652a33048173b2ea307f166174937d4a1867a3d9e4b1ca27ccd9f48e5cf6f6fa

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
49KB

MD5
c289007973f6f22112b804c9389f2c49

SHA1
0770a4762fd44db5c073b1f9475eaf2c4482485c

SHA256
79370d2c3d2330c9da77816b46227b4590b01a78359fbe02a07620dffa139611

SHA512
b53c608ebeb32a36383501ffd1b1bae2851f6566ddf8be70dd2dbba80f43343d874008ce187285e14926366e130066316d36bcfdc6301de708528b929d6d61b2

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
49KB

MD5
cb52ae8f4d268bfdccda4c971e6287a7

SHA1
7e21dbe1373d11032830de130376a488b744de15

SHA256
a84debdd7fafb66e3392e1fea1cc9a7f811db507783a8cfcf6c337bebf953ef3

SHA512
8cad4088de2d19cafe8d1c3b691042cf63e57bd6cc5c7bf3f416f0d3d584edc295d54e50b10103f8bfc681ce626955dc9e4081ab9a1c8b1bea85a8ea02f5b14b

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
49KB

MD5
69628420a81c95f8b5842e8e50f9c55a

SHA1
be83a165b5ff685e19835dad76a3ffe3cfcc1655

SHA256
1292540bc868e55e34658f3d02db4612d2308ab25be7acadc3f8ac91a3b4cad3

SHA512
b1a6300e605c879b87252b65eb46a405c1104771db6bfe4bf3d7621480b71dbd65a4a9a7a1a4f53fe29689aa7289b20bb5d93f0748805cd02a58793d6c5cf8fb

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
49KB

MD5
c92f734c6100ffd2f106e7ae1bfca8f0

SHA1
308c2e52a0d2de65f9fc279212868e4fe456bfd6

SHA256
9f84feae7ef08632f8a6daec358de009f0cbee67e287848ef1930faf1a8b345f

SHA512
9bfa412623334aa68781b8393638df51d246de1220f101e1d2cf58c284c433bfe6d5fc87f8d9f6ae3e4e37d4e6c5800f95f79b45bc31a7b89d12675a5ba390a7

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
49KB

MD5
23cd09149fdbafb62bde06d04d296875

SHA1
4b15607c73a0917c36a1b602003bdcadf6be6626

SHA256
b353bd59d5a529654d32e79872da18005c31e3f048521b1fedc8281ee8a1aec0

SHA512
56fd2beec0beedaaf15f885ddde872ca394accafb5ea12cb9371b9c8619a5807e2526c244fafde60a742f7f0001fde11a1fa50e1f624676534d7c7fd8af6ace1

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
49KB

MD5
d11df7b5203ac89d4715fe684142eb3d

SHA1
b5efd46fd8f22574f44ad852582b44044c7760b8

SHA256
9b4a769d327b9ea8fede791aa75084ded623e819e1ed0cbb9a40ad1468db67e1

SHA512
0b655beee55bb6252546723206e117a42d6c297cd3e32291a87ce80d01a6d7cd7cbf6762c4989d94ebe19e30e73d781b897bb1c16ab64278a4f856414928feda

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
49KB

MD5
42b90664a6ee4276ecb856a5affc9f3a

SHA1
f436ca239ce647203f3383fb7914818c0b3698d0

SHA256
e5b37548f1451942b0afc7bcc8826745a9a2739d8ac82cc371782ed658e45b47

SHA512
6a2d54acbd2368b003602b775a03b2ac6effaeca5390ada4aa982714fae0ad61994f0807e0068161837f8e0bcf72c00b8d69a16c615ddf0ccb14e1f26881e502

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
49KB

MD5
e8b426f7ca8c68e7f5a2706adc33138e

SHA1
3b0afe522fa0e92d0efbd1aa343f111eab6031f8

SHA256
cffaf2fc8fd44b173cc2f6f8922dacd6b07f9a627012ac5991784cc8e6e0bf9f

SHA512
6a6b59334de08625bf6477ced04feb24671e96a9961a814c0156f9e1d9fb43e6c269ea7ffc24911b840ff6b703fc90651b58263f019c1a85ab2a165e9a32e95f

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
49KB

MD5
2ed346be8530d043a39baa686f49bb3a

SHA1
6ca77fd25ca4cbe454aff9d2ea3c61f9dfb5722d

SHA256
46c84972b5f389f177a7de1f4d426201e6a7a5c1a60966d290827d0b29bf35d9

SHA512
9501c1d999fa2350551678438512327dee7fce2fe97cc1a1f04cede6b4913d4ba54c5adbe16e4fe2caf202cc2f3efaa7faa236525cd013976907505177024f38

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
49KB

MD5
b4732d7261ab97e51ae3a6e1f1856d03

SHA1
d98c3158c525de205bb52ca567931fe8c587525f

SHA256
be69a6374322fc20ea1bc89ff1c7decd6a119729fabe7db0bdc676a6fd9530c4

SHA512
d526705f982b3ab0584fcefc2fab039ac46860418c058b6bc6e2d9a7891d72009c74211404a6dfb66ceeab3bb613b8acae093c6fbd4af9921a8081b0c4872865

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
49KB

MD5
3a99801647fcade9ce13eef9642610b0

SHA1
44aae4538d4e525ecd65f782d5678b6e64c3d990

SHA256
3d23f1ab2e5fee052bd2fbf4860895b85096cf73defcc8d7526eb9cc1c1b0182

SHA512
daea5e3b779fe06cb297b6218f72974780dd08db8ed3ec5fde0df222af1e4da0dc4a5c40f7c6c637e7d4b000e73864e304ebae4666196eacca171826c5a5de78

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
49KB

MD5
1bb2396d6358a50df4afbdf0972f5b89

SHA1
5b27b3e6779bdf649f2dfbbcaaf986ac438f7b11

SHA256
0a52947ac2b1ea9d67d1991fcc5e67848c650585f63ab6ed23079dfd24dabee4

SHA512
93c2ea4b63005f21c7787f1c2934373e9e25813069931dc903191f8e08b222aa6f24b011bc97502e02a128c6d0de3240c511df7d1996eaddb713a9c3bf17a537

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
49KB

MD5
5f68f8f738f50c6cb28d739639296587

SHA1
2e02d643dd15bf26d7e0a8e5fd88e11f6721d9b2

SHA256
695a736bfd0e7de1320ed3833e3b600b1cb34ba7b0b7f5ead4ffb874b8674c8b

SHA512
be7077f7b7452679612f4d45fbedaaad88e1fb82719e2e2376c649401a692d07b79afea08d76f986933b0b5f5a84c91815a8f9a2cf4ee1f634db8b5987cd56a6

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
49KB

MD5
379a0ecb8d9c0152de451e29d29bbf08

SHA1
119c0f2722574fd0f3a0e783bbe3e5414e9ed040

SHA256
0d8a244eecd2a28763a1710cbe2bb7fdacbc2340363f1a04f2109e61e6ab46a4

SHA512
f5ea9598e158b17ebd0b6580ff600fe7d6bb88586684b183bfb49d3bde38a7a86866b12b44ede6c2c295c6c98e889c5094fd4f4c45837d437f4e35a0f0ff627c

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
49KB

MD5
70163120c7353b9ec8247575f89b26c3

SHA1
f28879d32d8d8d7ce7699b9496daadf2d569346a

SHA256
0434995a6526ce581d69fd1ea9908db7dad0421f60db4db28a334c7e576dee89

SHA512
232ec12ac5c2808abaaeb46519f4e381bebd4f285af760266cb0a32c66935708aaff54e746bbbd82fed52771215ed88da6eb2fcfea394ed9008f8379418f5f40

Download Submit
memory/612-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/612-194-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/732-72-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/732-183-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-137-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1480-175-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1480-105-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1928-37-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1932-173-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1932-112-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2116-185-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2116-65-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2284-192-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2284-41-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2352-161-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2352-163-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2504-89-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2504-179-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2948-198-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2948-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3308-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3308-187-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3976-153-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3976-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4156-81-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4156-181-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4196-196-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4196-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4352-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4600-97-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4600-177-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4660-189-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4660-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4820-121-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4820-171-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4904-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4904-145-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5088-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5088-200-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5088-5-0x000000000042F000-0x0000000000430000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads