c318aef0989334eccbcb5e6bf06389507ca96167965a46259f218cec380cfda2

Analysis

max time kernel
32s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
Size

128KB
MD5

8fdb0429ca0efc054c0e2e1c95c2b0e0
SHA1

c92aad5b9d6402bb7ceff1675d8b417082536d74
SHA256

c318aef0989334eccbcb5e6bf06389507ca96167965a46259f218cec380cfda2
SHA512

9b1b36673a1c2df6b908248b0f5392b212c8e97d51d3abec24b43f4be333a9b61e8438deefde27bcba2cc301b6c09a08d8af18c3785c2851880da7ed4241b60d
SSDEEP

3072:poLrVdd+OJeLZMQJ82Qo5/ZRDd1AZoUBW3FJeRuaWNXmgu+tB:KLrTtkFZJdWZHEFJ7aWN1B

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe

Executes dropped EXE 20 IoCs

pid	Process
2800	Akmjfn32.exe
2756	Anlfbi32.exe
2640	Achojp32.exe
2716	Ackkppma.exe
264	Apalea32.exe
556	Afkdakjb.exe
2520	Acpdko32.exe
3044	Aeqabgoj.exe
3036	Bbdallnd.exe
2864	Bhajdblk.exe
1148	Blobjaba.exe
2088	Balkchpi.exe
2236	Boplllob.exe
756	Bejdiffp.exe
1792	Bmeimhdj.exe
2452	Cdoajb32.exe
1608	Cbdnko32.exe
1664	Cinfhigl.exe
612	Cbgjqo32.exe
2284	Ceegmj32.exe

Loads dropped DLL 44 IoCs

pid	Process
2840	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
2840	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
2800	Akmjfn32.exe
2800	Akmjfn32.exe
2756	Anlfbi32.exe
2756	Anlfbi32.exe
2640	Achojp32.exe
2640	Achojp32.exe
2716	Ackkppma.exe
2716	Ackkppma.exe
264	Apalea32.exe
264	Apalea32.exe
556	Afkdakjb.exe
556	Afkdakjb.exe
2520	Acpdko32.exe
2520	Acpdko32.exe
3044	Aeqabgoj.exe
3044	Aeqabgoj.exe
3036	Bbdallnd.exe
3036	Bbdallnd.exe
2864	Bhajdblk.exe
2864	Bhajdblk.exe
1148	Blobjaba.exe
1148	Blobjaba.exe
2088	Balkchpi.exe
2088	Balkchpi.exe
2236	Boplllob.exe
2236	Boplllob.exe
756	Bejdiffp.exe
756	Bejdiffp.exe
1792	Bmeimhdj.exe
1792	Bmeimhdj.exe
2452	Cdoajb32.exe
2452	Cdoajb32.exe
1608	Cbdnko32.exe
1608	Cbdnko32.exe
1664	Cinfhigl.exe
1664	Cinfhigl.exe
612	Cbgjqo32.exe
612	Cbgjqo32.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Pmmani32.dll	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Afkdakjb.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Acpdko32.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Gfpifm32.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Odmoin32.dll	Akmjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Apalea32.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Llaemaih.dll	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Apalea32.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Akmjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Momeefin.dll	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Akmjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Pqfjpj32.dll	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	Cbdnko32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Apalea32.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Aeqabgoj.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Akmjfn32.exe	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
File created	C:\Windows\SysWOW64\Elmnchif.dll	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Cbdnko32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Aeqabgoj.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Cbgjqo32.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Bhajdblk.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Hbappj32.dll	Ackkppma.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Aeqabgoj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1720	2284	WerFault.exe	49

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbappj32.dll"	Ackkppma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll"	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll"	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmoin32.dll"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ackkppma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2800	2840	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe	30
PID 2840 wrote to memory of 2800	2840	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe	30
PID 2840 wrote to memory of 2800	2840	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe	30
PID 2840 wrote to memory of 2800	2840	8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe	30
PID 2800 wrote to memory of 2756	2800	Akmjfn32.exe	31
PID 2800 wrote to memory of 2756	2800	Akmjfn32.exe	31
PID 2800 wrote to memory of 2756	2800	Akmjfn32.exe	31
PID 2800 wrote to memory of 2756	2800	Akmjfn32.exe	31
PID 2756 wrote to memory of 2640	2756	Anlfbi32.exe	32
PID 2756 wrote to memory of 2640	2756	Anlfbi32.exe	32
PID 2756 wrote to memory of 2640	2756	Anlfbi32.exe	32
PID 2756 wrote to memory of 2640	2756	Anlfbi32.exe	32
PID 2640 wrote to memory of 2716	2640	Achojp32.exe	33
PID 2640 wrote to memory of 2716	2640	Achojp32.exe	33
PID 2640 wrote to memory of 2716	2640	Achojp32.exe	33
PID 2640 wrote to memory of 2716	2640	Achojp32.exe	33
PID 2716 wrote to memory of 264	2716	Ackkppma.exe	34
PID 2716 wrote to memory of 264	2716	Ackkppma.exe	34
PID 2716 wrote to memory of 264	2716	Ackkppma.exe	34
PID 2716 wrote to memory of 264	2716	Ackkppma.exe	34
PID 264 wrote to memory of 556	264	Apalea32.exe	35
PID 264 wrote to memory of 556	264	Apalea32.exe	35
PID 264 wrote to memory of 556	264	Apalea32.exe	35
PID 264 wrote to memory of 556	264	Apalea32.exe	35
PID 556 wrote to memory of 2520	556	Afkdakjb.exe	36
PID 556 wrote to memory of 2520	556	Afkdakjb.exe	36
PID 556 wrote to memory of 2520	556	Afkdakjb.exe	36
PID 556 wrote to memory of 2520	556	Afkdakjb.exe	36
PID 2520 wrote to memory of 3044	2520	Acpdko32.exe	37
PID 2520 wrote to memory of 3044	2520	Acpdko32.exe	37
PID 2520 wrote to memory of 3044	2520	Acpdko32.exe	37
PID 2520 wrote to memory of 3044	2520	Acpdko32.exe	37
PID 3044 wrote to memory of 3036	3044	Aeqabgoj.exe	38
PID 3044 wrote to memory of 3036	3044	Aeqabgoj.exe	38
PID 3044 wrote to memory of 3036	3044	Aeqabgoj.exe	38
PID 3044 wrote to memory of 3036	3044	Aeqabgoj.exe	38
PID 3036 wrote to memory of 2864	3036	Bbdallnd.exe	39
PID 3036 wrote to memory of 2864	3036	Bbdallnd.exe	39
PID 3036 wrote to memory of 2864	3036	Bbdallnd.exe	39
PID 3036 wrote to memory of 2864	3036	Bbdallnd.exe	39
PID 2864 wrote to memory of 1148	2864	Bhajdblk.exe	40
PID 2864 wrote to memory of 1148	2864	Bhajdblk.exe	40
PID 2864 wrote to memory of 1148	2864	Bhajdblk.exe	40
PID 2864 wrote to memory of 1148	2864	Bhajdblk.exe	40
PID 1148 wrote to memory of 2088	1148	Blobjaba.exe	41
PID 1148 wrote to memory of 2088	1148	Blobjaba.exe	41
PID 1148 wrote to memory of 2088	1148	Blobjaba.exe	41
PID 1148 wrote to memory of 2088	1148	Blobjaba.exe	41
PID 2088 wrote to memory of 2236	2088	Balkchpi.exe	42
PID 2088 wrote to memory of 2236	2088	Balkchpi.exe	42
PID 2088 wrote to memory of 2236	2088	Balkchpi.exe	42
PID 2088 wrote to memory of 2236	2088	Balkchpi.exe	42
PID 2236 wrote to memory of 756	2236	Boplllob.exe	43
PID 2236 wrote to memory of 756	2236	Boplllob.exe	43
PID 2236 wrote to memory of 756	2236	Boplllob.exe	43
PID 2236 wrote to memory of 756	2236	Boplllob.exe	43
PID 756 wrote to memory of 1792	756	Bejdiffp.exe	44
PID 756 wrote to memory of 1792	756	Bejdiffp.exe	44
PID 756 wrote to memory of 1792	756	Bejdiffp.exe	44
PID 756 wrote to memory of 1792	756	Bejdiffp.exe	44
PID 1792 wrote to memory of 2452	1792	Bmeimhdj.exe	45
PID 1792 wrote to memory of 2452	1792	Bmeimhdj.exe	45
PID 1792 wrote to memory of 2452	1792	Bmeimhdj.exe	45
PID 1792 wrote to memory of 2452	1792	Bmeimhdj.exe	45

C:\Users\Admin\AppData\Local\Temp\8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe
"C:\Users\Admin\AppData\Local\Temp\8fdb0429ca0efc054c0e2e1c95c2b0e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\Akmjfn32.exe
  C:\Windows\system32\Akmjfn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\Anlfbi32.exe
    C:\Windows\system32\Anlfbi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\Achojp32.exe
      C:\Windows\system32\Achojp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ackkppma.exe

Filesize
128KB

MD5
a1f41cadb5f915281de1873d0d9f8dba

SHA1
3c561999b8b1d63d6f1490cf6f72358165bb3631

SHA256
0388b4bb0cb4274727cf6d9bf5cc94ce958e8b88446dd89b6df448543ddc739f

SHA512
7b73c7ee6471419efa471609e4f693d1120d4e0c6f376ba502d79ea00f68fb72e43ba952427137cd64962856c403113f60d8d885df46a38389beda9901029bb0

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
128KB

MD5
07bde5a78264a2ec0c175cd3b934495f

SHA1
a12ba46bab982244e31a8bdcf8487e9df31b42a4

SHA256
1df09a448d0218167f8b15405d1c21f9dd82283c79c88dbd8bfcfb201583592c

SHA512
53f7a3f58daacc6c82789440a1e45354661a8fc28818c4a34d55c21295281d8b61ad1854868a4973e1b67392de53dd9ab381ab30c7f06924723b079368c5864c

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
128KB

MD5
cf694b906cc2bf1b75bb116172fcfb6a

SHA1
77c8e34fef354366b0b44678e47bcc40e03478a9

SHA256
4e816164b26b036dc44219fdea212de7719983d99ac6225d7809c7b777ffa521

SHA512
81e003cf56866372a5e92bd957ffdcb4734fdcbce77c6820558339bb5387d9f1ef541dcfe5482e2fe79b9a5c14a3956d02a2bbc218eddc069b37f19c42dbc632

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
128KB

MD5
5761e21d0848ccf45bf49ed8c8a09f78

SHA1
1afba3aa05d7bc534b77bc8a08635477f7e0183e

SHA256
92f76592e72acdb2feaac64b6fc0f3c747f51d98634986d580579e64b553b6d0

SHA512
fbc3a3effbdb0482aa1be980a0c0795eff44362736d8992008496888d4ce1ac5c6ce6c745bfea0fad0dbfa768eff1ec043e878b0c4f509b2efc1a67a11ef08d6

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
128KB

MD5
ca4fe14df1aea75bdd984f276e864bd9

SHA1
7b849e90ba46b5ff4a16950953d8a467806cfaec

SHA256
435ffd2abc9e156f46c736a3669fbda5ab9a9c96b28eaedcea11699e450ea514

SHA512
69ebc713455f8d330baecc3fc32ed07982a50f355595894c8d339a4ca2041f9df80db483bb4702d1797b026d1817b077487fef1af59f243094f2f34e12947dfe

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
128KB

MD5
cfd01bebd9293d5904535c96342f9f31

SHA1
399939e47f31e2d15a90c98c4457dc9c2ce509cd

SHA256
a6e1e2569bb707e78af164df58392e32ec01b0b72a3c0ac16bb8ee68f02f701d

SHA512
99fc013d97468cb3fb320b8d34eb42e5730985093d9720e47e8ceb0cbc2757bfc738d30102c2ac4c87aecfb2b326af1571d5814779f6d1f94266790f3c0f4d44

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
128KB

MD5
859b3ad706c5cebc79c2cb9c0851cd1c

SHA1
47e631493b52efcd800e2f6c114e9483c358a858

SHA256
00d26d228602c3f382ea5821acb9faa7982a65477049a60e49d35aec5832a4bb

SHA512
15fe6ae428cb33f19f611ba6cbf20976a17b4e5d668e655d0d882821effdda5939858d38491a2fdee66c5c700ccd5c3eb9d43f0431d54b5052228dacf3f4bb2a

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
128KB

MD5
1053c69b750cc2f585209b137bd4364f

SHA1
47f4e5154d6bbde4841c009e9efbd262a1a4aa87

SHA256
4381af3a38e796bd0ceb53b898c15a6495dbe4bbba62faa0632df93a8789f920

SHA512
9aad0857a9bf3c1a268fef36afdbc1b082af82bb2d4bd5a20c74564fa27d0de87048fba7726a99726fd95e622334e8123085070614e9e596d09f21caed3af61a

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
128KB

MD5
6536bed75f06055a97bbab2ad1e445ae

SHA1
78d90edf6ad099b8109c6a02468be4b8db856efa

SHA256
0da90063c8df9b0903f91f4f83d6123a6c7db59439b0314b30e423aa2893d141

SHA512
e1262bac51e5797e1d1e3867409a90af01a081302b13ee4fe5a8ff887f61eec873af142b42b4413752c8d62f1b427bb959653ad773e1a693624ff2c0a20e3193

Download Submit
C:\Windows\SysWOW64\Hbappj32.dll

Filesize
7KB

MD5
c105350bf15fbf343a811e2139bdbfd8

SHA1
fe7dd96e92a22509a666d9adfb5bc151180ea188

SHA256
95ac0b99d84805bf08f68cf5c6d31a26bffe32c156d37ebb75c289ba1da9b5b6

SHA512
a9429f5d9e20f22eae89a56d7344352f4ef5341d66ea870206ad069111d70f518d7d531433ae36e8b8118f77f11c314984b7e8ea8efbf6f4a56f2ef931dd08de

Download Submit
\Windows\SysWOW64\Achojp32.exe

Filesize
128KB

MD5
0893823c4eeba192a2526a81158d72ba

SHA1
b826290a34b2a3134f13ae1d74c23b699bc24942

SHA256
26be9a7b5041b97cb6c98eb16c396bcd4646d666caef10b5690d1c5591d653a1

SHA512
b4eac4c98c709f8d51422227e55f289321b3922e10834061fccaee22754508a61ee98ca15dda2f4175ee535c66035fb76bd534d6d0427b74c8e6ab4adf36d588

Download Submit
\Windows\SysWOW64\Acpdko32.exe

Filesize
128KB

MD5
ccd04b648f12333ebc6ee29e196c5011

SHA1
0099b9be732b08ac5afb448cc915903c86ae381e

SHA256
0e06d1920e73dda30b81843074deddefc46c836fdbc401178b7af5587c01e6ab

SHA512
2c2c7e9fb966bdd0d41b7b2a81fe9fe7820ef64ad519ac990581ff648b79e1aeda41ca5b3df3a33d2c9104715203d45324998ea8307c5d1156bea064062a408b

Download Submit
\Windows\SysWOW64\Aeqabgoj.exe

Filesize
128KB

MD5
03d38c4a5bd23dc0dafd99b61bf7db82

SHA1
9f526ff2fd2a7b8efd025aa13183a13804a29c23

SHA256
86199c26afe502a570779e1736b6d92c3320ac4cb55213afe4f336f6562069b1

SHA512
0a4faed38f65a0c84007d378c25a2594d376f3c916c088dda8cd4fd857ad7a60437c8718da2bcdfbccbb94364e63bb1a018439b9034f3bb2e21feabf6d661730

Download Submit
\Windows\SysWOW64\Afkdakjb.exe

Filesize
128KB

MD5
461575870278e20c8314d27aa8dc460c

SHA1
d7ff7751b5d4dccf6936d93321966a262263e4b2

SHA256
5c1078842dd4689adb7468de65b8fc3e7a8a4e2e7d9da5476f5e191563cdf946

SHA512
e868393fdc970442c45eba54b4f4efa7e51ad3857a72db901d988e68fbfe3e710293b5ab258064315e7e3f06a7c6aa61a021e404107f119027d25b42ba902b61

Download Submit
\Windows\SysWOW64\Akmjfn32.exe

Filesize
128KB

MD5
0a264e7406965d52d9fa6dc453b9ac54

SHA1
ddf15eb39963b0ea5f4abfc6445a737f02864e77

SHA256
edb9d579d7328201232bc923663cfe59f932a9b09cbec216c0c13026ba999047

SHA512
68c7ba917aa66a7df7549629c40d10f2c6bde4e19a461fda7a2d652744286aae13ab007060e39c3165a81777fb4894451d3dfa66045bdfc04865ef38c89d40a9

Download Submit
\Windows\SysWOW64\Apalea32.exe

Filesize
128KB

MD5
d55264be20352006afb8b595fcee814e

SHA1
6be9e0f18f67c62034401c91f312c26d5ff06a50

SHA256
2302191eb7c91b40a3f12012d6eaa0fb4c73b24289a9618a9eef260f3275791a

SHA512
4d8039258e19abd311e69849c8ae6fd4238dae349f2ff0b8bbbc3f8025e786bfe7515105be64b5093831654c64670f0d00edf9a9dd13637563c5c6f246cdb68d

Download Submit
\Windows\SysWOW64\Bbdallnd.exe

Filesize
128KB

MD5
75c88293318ba9434fab6fc0db6e452b

SHA1
878220b58cf06d960370039bae881492b659c03d

SHA256
aac4bb60b8af27ac04412e2ddd4269a8fcb3a428f42b9afaced11b5ba9b74df4

SHA512
096d7bfd31c9a5c238651d266f1f2aa2ddad9363f0e01bbd12208389ca017c1c450115a48d56df7686201ba6e029b5bf69ffe32cb20ed96fa186e54a620f9f35

Download Submit
\Windows\SysWOW64\Blobjaba.exe

Filesize
128KB

MD5
e625c2f432ad52279c522bb729b5a46e

SHA1
0d7b13487c8a701e0c99a0707ea84a5bc0b455de

SHA256
ac152686b58eca8c35cdb0bc999d74cebbac0079f960e376c969a03ad27c5b4d

SHA512
6f5fd13138076b32479bccb049237a830790c38adbdb6db76af2ef942dc2ad4fde152764ddf0cc3cd5fec6b8bc4fbcdc88554ee342217244ed5598307859b94b

Download Submit
\Windows\SysWOW64\Bmeimhdj.exe

Filesize
128KB

MD5
cdd84cadb0e7297e8f03724a059da089

SHA1
48e3c5998a4fc9debf671992a16a97fbae6ec118

SHA256
d240fcdf59dcde1879d5303c1a436a4dc31694c555079bbe2903109cd69baadf

SHA512
e16dc95fda85403d5709fc1babec611459377fbf2c156053777fe0ffc8b8f94b7655da30ead6661ea96ddc6e36f622d00cf57672ccdd70949c5eda80e739bf60

Download Submit
\Windows\SysWOW64\Boplllob.exe

Filesize
128KB

MD5
0aa923a07b1606501f39eb3c387aab27

SHA1
a3be6fcfe9ee8997fd9b6cc97407435c11bfdfbd

SHA256
ac89736906935375a7538712f90c7182e7451bdddadf1a5f3c97495783d8412a

SHA512
ddfbf711e9c1fa6d72d3b0ad864bc633dd120fb854d62be72be70c330e126b0c0a3b701ba0886cf4306abfaf23dc9a2e91f43e596a78b6c21c307de8e9cced1e

Download Submit
\Windows\SysWOW64\Cdoajb32.exe

Filesize
128KB

MD5
d6fda8ab99b865fff3b83bb20b330af6

SHA1
7a4dce3ef605c5f259a41ab03f3c17366b7b9085

SHA256
aafccded9ae137f773f9b374d48edec15454994368dd95c17f6d124077b22fdf

SHA512
9a769c87492b7c89fd5141a16cdb361b16f3fba3b05fbc1fd864db421ce9dd587f13f6145049bb0e03fadb6ebd03416b2eb0674e7a195deec28308c8c2ba2f3f

Download Submit
memory/264-132-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/264-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/264-84-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/264-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/556-93-0x0000000001FB0000-0x0000000001FF2000-memory.dmp

Filesize
264KB

Download
memory/556-86-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/556-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/612-288-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/612-297-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/612-298-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/756-220-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/756-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-179-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1148-165-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-227-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1148-228-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1148-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-180-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1608-269-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1608-296-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1608-294-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1608-265-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1664-275-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1664-295-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1664-280-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1792-281-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1792-282-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1792-279-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1792-242-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1792-243-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1792-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2088-181-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2088-245-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2088-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2088-188-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2236-203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-206-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2236-252-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2284-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2284-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-246-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-258-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2452-254-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2520-101-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2520-109-0x0000000000360000-0x00000000003A2000-memory.dmp

Filesize
264KB

Download
memory/2520-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2520-160-0x0000000000360000-0x00000000003A2000-memory.dmp

Filesize
264KB

Download
memory/2640-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-100-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2716-123-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2716-114-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-63-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2716-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-69-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2756-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2756-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2756-34-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2800-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2840-11-0x0000000000360000-0x00000000003A2000-memory.dmp

Filesize
264KB

Download
memory/2840-12-0x0000000000360000-0x00000000003A2000-memory.dmp

Filesize
264KB

Download
memory/2840-54-0x0000000000360000-0x00000000003A2000-memory.dmp

Filesize
264KB

Download
memory/2840-46-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2840-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2864-211-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2864-149-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2864-157-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/3036-146-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/3036-201-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/3036-200-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/3036-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3036-147-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/3036-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-125-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/3044-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-178-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads