d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46

Analysis

max time kernel
134s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe
Size

520KB
MD5

e6326d1fac4b54ce3fee2c8eea5c18fd
SHA1

52294dd88d8c32c9590aae3c7640dbd26b85021b
SHA256

d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46
SHA512

23f4b8835c9cf281065bb6cd2f379f94168188341548b7c93f0adde215e6e3639af4a695d39b6e757fdccf717f2bf37a23173899e83035bffef184472c7bb401
SSDEEP

6144:oCYnWlIFM6234lKm3mo8Yvi4KsLTFM6234lKm3r8SeNpgdyuH1lZfRo0V8JcgEH:rsFB24lwR45FB24lJ87g7/VycgEH

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe

Executes dropped EXE 23 IoCs

pid	Process
4312	Bcebhoii.exe
1920	Bfdodjhm.exe
2264	Bjagjhnc.exe
3872	Bmpcfdmg.exe
612	Beglgani.exe
1460	Bnbmefbg.exe
4960	Belebq32.exe
3116	Chjaol32.exe
3256	Cabfga32.exe
4492	Cenahpha.exe
4564	Cnffqf32.exe
3568	Caebma32.exe
1492	Cmnpgb32.exe
1488	Ceehho32.exe
4736	Cmqmma32.exe
1524	Dhfajjoj.exe
4656	Ddmaok32.exe
3156	Daqbip32.exe
3596	Dodbbdbb.exe
4300	Ddakjkqi.exe
3944	Dkkcge32.exe
2768	Dmjocp32.exe
2188	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cenahpha.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4356	2188	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dmjocp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 4312	2136	d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe	84
PID 2136 wrote to memory of 4312	2136	d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe	84
PID 2136 wrote to memory of 4312	2136	d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe	84
PID 4312 wrote to memory of 1920	4312	Bcebhoii.exe	85
PID 4312 wrote to memory of 1920	4312	Bcebhoii.exe	85
PID 4312 wrote to memory of 1920	4312	Bcebhoii.exe	85
PID 1920 wrote to memory of 2264	1920	Bfdodjhm.exe	86
PID 1920 wrote to memory of 2264	1920	Bfdodjhm.exe	86
PID 1920 wrote to memory of 2264	1920	Bfdodjhm.exe	86
PID 2264 wrote to memory of 3872	2264	Bjagjhnc.exe	87
PID 2264 wrote to memory of 3872	2264	Bjagjhnc.exe	87
PID 2264 wrote to memory of 3872	2264	Bjagjhnc.exe	87
PID 3872 wrote to memory of 612	3872	Bmpcfdmg.exe	88
PID 3872 wrote to memory of 612	3872	Bmpcfdmg.exe	88
PID 3872 wrote to memory of 612	3872	Bmpcfdmg.exe	88
PID 612 wrote to memory of 1460	612	Beglgani.exe	91
PID 612 wrote to memory of 1460	612	Beglgani.exe	91
PID 612 wrote to memory of 1460	612	Beglgani.exe	91
PID 1460 wrote to memory of 4960	1460	Bnbmefbg.exe	92
PID 1460 wrote to memory of 4960	1460	Bnbmefbg.exe	92
PID 1460 wrote to memory of 4960	1460	Bnbmefbg.exe	92
PID 4960 wrote to memory of 3116	4960	Belebq32.exe	93
PID 4960 wrote to memory of 3116	4960	Belebq32.exe	93
PID 4960 wrote to memory of 3116	4960	Belebq32.exe	93
PID 3116 wrote to memory of 3256	3116	Chjaol32.exe	95
PID 3116 wrote to memory of 3256	3116	Chjaol32.exe	95
PID 3116 wrote to memory of 3256	3116	Chjaol32.exe	95
PID 3256 wrote to memory of 4492	3256	Cabfga32.exe	96
PID 3256 wrote to memory of 4492	3256	Cabfga32.exe	96
PID 3256 wrote to memory of 4492	3256	Cabfga32.exe	96
PID 4492 wrote to memory of 4564	4492	Cenahpha.exe	97
PID 4492 wrote to memory of 4564	4492	Cenahpha.exe	97
PID 4492 wrote to memory of 4564	4492	Cenahpha.exe	97
PID 4564 wrote to memory of 3568	4564	Cnffqf32.exe	98
PID 4564 wrote to memory of 3568	4564	Cnffqf32.exe	98
PID 4564 wrote to memory of 3568	4564	Cnffqf32.exe	98
PID 3568 wrote to memory of 1492	3568	Caebma32.exe	99
PID 3568 wrote to memory of 1492	3568	Caebma32.exe	99
PID 3568 wrote to memory of 1492	3568	Caebma32.exe	99
PID 1492 wrote to memory of 1488	1492	Cmnpgb32.exe	100
PID 1492 wrote to memory of 1488	1492	Cmnpgb32.exe	100
PID 1492 wrote to memory of 1488	1492	Cmnpgb32.exe	100
PID 1488 wrote to memory of 4736	1488	Ceehho32.exe	101
PID 1488 wrote to memory of 4736	1488	Ceehho32.exe	101
PID 1488 wrote to memory of 4736	1488	Ceehho32.exe	101
PID 4736 wrote to memory of 1524	4736	Cmqmma32.exe	102
PID 4736 wrote to memory of 1524	4736	Cmqmma32.exe	102
PID 4736 wrote to memory of 1524	4736	Cmqmma32.exe	102
PID 1524 wrote to memory of 4656	1524	Dhfajjoj.exe	103
PID 1524 wrote to memory of 4656	1524	Dhfajjoj.exe	103
PID 1524 wrote to memory of 4656	1524	Dhfajjoj.exe	103
PID 4656 wrote to memory of 3156	4656	Ddmaok32.exe	104
PID 4656 wrote to memory of 3156	4656	Ddmaok32.exe	104
PID 4656 wrote to memory of 3156	4656	Ddmaok32.exe	104
PID 3156 wrote to memory of 3596	3156	Daqbip32.exe	105
PID 3156 wrote to memory of 3596	3156	Daqbip32.exe	105
PID 3156 wrote to memory of 3596	3156	Daqbip32.exe	105
PID 3596 wrote to memory of 4300	3596	Dodbbdbb.exe	106
PID 3596 wrote to memory of 4300	3596	Dodbbdbb.exe	106
PID 3596 wrote to memory of 4300	3596	Dodbbdbb.exe	106
PID 4300 wrote to memory of 3944	4300	Ddakjkqi.exe	107
PID 4300 wrote to memory of 3944	4300	Ddakjkqi.exe	107
PID 4300 wrote to memory of 3944	4300	Ddakjkqi.exe	107
PID 3944 wrote to memory of 2768	3944	Dkkcge32.exe	108

C:\Users\Admin\AppData\Local\Temp\d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe
"C:\Users\Admin\AppData\Local\Temp\d81fd677025098d85f678122781c3cd1c2022485fba267b5f088fa90ae7fbe46.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\Bcebhoii.exe
  C:\Windows\system32\Bcebhoii.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\Bfdodjhm.exe
    C:\Windows\system32\Bfdodjhm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\Bjagjhnc.exe
      C:\Windows\system32\Bjagjhnc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
      - C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 408
        25⤵
        Program crash
        
        PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2188 -ip 2188
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
520KB

MD5
4f1f17732efc132e37f87483f63b0cfd

SHA1
cc7bec75f0b45c5651b6690f6fd4bbd2395dcd88

SHA256
33ac49b904eccdb97725d749165964fcc9814a3974fa4ff5a7dc745f5df76ccd

SHA512
18170b7d95590772d5a1ca64d455574c4688d770a680da99bedea0c96e2c69992bb40268d53378a737c18905ead5676da18c0cad70b7e1eef68c37dd93c18448

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
520KB

MD5
950060c2a0dfe7dac4aef912dfafc180

SHA1
964c4e7c1c5cc0cfc624b4ddcc41c2ff14b79939

SHA256
ac68c02b451ceec91743ed2a502a7265035f29604310150af7131cb495d4ee2b

SHA512
3a24a7d213045ec207a0db2bea1a28f468985118879796ad294e87b9fac57576113d8fb86d561618bdf95ab6d1281dfa3cdcab646cf68ba6a2eafbe3d7749aed

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
520KB

MD5
7ebe0271479a88ea58390e597d8ed2d8

SHA1
4054ce369e8db4756bb24b165f0c230dbaa907f5

SHA256
018333868aca9be8efb8c2d386b6a44b50626b3cf62beb63bea07330eddd3749

SHA512
b9e6a5d1c03cb4cb22867277ca29390817592a3416081d3c9fb22940654c8f299ffac427bfcd653c3500aca7ec00b313ea24ba3b31499d685d0569b9ad268ca3

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
520KB

MD5
d9f3f4e5cd9168d68f21db2208568bb5

SHA1
d18c24e0c9124b56d29779420dfce702895b4f39

SHA256
f1d5fff01d5a0ad4853cf81dd2029c54c8749cd7248649d6919b00fa7307d61a

SHA512
902aadbc1d94441355a10933829e57763dc7c4477fffad9ea6408bfa8189a734a9ad6dbc3e8b4076a4bcff675a962ca66334cfdb16e4c71bc7c848b68087bc5e

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
520KB

MD5
0ad93d55cde6225e1706f0fbcd1062c1

SHA1
2023d264c2b67a26e36d4bd92f386020fb2bc1d9

SHA256
9c02587f792ebda16a2c86cd0a6784a1a80204e0ef8d9495a696764f27f40d80

SHA512
314f4c057eeb22d1cd11e63e832d0e3078abf27005a227e8d0868261d81254f15ff2f0944730ffb764c03864cc272f48c49e47a92acacc9fa36ba5508c1bdd5d

Download Submit
C:\Windows\SysWOW64\Bmhnkg32.dll

Filesize
7KB

MD5
730bcd74aea23c2ddad284ed128a9351

SHA1
ff195a238f4dcef2273701cf5835ae110f786bfe

SHA256
57290c0146861c7951d1d37d51524cdf76f3978555a071905fe0cd503df97e89

SHA512
8fe536977dbd64cce7eb6e2acc9b6238ee7bafc724798d2f11b2c28adb5b8225276e55b533a40f990236bafe89aa9ded79409b6af9cc8eb5acf5bc9b22aab8eb

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
520KB

MD5
b0f06de79cd0caade09308d351c7f192

SHA1
9a873ee9571d2540e09bfa805cece8addf703670

SHA256
4cb3b365cee68607ae95081936504d8f3e230ade30f4971e3abca2029fd88cb8

SHA512
aa0f745adbeee2e115a9aca6b5741367b288cce1189dc7e7503547e6e81103f062105e925edf9d8b10de837e69a441a6c3d0411b7ddbd8c6fb8042f2170d5838

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
520KB

MD5
ab224bf224c07ba0e8a4942f7ea325f8

SHA1
aaa4b95fb5ec5d98786ea8cf676e69092abad10a

SHA256
d02c3dbebc407da637e5d005dcf6f3c1d91bcc184a21fd441254aef1b2320e39

SHA512
d30efe70dce17c034994597b817432b8da467a70c7e77930031ebd4a999564f027c53b554b2bee5a0fde995b8e8a55453fbf6a1fb03656d4871edd85238f93dd

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
520KB

MD5
75f60d11e9f9888d31f079019f010bd0

SHA1
5f0b6bbafac49219a54750f32672188633a30c23

SHA256
d1c3357a0aeb4b06c64176545fa2d82c1050dca8e5defb10f5ea3309da02b6d3

SHA512
c85385adc36414f56018aa1a067c4117f6bfdcad5384b82d8f27fcbb2df0f2c593197ad4037837ced01e9da3f9c413bb0a3faaf973c5cf9ca0f3fb051a196bd2

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
520KB

MD5
7ec369c6f0e31d4211b47b1b22af6b2c

SHA1
353fcd0a76d7b08bb16376433b402ddd983a5c13

SHA256
a3b90958bdb9729250ebdcca2707bbd14939a6bfcc5fba2b6b0c74d6a84d0d19

SHA512
6d56e5aa776f145a6d3b8e7d58f45859ff8fb05f96e694846f7747c000d3e74b0df65e60532e3396d45b5970673807ea87e2f7cf83665a241d4e36ae362055da

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
520KB

MD5
798defc2ddea1426707824622e4e069d

SHA1
63d6c2bc785162bcaa058e509abc55486774cbc9

SHA256
b4f730c60a845ccab8f87442ac49ddb84d51a5357541fcd26e640b1640835268

SHA512
c02fabc2878ac09b654218f4a0655c65b6c21da35b493c8664ef38f2f035e91f9104c9784d6c42a726ea6cbc369436c579f0f530361cf188863101c1f10de144

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
520KB

MD5
3d838778212e2b24d55b1fccfb889c77

SHA1
40809c1e36e5365f2ddf336fd1ec4c07f7f5c17b

SHA256
863fd2de51407389f46efdf41289cbacb4ca8319245754c6ef5a377db5beb4bf

SHA512
a3c76fef5119c813d68e232915c36e986116a60e29d1c74375c5c5007988a9321cda3bfcb3995031753fd7c7843bf8a75a07bbd63dc02f1de3a4faa016756540

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
520KB

MD5
ed29cc262ab6136e70010097f5d2ceb0

SHA1
e825a323c748b62025ed5748eb49566407fb6800

SHA256
fcf65152461db6f8e19bedfd54d61356a187299441912c1a5d3474dfdd84c334

SHA512
cf5c69ac3ffffed9b166dbb6e10c78f280812bc68837fd991525bc72f50474b8b27a9babcf7d5bb0caa87dad3f42b45c7aff4c99a12cbfe2b1a9dcd1385166d8

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
520KB

MD5
ef3a032b58dc34c3f272eb3fe093a55f

SHA1
3c5cb55bce47227f671923de0d7910be72622b5b

SHA256
5fd7894e2077b34dd540bfc82f0d9f657b658ded682877036b8410f3a8c08ebb

SHA512
2fca5570dc45a6dce67514de94aed32912095dfdd640974cb8f0576b9a2cacde70375d0d77b7e8cd7c9844a34ddb692d07ab1df48e3b7c8e9744a5b566204aef

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
520KB

MD5
2e20f0fa8d792f51af038c5f588e4c38

SHA1
55a329aa88f304478787cf70fc5a016255f47c64

SHA256
b30b8c659690ca125fdf7f45f742e2222e8838c1b56da4fdb1de93249136e6e7

SHA512
1f43bfb0c8568536ca22b98f59b124dec55beed757ed895b9ab344337f849ad8569389118cc13003aa91d2a2c8ae53d79b89c3326a362f63ffb04f7f19f5bad3

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
520KB

MD5
00484236e9ea45378975d4304cafc601

SHA1
fd3c4496374aba6eaa579951050eea5def3d3a90

SHA256
0985f36da96eb0a3242e21eaff729915da321e26faf414ca82ba5734fd86ef8d

SHA512
370e1a0de2d591a054ed20f06b3cb1fd1c003fdfc292ab8366368c492617a4f4c64f8d5ed933ff05502bece5c1aad85f268aaad35771175edb0da2acb3b4fff7

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
520KB

MD5
9e9ce6a4e5f21a2acd402c7c7dfe62e3

SHA1
73872c8e9625b2bf27666f80620b558a243ffb79

SHA256
48ce8a9466454c808e0d1771d3f28b4edae705fa3e050e5fb16dfacbb4e38fbd

SHA512
218a8389aeaba176c21aaef9f716d5251a2cdc22537fe78c89455b28a18b4ee9ad52e59a27611643dde50e3f72652456aa6b5592f7e4a5f65763858aef529f12

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
520KB

MD5
9c377afa1e75f139a175b637e56bed12

SHA1
9826e57d89c3661f92dfd22a0f55bd3637fcd0bb

SHA256
56120aab90080afbad6926b1f9161036eda887fb665a449a5b31b43c97e3e3b4

SHA512
bb546ca2c119e49d30a2e9cc4bde8fe3b98b3cf14c83429e5d5bcabe3d69bb8497c71417c6a97392476116e856a392e033629156aef45af603ccb63249c017bd

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
520KB

MD5
5ef1bb7a0a7ac92d7c67831eaab58034

SHA1
16d709aebed49895ad2f86aecfedd496407d1ef1

SHA256
dad08f650d12a668fec4c4aa1e1a060c64b65b136f072a630e2589529c3e1ebe

SHA512
06d529993a5c1e9146f5361adcae4c6fe49e74bb4ae6bb72974804167872852c97f9b27084b1ca79ded3a4cfe60dc4bbaef9355b12135eaa46f3be2c976173b7

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
520KB

MD5
e48768e18e4f9da81c03224f6e2eb1d9

SHA1
44c778bfc0b979526dab8f9ea9efe0f4ebace364

SHA256
1acb2eb7000b1b1028b67e672d7656119c1276d49a36e75f9a10831ba1701d6c

SHA512
a27b19dc6404131845ae98c1c877035fb5ffad0fd800658761531e67e7caa501b6e2b5987291521e7431c9c60936438dc68ac4a3519b6dd977276722e8553136

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
520KB

MD5
7bec4eecf4ecbfb1b13bec03993f70c7

SHA1
032c6aa21a049c2df16ce87d02a1349fe0e09e61

SHA256
946a16eea6d9da19963ad1dd894600537f41d4fd7eb59b0332a04e9f94c8de49

SHA512
f99d1628a226d78b3c621ebcf9fcc3a0a1e03fb714a2223181c9a92b9ad29872a968857e7c2fb633d2a74e859f687f98069d08b3bd571e50437faa9d81395b5b

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
520KB

MD5
86b232251a8799a5dd6f18b65310f571

SHA1
8fefda2d970a9d672cb126126fde331e0ed62b2b

SHA256
71f2257c89ca1ce8c8cb199c86865896805f979a5e8ccbfa3a017980502c790d

SHA512
d151dc9b24ce1a4240e4e154179f8ff87b4d6f0498d9bf1fa1f802b214f7b63c6724a06ff96c5c63a984b437695d62d2e5df1b0f52184fab9797fb0b5aeff6b8

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
520KB

MD5
68935985159cb9b91f7e65f4d0e6c03f

SHA1
f4f182ef0184f0e5840a5bde315f97ae700e96ee

SHA256
61af6affb1f22f8803c1ab66f786d031e4b383fa796adeaa574934abcd6e23c4

SHA512
25b563cdfc04d53b3a5d28da634baae407aac1707ba88feb353a6f382dc1125d2a8652b7bc385f448735111fd2a04ed5b01f88260ee993827328b5d7718c097c

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
520KB

MD5
d020c2a29566ddde4c66a3f6abd7b2ef

SHA1
7961872e3e84a81b8fd7df8a59c0684af363f753

SHA256
1e8ab429c915d4479415774420d9276798fe4533b163ff5006d074bf2ea79d00

SHA512
235ee79074ed9927a46f8bb56f668f1663c89b37a833577c7f1f3326e588317c04977bf6c38600f235b1d6248642b73eba75840d3cd759d66ddb12af05d9ca57

Download Submit
memory/612-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/612-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads