ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Size

80KB
MD5

422c93b3ca209aaac797dece06b890c6
SHA1

5882c9401f0ada5af550af4a93965dfdc130683b
SHA256

ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7
SHA512

0c0b7adec524f50291d789f012796220a7ac22ee39641f94e90fa2aea60e8d9698a56ff95afe5a0467e87dc022704fc5f947785a2c77d668a6b0db54c47f9aa2
SSDEEP

1536:bE3EPonB4AFLWEeyUGvaU22LrPJ9VqDlzVxyh+CbxMa:GGAFLWE1vaYjJ9IDlRxyhTb7

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beadgdli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhiphb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dboglhna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clnehado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhiphb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccqhdmbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdhna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dboglhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beadgdli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknmok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpdhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknmok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhhge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnehado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebappk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boobki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boobki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcjjkkji.exe

Executes dropped EXE 19 IoCs

pid	Process
2864	Beadgdli.exe
2156	Bknmok32.exe
2772	Boobki32.exe
2604	Ccqhdmbc.exe
2568	Cpdhna32.exe
2148	Cnhhge32.exe
2964	Clnehado.exe
2392	Dcjjkkji.exe
2852	Dboglhna.exe
564	Dhiphb32.exe
1196	Dqddmd32.exe
684	Dgqion32.exe
2248	Eddjhb32.exe
1464	Egebjmdn.exe
2312	Ejfllhao.exe
1588	Ebappk32.exe
656	Ebcmfj32.exe
1716	Fpgnoo32.exe
1468	Flnndp32.exe

Loads dropped DLL 42 IoCs

pid	Process
2728	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
2728	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
2864	Beadgdli.exe
2864	Beadgdli.exe
2156	Bknmok32.exe
2156	Bknmok32.exe
2772	Boobki32.exe
2772	Boobki32.exe
2604	Ccqhdmbc.exe
2604	Ccqhdmbc.exe
2568	Cpdhna32.exe
2568	Cpdhna32.exe
2148	Cnhhge32.exe
2148	Cnhhge32.exe
2964	Clnehado.exe
2964	Clnehado.exe
2392	Dcjjkkji.exe
2392	Dcjjkkji.exe
2852	Dboglhna.exe
2852	Dboglhna.exe
564	Dhiphb32.exe
564	Dhiphb32.exe
1196	Dqddmd32.exe
1196	Dqddmd32.exe
684	Dgqion32.exe
684	Dgqion32.exe
2248	Eddjhb32.exe
2248	Eddjhb32.exe
1464	Egebjmdn.exe
1464	Egebjmdn.exe
2312	Ejfllhao.exe
2312	Ejfllhao.exe
1588	Ebappk32.exe
1588	Ebappk32.exe
656	Ebcmfj32.exe
656	Ebcmfj32.exe
1716	Fpgnoo32.exe
1716	Fpgnoo32.exe
744	WerFault.exe
744	WerFault.exe
744	WerFault.exe
744	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dboglhna.exe	Dcjjkkji.exe
File created	C:\Windows\SysWOW64\Ejfllhao.exe	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Ebappk32.exe	Ejfllhao.exe
File opened for modification	C:\Windows\SysWOW64\Fpgnoo32.exe	Ebcmfj32.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fpgnoo32.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fpgnoo32.exe
File opened for modification	C:\Windows\SysWOW64\Beadgdli.exe	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
File created	C:\Windows\SysWOW64\Bdajpkkj.dll	Beadgdli.exe
File created	C:\Windows\SysWOW64\Dgqion32.exe	Dqddmd32.exe
File created	C:\Windows\SysWOW64\Ogadek32.dll	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Elfkmcdp.dll	Dqddmd32.exe
File opened for modification	C:\Windows\SysWOW64\Ebappk32.exe	Ejfllhao.exe
File created	C:\Windows\SysWOW64\Bknmok32.exe	Beadgdli.exe
File created	C:\Windows\SysWOW64\Kppegfpa.dll	Bknmok32.exe
File opened for modification	C:\Windows\SysWOW64\Ccqhdmbc.exe	Boobki32.exe
File created	C:\Windows\SysWOW64\Aiheodlg.dll	Cnhhge32.exe
File opened for modification	C:\Windows\SysWOW64\Dhiphb32.exe	Dboglhna.exe
File created	C:\Windows\SysWOW64\Jhpgpkho.dll	Ebappk32.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fpgnoo32.exe
File created	C:\Windows\SysWOW64\Beadgdli.exe	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
File created	C:\Windows\SysWOW64\Jhibakgh.dll	Ccqhdmbc.exe
File created	C:\Windows\SysWOW64\Dhiphb32.exe	Dboglhna.exe
File created	C:\Windows\SysWOW64\Dqddmd32.exe	Dhiphb32.exe
File created	C:\Windows\SysWOW64\Olahgd32.dll	Dgqion32.exe
File opened for modification	C:\Windows\SysWOW64\Cpdhna32.exe	Ccqhdmbc.exe
File created	C:\Windows\SysWOW64\Jlpfci32.dll	Dboglhna.exe
File created	C:\Windows\SysWOW64\Mjpdkq32.dll	Ebcmfj32.exe
File created	C:\Windows\SysWOW64\Cpdhna32.exe	Ccqhdmbc.exe
File opened for modification	C:\Windows\SysWOW64\Cnhhge32.exe	Cpdhna32.exe
File opened for modification	C:\Windows\SysWOW64\Bknmok32.exe	Beadgdli.exe
File created	C:\Windows\SysWOW64\Cnhhge32.exe	Cpdhna32.exe
File created	C:\Windows\SysWOW64\Bpmoggbh.dll	Clnehado.exe
File created	C:\Windows\SysWOW64\Jbaajccm.dll	Dhiphb32.exe
File opened for modification	C:\Windows\SysWOW64\Dgqion32.exe	Dqddmd32.exe
File created	C:\Windows\SysWOW64\Lebbqn32.dll	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
File created	C:\Windows\SysWOW64\Ccqhdmbc.exe	Boobki32.exe
File created	C:\Windows\SysWOW64\Dboglhna.exe	Dcjjkkji.exe
File opened for modification	C:\Windows\SysWOW64\Ejfllhao.exe	Egebjmdn.exe
File opened for modification	C:\Windows\SysWOW64\Clnehado.exe	Cnhhge32.exe
File created	C:\Windows\SysWOW64\Fcphaglh.dll	Dcjjkkji.exe
File opened for modification	C:\Windows\SysWOW64\Boobki32.exe	Bknmok32.exe
File created	C:\Windows\SysWOW64\Iidbakdl.dll	Boobki32.exe
File created	C:\Windows\SysWOW64\Boobki32.exe	Bknmok32.exe
File created	C:\Windows\SysWOW64\Ckpmmabh.dll	Cpdhna32.exe
File created	C:\Windows\SysWOW64\Gbmiha32.dll	Ejfllhao.exe
File opened for modification	C:\Windows\SysWOW64\Ebcmfj32.exe	Ebappk32.exe
File created	C:\Windows\SysWOW64\Clnehado.exe	Cnhhge32.exe
File opened for modification	C:\Windows\SysWOW64\Dcjjkkji.exe	Clnehado.exe
File created	C:\Windows\SysWOW64\Dcjjkkji.exe	Clnehado.exe
File opened for modification	C:\Windows\SysWOW64\Dqddmd32.exe	Dhiphb32.exe
File created	C:\Windows\SysWOW64\Eddjhb32.exe	Dgqion32.exe
File created	C:\Windows\SysWOW64\Ngbpoo32.dll	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Ebcmfj32.exe	Ebappk32.exe
File opened for modification	C:\Windows\SysWOW64\Eddjhb32.exe	Dgqion32.exe
File created	C:\Windows\SysWOW64\Egebjmdn.exe	Eddjhb32.exe
File opened for modification	C:\Windows\SysWOW64\Egebjmdn.exe	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Fpgnoo32.exe	Ebcmfj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
744	1468	WerFault.exe	48

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcjjkkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddjhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebcmfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boobki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhhge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgnoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beadgdli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknmok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccqhdmbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clnehado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhiphb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejfllhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dboglhna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgqion32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egebjmdn.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdajpkkj.dll"	Beadgdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiheodlg.dll"	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beadgdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bknmok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaajccm.dll"	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfkmcdp.dll"	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejfllhao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpdhna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beadgdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpdkq32.dll"	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boobki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbpoo32.dll"	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmiha32.dll"	Ejfllhao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcphaglh.dll"	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll"	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhiphb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidbakdl.dll"	Boobki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpmmabh.dll"	Cpdhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogadek32.dll"	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpfci32.dll"	Dboglhna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boobki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhibakgh.dll"	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpdhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmoggbh.dll"	Clnehado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dboglhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpgpkho.dll"	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebbqn32.dll"	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dboglhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgqion32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgqion32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bknmok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clnehado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppegfpa.dll"	Bknmok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clnehado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpgnoo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2864	2728	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe	30
PID 2728 wrote to memory of 2864	2728	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe	30
PID 2728 wrote to memory of 2864	2728	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe	30
PID 2728 wrote to memory of 2864	2728	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe	30
PID 2864 wrote to memory of 2156	2864	Beadgdli.exe	31
PID 2864 wrote to memory of 2156	2864	Beadgdli.exe	31
PID 2864 wrote to memory of 2156	2864	Beadgdli.exe	31
PID 2864 wrote to memory of 2156	2864	Beadgdli.exe	31
PID 2156 wrote to memory of 2772	2156	Bknmok32.exe	32
PID 2156 wrote to memory of 2772	2156	Bknmok32.exe	32
PID 2156 wrote to memory of 2772	2156	Bknmok32.exe	32
PID 2156 wrote to memory of 2772	2156	Bknmok32.exe	32
PID 2772 wrote to memory of 2604	2772	Boobki32.exe	33
PID 2772 wrote to memory of 2604	2772	Boobki32.exe	33
PID 2772 wrote to memory of 2604	2772	Boobki32.exe	33
PID 2772 wrote to memory of 2604	2772	Boobki32.exe	33
PID 2604 wrote to memory of 2568	2604	Ccqhdmbc.exe	34
PID 2604 wrote to memory of 2568	2604	Ccqhdmbc.exe	34
PID 2604 wrote to memory of 2568	2604	Ccqhdmbc.exe	34
PID 2604 wrote to memory of 2568	2604	Ccqhdmbc.exe	34
PID 2568 wrote to memory of 2148	2568	Cpdhna32.exe	35
PID 2568 wrote to memory of 2148	2568	Cpdhna32.exe	35
PID 2568 wrote to memory of 2148	2568	Cpdhna32.exe	35
PID 2568 wrote to memory of 2148	2568	Cpdhna32.exe	35
PID 2148 wrote to memory of 2964	2148	Cnhhge32.exe	36
PID 2148 wrote to memory of 2964	2148	Cnhhge32.exe	36
PID 2148 wrote to memory of 2964	2148	Cnhhge32.exe	36
PID 2148 wrote to memory of 2964	2148	Cnhhge32.exe	36
PID 2964 wrote to memory of 2392	2964	Clnehado.exe	37
PID 2964 wrote to memory of 2392	2964	Clnehado.exe	37
PID 2964 wrote to memory of 2392	2964	Clnehado.exe	37
PID 2964 wrote to memory of 2392	2964	Clnehado.exe	37
PID 2392 wrote to memory of 2852	2392	Dcjjkkji.exe	38
PID 2392 wrote to memory of 2852	2392	Dcjjkkji.exe	38
PID 2392 wrote to memory of 2852	2392	Dcjjkkji.exe	38
PID 2392 wrote to memory of 2852	2392	Dcjjkkji.exe	38
PID 2852 wrote to memory of 564	2852	Dboglhna.exe	39
PID 2852 wrote to memory of 564	2852	Dboglhna.exe	39
PID 2852 wrote to memory of 564	2852	Dboglhna.exe	39
PID 2852 wrote to memory of 564	2852	Dboglhna.exe	39
PID 564 wrote to memory of 1196	564	Dhiphb32.exe	40
PID 564 wrote to memory of 1196	564	Dhiphb32.exe	40
PID 564 wrote to memory of 1196	564	Dhiphb32.exe	40
PID 564 wrote to memory of 1196	564	Dhiphb32.exe	40
PID 1196 wrote to memory of 684	1196	Dqddmd32.exe	41
PID 1196 wrote to memory of 684	1196	Dqddmd32.exe	41
PID 1196 wrote to memory of 684	1196	Dqddmd32.exe	41
PID 1196 wrote to memory of 684	1196	Dqddmd32.exe	41
PID 684 wrote to memory of 2248	684	Dgqion32.exe	42
PID 684 wrote to memory of 2248	684	Dgqion32.exe	42
PID 684 wrote to memory of 2248	684	Dgqion32.exe	42
PID 684 wrote to memory of 2248	684	Dgqion32.exe	42
PID 2248 wrote to memory of 1464	2248	Eddjhb32.exe	43
PID 2248 wrote to memory of 1464	2248	Eddjhb32.exe	43
PID 2248 wrote to memory of 1464	2248	Eddjhb32.exe	43
PID 2248 wrote to memory of 1464	2248	Eddjhb32.exe	43
PID 1464 wrote to memory of 2312	1464	Egebjmdn.exe	44
PID 1464 wrote to memory of 2312	1464	Egebjmdn.exe	44
PID 1464 wrote to memory of 2312	1464	Egebjmdn.exe	44
PID 1464 wrote to memory of 2312	1464	Egebjmdn.exe	44
PID 2312 wrote to memory of 1588	2312	Ejfllhao.exe	45
PID 2312 wrote to memory of 1588	2312	Ejfllhao.exe	45
PID 2312 wrote to memory of 1588	2312	Ejfllhao.exe	45
PID 2312 wrote to memory of 1588	2312	Ejfllhao.exe	45

C:\Users\Admin\AppData\Local\Temp\ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
"C:\Users\Admin\AppData\Local\Temp\ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\Beadgdli.exe
  C:\Windows\system32\Beadgdli.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\Bknmok32.exe
    C:\Windows\system32\Bknmok32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\Boobki32.exe
      C:\Windows\system32\Boobki32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\Ccqhdmbc.exe
        
        C:\Windows\system32\Ccqhdmbc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\SysWOW64\Cpdhna32.exe
        
        C:\Windows\system32\Cpdhna32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Cnhhge32.exe
        
        C:\Windows\system32\Cnhhge32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Clnehado.exe
        
        C:\Windows\system32\Clnehado.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Dcjjkkji.exe
        
        C:\Windows\system32\Dcjjkkji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Dboglhna.exe
        
        C:\Windows\system32\Dboglhna.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Dhiphb32.exe
        
        C:\Windows\system32\Dhiphb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Dgqion32.exe
        
        C:\Windows\system32\Dgqion32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Eddjhb32.exe
        
        C:\Windows\system32\Eddjhb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Egebjmdn.exe
        
        C:\Windows\system32\Egebjmdn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Ejfllhao.exe
        
        C:\Windows\system32\Ejfllhao.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Ebcmfj32.exe
        
        C:\Windows\system32\Ebcmfj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Fpgnoo32.exe
        
        C:\Windows\system32\Fpgnoo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Clnehado.exe

Filesize
80KB

MD5
6dd4699e805d8de5b89105a93d064d2e

SHA1
71c49c828a07a056b45aa4e74eb22de7febde8a6

SHA256
d70768c579abc8641e2d70ae3843131557d2dc5cf3a340eba07b92d0f233e13d

SHA512
767c59557f3a2c9a43169d359708b701a3008995fd162be8fddf9a73ca2bbf8cd39afb37c52d199b000542cbf43e7fe9dc8d43e5a7f2fed481d2db299778441f

Download Submit
C:\Windows\SysWOW64\Ebcmfj32.exe

Filesize
80KB

MD5
02b7523dd19fb5c6d6e48252d3f3428d

SHA1
76c274146e74473dadd841f56a46c64aef8a7ae8

SHA256
652faf3af8aaf84ff0788e2f96d0b6db16fabf8a029e933072c8eb1fc632c634

SHA512
1aeea5a3ea5a91aae3b9c63b636bc29017587b34d694ee85cd8fd52558a8c0676069d0152038512a6273c788e4a164807f91fbfdba0b2d41103df889a0f115bd

Download Submit
C:\Windows\SysWOW64\Egebjmdn.exe

Filesize
80KB

MD5
5c9c3b887e1e0885dc6322eb8bf2ca80

SHA1
af693b5780d8bd4dc8e889b1cec6e9bb81aa1fb2

SHA256
8bdabd6dae24099b499f9738eb15c0803a2c9db8677a5e6b72d92615ebc56b9a

SHA512
1a53423eb02eb5c48c8d647ec6132a91029f28b44c693221d6ca6b61c91300d844270fb11f528d860885811fd8170ae0adebfb735f695beee5c4e13131fd6d28

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
80KB

MD5
9f0ac50f9e8282c864cd67f4d5fb8eea

SHA1
4c6c6648ed83d0ef76554ca96d1c96e1adc716d3

SHA256
d84aaddda688293a3b46f187c815612423cf02d7dd258df1f4c0a7a8cb15242a

SHA512
1821f3bfafb79f80aebc35aec53f091514b3cce7136414ca9f1177ee2fe670ba8589d090e8bc0578e909e00a070ee309f6a27ebce5a93d36c73092f9541e2bae

Download Submit
C:\Windows\SysWOW64\Fpgnoo32.exe

Filesize
80KB

MD5
1f6c2125e87fcf4ce5a1e7cc9ff1ed71

SHA1
d7da2f726c8f30e59503e3009f0e7276eadfe79a

SHA256
979d84aaf888104f9e7951d4a9e67b00c6755a5f95e10cd21820cacf7bb1342e

SHA512
a5989f5cb8e3239963585d76497b61670e2b36a3c26838cd40cb34c388306affd05bea94dc64c952349660cbd1f6917aec0c4c00afcb6cc645df84577885195d

Download Submit
\Windows\SysWOW64\Beadgdli.exe

Filesize
80KB

MD5
467e8445ed17333a72c7e98989a00ddf

SHA1
487f88789dd4fe2b2cbaa280f801085a56d5f798

SHA256
24deb6d97e4f2621e1af77fc01940ae59baf48cf5e3645cc9bb6069912de54b2

SHA512
82b07d6fc4e33ce168878d5758358acd2559d8d067beb5b73e5c175f49dd2974cccee2f39f26a700161c943ae11b5bad2da75bb21487ee36c97d3ae623d8f3bc

Download Submit
\Windows\SysWOW64\Bknmok32.exe

Filesize
80KB

MD5
4e0bc73395833f90179efd708d96a08e

SHA1
556b06e4f4525900a6cedd7cce831cfe17bbea56

SHA256
61e9f084d92ceeabf896f312b93e1292e217cb2d64ec4c28023b1051e2c4d93d

SHA512
d166a934bce0128694398a425f1d242fc529f4bb1f9bd48c7209dc67b682a4f40484af853ec3ea36172e1f7ebb69e1b54e4c06dc5bcfe82c7cb9eca0e8adaeb0

Download Submit
\Windows\SysWOW64\Boobki32.exe

Filesize
80KB

MD5
e2783c4919b4183c55e9ad886c855174

SHA1
0cddbfc79fb094d9b9334b3798c3d58ae11ad531

SHA256
ba9068bceed07227d0ffb0b03f78c44f9851442a367778366e7591094337de6e

SHA512
79b7264a447ea5848328f40458dfe0f5a882e81376a8a69883ad2161c2dae0d7069a5593632dcc51a0502c8c1167b5913af56eaa9c743ecfefd97f4002cdc423

Download Submit
\Windows\SysWOW64\Ccqhdmbc.exe

Filesize
80KB

MD5
3438606365cbbf89bc8ccd48332e9f5b

SHA1
d53d059354f174f004c9f942cb8c4d4d2e0d6dfa

SHA256
f879638a2bc20ec3e7f1ed4346a355f32a69776cb18d766869de8a1f27cf8e92

SHA512
95334861024c13cd947cd19bd4ace766ba6fa274f5034c4e966bdc0bafae5ffc74ba98ffac84daba91e0b93de75dd8f3a6a9c4d732cb98f8400bdf05aaf7779c

Download Submit
\Windows\SysWOW64\Cnhhge32.exe

Filesize
80KB

MD5
d99c30c77a915ba3032c852071671ffb

SHA1
224bec045e803e3f6097827fb6f1d26ca3f7f5c3

SHA256
dd3a8e8d444273a867d55c03d47dd81a7aa5bdfad4146b8fe54745ad3945c34e

SHA512
09716f9724b4bf216661644b025abab00090b6c05057ba910e2bc24039851eb1d3e402904f2ad52fc8f28f0f136848a28280eba46f1ff84c0572fe2502d51c15

Download Submit
\Windows\SysWOW64\Cpdhna32.exe

Filesize
80KB

MD5
3092b4f4a9d7e09cfdd8647ffd82050c

SHA1
74ddee98da5a6ae98acc60c9509cd0476d3af863

SHA256
ec0e8be9814939ab60f8c5e52c415f98d33f35260401492c415c15558c3ee353

SHA512
c96f76a61e9132e3172b409cb22c7594c49e02e9577cf174ad958d0e85dcaa4ccfedfaf1e6ef57468e2700834382831c25e31d0e02586b4a030c317b44d3f3a9

Download Submit
\Windows\SysWOW64\Dboglhna.exe

Filesize
80KB

MD5
ba9567806116a1dc35dec936c99b4832

SHA1
0322fa8191256ffa37dea3209a06e5b166ae39bb

SHA256
760403c2344b32b13068990d4ea85b0eb4d76ce736674ccbedbb8e8dd2ac6252

SHA512
9d5185ccc5ab107712f4b67903f7f07a07f2b4cea01335c5f929cbf4f8b7bc20563904d8e1f646fbae2522efe538431445e1805cc66636fb9242c6e7fa87041b

Download Submit
\Windows\SysWOW64\Dcjjkkji.exe

Filesize
80KB

MD5
e14c86beb2f097ddedc2d8c5041e0b55

SHA1
4e860ff6349ea1b37348005410083bb0872b9512

SHA256
c7ff55232e895fbc7441c8ffe9e72fdf53f6ad5fd4e613ede0196040c62a7332

SHA512
bb17ad80a7061972fdc1b72bd7418e861a522accd9f0dba673434bd6c49eabe4c90834b268eb5f0194549902fbb23f40fe54937113a32caec908f694537c196f

Download Submit
\Windows\SysWOW64\Dgqion32.exe

Filesize
80KB

MD5
fefe6a6de5444667af454006314b9b76

SHA1
c66cf79682b8a8057fb9d53c6085555125f24bd1

SHA256
3f00e6de12f7169a772ba6acb4f762ec82b3ae117380511d6c171a67bbe64e53

SHA512
d702d22d8b94d0067d753ef6ce864526429eee62312daecb8164fdd2032dda0cc1daaf92ee990d080fd29dacd316eeed51e2687887373ebc5a97dab2d70eb34c

Download Submit
\Windows\SysWOW64\Dhiphb32.exe

Filesize
80KB

MD5
4e43d1d5d2bc5e2dd40f3bf5c87eaceb

SHA1
2d79f88fec7dd4310154a453999e839b969887f3

SHA256
da956cf15c6ce059b9f4c5ed7ebed20dce5561defc8f5e182f1ca98cbbf861f2

SHA512
a03255d40159ff1f23eeeff94530a237b08b480547ea186901fe72ba9fd96db53fd79daf3baa97f389a88fd4835fbd92302c3279c233accf66f0a796fafbe37a

Download Submit
\Windows\SysWOW64\Dqddmd32.exe

Filesize
80KB

MD5
4099d4ffbbaaaa0137ba6fed6be9f2d5

SHA1
d05961f9f74719138a2fd3726d9883811880a72c

SHA256
95fd5e75394dc8867dc65baa347dd12365b372aec8785c6c3ca5461cdd804274

SHA512
a38521704b926ed8ff2db3b88d576addaa946e941f53e437fdfae391c0b40f0b61dfd0e613cb4f32eb7b82103f7a0448e203f88b508f68f7b20539b676d3b2f4

Download Submit
\Windows\SysWOW64\Ebappk32.exe

Filesize
80KB

MD5
656ae3844ea84f6d659538c8146e874e

SHA1
21b7ae4b7843a6c4ff6c49ad96027eccf600f8e1

SHA256
04cf44c8bd80071af0850cdefd65e25a66690c1585a51b0ae17a61fe76a1ca02

SHA512
6804fea7bf0b9349f291303f1cb2c92332de6f1ac89c86d285d46148f146d2d3228c664e7ce57a1d607fb87b4f6ae092141e02f79bb9d2a942561d46e3cc0244

Download Submit
\Windows\SysWOW64\Eddjhb32.exe

Filesize
80KB

MD5
b6d21ff6b5b8b7cf15060aa650ccdd37

SHA1
626de55d3adce2c613d6c551da87c8e7a2abd6a9

SHA256
4a549997cae4ee745d0be8feb15d85d9a4ce1d4fd2e85992c975cf17192272d9

SHA512
30211b52314da7114d7e889f707d0e6d652ea1738de244c4ee6522a368c6a028128d2d2b187caf4170bafd3d98d5bdf8d301efbe9e90a9c0f5aec625bcce43e2

Download Submit
\Windows\SysWOW64\Ejfllhao.exe

Filesize
80KB

MD5
a61f9f400f75c29f1835e87638c9719f

SHA1
d1ecbf4279fe0a09b592566d8f65ccb086de061c

SHA256
90819e41cd89527d3647fd3f28ee8e50e888e77a2a66dc9f72d36b9e317ea180

SHA512
0a24f87f746910246f2b93a4f67e8a7dd671359428b852d21eb5492c9ac9340f42197464d2454731e5bf2fa4fe70f8690e80f2a8f7aa04e4e00cad1f125ed7a4

Download Submit
memory/564-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/564-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/656-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/656-232-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/656-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/684-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/684-171-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1196-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1196-158-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1196-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-222-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1588-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-244-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/1716-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-94-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2148-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-41-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2156-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-40-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2248-186-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2248-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-117-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2568-77-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2568-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-68-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2604-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-11-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/2728-12-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/2772-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-131-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2864-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-27-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2964-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-108-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads