8869157e3e150accc05108e0dffc4fcaa7222c0af5c6ffcf648a5cc3b1c3001e

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27eb879b00515283540a9c662ab3a930N.exe
Size

80KB
MD5

27eb879b00515283540a9c662ab3a930
SHA1

f828191bc68fde9aa6caecb65eda1751a53e0bc6
SHA256

8869157e3e150accc05108e0dffc4fcaa7222c0af5c6ffcf648a5cc3b1c3001e
SHA512

d86dd6f09c380084ae25cabb0144541628c5cdceddf81ac0664895f5bf0725ea0b81a218c3495de59a62e3e0bdee094a2b84c361ec57c0afda18be4b8373c366
SSDEEP

1536:qpv6WNplpxpos92SvlyqmRAkDSptT7GuPoEz0rdRQAaxKRJJ5R2xOSC4BG:WxNjpxpobS9Fm0ptPGuPoEAdeOrJ5wxW

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	27eb879b00515283540a9c662ab3a930N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	27eb879b00515283540a9c662ab3a930N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagienkb.exe

Executes dropped EXE 20 IoCs

pid	Process
2160	Bkjdndjo.exe
2792	Bjmeiq32.exe
2688	Bfdenafn.exe
1200	Boljgg32.exe
2584	Bgcbhd32.exe
2616	Bmpkqklh.exe
3064	Bbmcibjp.exe
2000	Bjdkjpkb.exe
2752	Bkegah32.exe
2888	Cmedlk32.exe
2988	Cnfqccna.exe
1892	Cepipm32.exe
2244	Ckjamgmk.exe
2548	Cagienkb.exe
2224	Cjonncab.exe
1784	Cnkjnb32.exe
1632	Cchbgi32.exe
1452	Calcpm32.exe
2468	Ccjoli32.exe
1856	Dpapaj32.exe

Loads dropped DLL 40 IoCs

pid	Process
2112	27eb879b00515283540a9c662ab3a930N.exe
2112	27eb879b00515283540a9c662ab3a930N.exe
2160	Bkjdndjo.exe
2160	Bkjdndjo.exe
2792	Bjmeiq32.exe
2792	Bjmeiq32.exe
2688	Bfdenafn.exe
2688	Bfdenafn.exe
1200	Boljgg32.exe
1200	Boljgg32.exe
2584	Bgcbhd32.exe
2584	Bgcbhd32.exe
2616	Bmpkqklh.exe
2616	Bmpkqklh.exe
3064	Bbmcibjp.exe
3064	Bbmcibjp.exe
2000	Bjdkjpkb.exe
2000	Bjdkjpkb.exe
2752	Bkegah32.exe
2752	Bkegah32.exe
2888	Cmedlk32.exe
2888	Cmedlk32.exe
2988	Cnfqccna.exe
2988	Cnfqccna.exe
1892	Cepipm32.exe
1892	Cepipm32.exe
2244	Ckjamgmk.exe
2244	Ckjamgmk.exe
2548	Cagienkb.exe
2548	Cagienkb.exe
2224	Cjonncab.exe
2224	Cjonncab.exe
1784	Cnkjnb32.exe
1784	Cnkjnb32.exe
1632	Cchbgi32.exe
1632	Cchbgi32.exe
1452	Calcpm32.exe
1452	Calcpm32.exe
2468	Ccjoli32.exe
2468	Ccjoli32.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	27eb879b00515283540a9c662ab3a930N.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	27eb879b00515283540a9c662ab3a930N.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	27eb879b00515283540a9c662ab3a930N.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cnfqccna.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Eanenbmi.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27eb879b00515283540a9c662ab3a930N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	27eb879b00515283540a9c662ab3a930N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	27eb879b00515283540a9c662ab3a930N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	27eb879b00515283540a9c662ab3a930N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Eanenbmi.¾ll"	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	27eb879b00515283540a9c662ab3a930N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	27eb879b00515283540a9c662ab3a930N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	27eb879b00515283540a9c662ab3a930N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®"	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2160	2112	27eb879b00515283540a9c662ab3a930N.exe	31
PID 2112 wrote to memory of 2160	2112	27eb879b00515283540a9c662ab3a930N.exe	31
PID 2112 wrote to memory of 2160	2112	27eb879b00515283540a9c662ab3a930N.exe	31
PID 2112 wrote to memory of 2160	2112	27eb879b00515283540a9c662ab3a930N.exe	31
PID 2160 wrote to memory of 2792	2160	Bkjdndjo.exe	32
PID 2160 wrote to memory of 2792	2160	Bkjdndjo.exe	32
PID 2160 wrote to memory of 2792	2160	Bkjdndjo.exe	32
PID 2160 wrote to memory of 2792	2160	Bkjdndjo.exe	32
PID 2792 wrote to memory of 2688	2792	Bjmeiq32.exe	33
PID 2792 wrote to memory of 2688	2792	Bjmeiq32.exe	33
PID 2792 wrote to memory of 2688	2792	Bjmeiq32.exe	33
PID 2792 wrote to memory of 2688	2792	Bjmeiq32.exe	33
PID 2688 wrote to memory of 1200	2688	Bfdenafn.exe	34
PID 2688 wrote to memory of 1200	2688	Bfdenafn.exe	34
PID 2688 wrote to memory of 1200	2688	Bfdenafn.exe	34
PID 2688 wrote to memory of 1200	2688	Bfdenafn.exe	34
PID 1200 wrote to memory of 2584	1200	Boljgg32.exe	35
PID 1200 wrote to memory of 2584	1200	Boljgg32.exe	35
PID 1200 wrote to memory of 2584	1200	Boljgg32.exe	35
PID 1200 wrote to memory of 2584	1200	Boljgg32.exe	35
PID 2584 wrote to memory of 2616	2584	Bgcbhd32.exe	36
PID 2584 wrote to memory of 2616	2584	Bgcbhd32.exe	36
PID 2584 wrote to memory of 2616	2584	Bgcbhd32.exe	36
PID 2584 wrote to memory of 2616	2584	Bgcbhd32.exe	36
PID 2616 wrote to memory of 3064	2616	Bmpkqklh.exe	37
PID 2616 wrote to memory of 3064	2616	Bmpkqklh.exe	37
PID 2616 wrote to memory of 3064	2616	Bmpkqklh.exe	37
PID 2616 wrote to memory of 3064	2616	Bmpkqklh.exe	37
PID 3064 wrote to memory of 2000	3064	Bbmcibjp.exe	38
PID 3064 wrote to memory of 2000	3064	Bbmcibjp.exe	38
PID 3064 wrote to memory of 2000	3064	Bbmcibjp.exe	38
PID 3064 wrote to memory of 2000	3064	Bbmcibjp.exe	38
PID 2000 wrote to memory of 2752	2000	Bjdkjpkb.exe	39
PID 2000 wrote to memory of 2752	2000	Bjdkjpkb.exe	39
PID 2000 wrote to memory of 2752	2000	Bjdkjpkb.exe	39
PID 2000 wrote to memory of 2752	2000	Bjdkjpkb.exe	39
PID 2752 wrote to memory of 2888	2752	Bkegah32.exe	40
PID 2752 wrote to memory of 2888	2752	Bkegah32.exe	40
PID 2752 wrote to memory of 2888	2752	Bkegah32.exe	40
PID 2752 wrote to memory of 2888	2752	Bkegah32.exe	40
PID 2888 wrote to memory of 2988	2888	Cmedlk32.exe	41
PID 2888 wrote to memory of 2988	2888	Cmedlk32.exe	41
PID 2888 wrote to memory of 2988	2888	Cmedlk32.exe	41
PID 2888 wrote to memory of 2988	2888	Cmedlk32.exe	41
PID 2988 wrote to memory of 1892	2988	Cnfqccna.exe	42
PID 2988 wrote to memory of 1892	2988	Cnfqccna.exe	42
PID 2988 wrote to memory of 1892	2988	Cnfqccna.exe	42
PID 2988 wrote to memory of 1892	2988	Cnfqccna.exe	42
PID 1892 wrote to memory of 2244	1892	Cepipm32.exe	43
PID 1892 wrote to memory of 2244	1892	Cepipm32.exe	43
PID 1892 wrote to memory of 2244	1892	Cepipm32.exe	43
PID 1892 wrote to memory of 2244	1892	Cepipm32.exe	43
PID 2244 wrote to memory of 2548	2244	Ckjamgmk.exe	44
PID 2244 wrote to memory of 2548	2244	Ckjamgmk.exe	44
PID 2244 wrote to memory of 2548	2244	Ckjamgmk.exe	44
PID 2244 wrote to memory of 2548	2244	Ckjamgmk.exe	44
PID 2548 wrote to memory of 2224	2548	Cagienkb.exe	45
PID 2548 wrote to memory of 2224	2548	Cagienkb.exe	45
PID 2548 wrote to memory of 2224	2548	Cagienkb.exe	45
PID 2548 wrote to memory of 2224	2548	Cagienkb.exe	45
PID 2224 wrote to memory of 1784	2224	Cjonncab.exe	46
PID 2224 wrote to memory of 1784	2224	Cjonncab.exe	46
PID 2224 wrote to memory of 1784	2224	Cjonncab.exe	46
PID 2224 wrote to memory of 1784	2224	Cjonncab.exe	46

C:\Users\Admin\AppData\Local\Temp\27eb879b00515283540a9c662ab3a930N.exe
"C:\Users\Admin\AppData\Local\Temp\27eb879b00515283540a9c662ab3a930N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\Bkjdndjo.exe
  C:\Windows\system32\Bkjdndjo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\Bjmeiq32.exe
    C:\Windows\system32\Bjmeiq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Bfdenafn.exe
      C:\Windows\system32\Bfdenafn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bkegah32.exe

Filesize
80KB

MD5
74757c8a53a78dc5a5d0d621eb03ebdb

SHA1
2a92883871650e1629ccace3c43cfaff9e77cf46

SHA256
8f698b72cdac98e234cff70e5a6852ddd4bbc1942c8ef6fd4c3d663aba688218

SHA512
4017a08222f8867a284e70d67909084dba3ac7477ec80e7c982235e7275d133d5273a0a5563af7d4d3db0562461bab7cdb8c6d11f764d09ca3597b8941a3b51a

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
80KB

MD5
fed36b2a83eedbdac28e31ff81b33dbd

SHA1
03b02b45c2cb15cd3c81fe79b34be8e106d6fd28

SHA256
648ca13f2dba63098a0b13cf157ab4395a7a7d9754fb55d232e121efb5908665

SHA512
65a603464c7ee841d11210a06b52febadb55a8273e81357c5649c8d754f90c773bd5a3c8dea58702e8cdf29bc27720f8d45faac40470eff5f41f79a508743624

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
80KB

MD5
c32eadb34d4d81a3c294f272e1361ecb

SHA1
38c64a63cdc89cfec42db4494464fe32993d4354

SHA256
3be351606fc8e39dbe4a8fbb1446c2fed37f871703f7e968090921f77c95d671

SHA512
d7233e19de5d6639fd519a8bb819438c3a14f19ea20f73d185927152f9fd5798532adef00068cfc63375effdfe8ada506c64ce57fc9c85efc42e8ee0e1e520c6

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
80KB

MD5
d79170920ab076c19ee5041c03083376

SHA1
311cdc80edd884ef86b8fba127869a3df9cea1b6

SHA256
624841c9953845c3805ca62a8c70c5fafc7f49405490b02dbc870a7db833e60e

SHA512
d7de3deaa657226e45ad56cba3cb556f7c3c7d08e02906ed8d419b50cce0b53204ac282823ec27977ee52a0b57d5e87c332258f9a9a207b433fd4139ed1afc33

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
80KB

MD5
d34ed5f9310c58f9ad72778f3bd8e0f1

SHA1
873975ebbf63afdd83bd172ebb7e48ccb67d35a0

SHA256
2eb2ac80b3d9e66c63629c301ec6ea099b7112dcf6e0724a150b87ab91b52bd6

SHA512
fedac8f4918c7d7d010084507bcd98b56e4732ee9ad60f18b0541aef98e659cf4956ca08eda52894b6d7d41879f8f4c3d1103180b2e612d3484c56f7c6bcf9f6

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
80KB

MD5
5804aafa322c15336c257ea2338b81e8

SHA1
32a65a30bcf3101ac63043407dcf080cfbb57b21

SHA256
89c2d06242b0f79b07f0af793b106bccc844c9b7eec88370892f504ef6c2d0d2

SHA512
0d5b214f8adbb4165b27986b416b05294884ef72b104c5817e4dd9e243a49e24a32aafb90db740b4e3e3a78c39c8b9ce155c21e43d52b9dbe282ac20d86b7c57

Download Submit
C:\Windows\SysWOW64\Dfefmpeo.dll

Filesize
7KB

MD5
8df2ce63e2f53ef0946ea88c866a1c17

SHA1
040b42621be64f64b23b2ac72fbe3627a31d3bbc

SHA256
8e7ecb6dfabc2d2b5cce0885381f5896ec7feee444fc3e482a32208c92f3e5c4

SHA512
068bbe7c9aad5148836244ae5380c7e64c7880e72c63c718020a3828c6d88ef6382a1eae4b3f4293652eea6ceef9705bb81849287ebab40048cdbf060baac86e

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
80KB

MD5
da777ee871b5bb58cdaa30eace364dd1

SHA1
d719dbf342e9de3c021e98fb5c8556401c82ae77

SHA256
2591f7b210a927ac89c8d990836c7c406bc0bef8fc3473efbdc9cea9c40d00f5

SHA512
0fe44e8d599ac2b8a50642b79f477ff8d4e42fb9073a7efb04ed2fcc5179e7497957177562920a5382f761e48021f8286740494e8c4adc20f5f18eefe320b749

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
80KB

MD5
058cab1039924d5f5ddcf6b95a4ac7d1

SHA1
66b63f3275b0c078c752de6edbdd050c902144cc

SHA256
9df2b335344a01183d45456f02cce4199f5b171e35b181c133a300970eaa5911

SHA512
eba21152a2f54a6aca9780f422f7b9b3730ae4eff88466c5c702474abd200e48f355d4f4fd73ef466931c2490d2023c68949675d3e674d7d282029a095804ef7

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
80KB

MD5
da63b12c91424ceaf0b8406349528253

SHA1
1d8949099352954bd0e2937e1293179a49db120e

SHA256
f14bb51fb364fa3e419705d6d84f3a023ff7cefe33fe03c017d89993d5a6a051

SHA512
05a0294d56b71c80252ae5ddeb6d44a431d2c7542e34dc044876447040919194ace0c0d846a74f85e1432431f3d5bc35c9c4a124d1f90176e83f6988cbd815f6

Download Submit
\Windows\SysWOW64\Bgcbhd32.exe

Filesize
80KB

MD5
cd6388649d7f27d0d677a265f92539bf

SHA1
88d31eaa8e025e60f34bb76b7e0f9275c3477356

SHA256
64acfba0fae3471f3fd90880cb98f381e93149a650b9a6b1ec67aeb0144970a1

SHA512
0b3f6e2a8c8c7a1f57e9deb0917fd2312f0994257d13b6717fd1ed15a0e8d4d4bde944e059cc4c2309da6b55e3af1a1b31b1aa6f05539844741385e184309197

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
80KB

MD5
88e1d15b75bec73dec76232a511d3248

SHA1
62f28dbba186678a21ad5bbc2e3323e2370f786a

SHA256
38929bd38887e9573803d2558677eeadc20ec6b2185e0d924b705aa10ff6dd5e

SHA512
63faf881aa942fb44f7851fb72d8074444d15e037573de2124f5bc4929522a7f4e380d40ec8c3120af576a7485e38af2ce845e14ef3dd84cc0acf107026d6017

Download Submit
\Windows\SysWOW64\Bjmeiq32.exe

Filesize
80KB

MD5
e21404a107d161147bed53fd316986d0

SHA1
8e3a21b10cc04e3bc34973c10b2842094a28a34f

SHA256
7e8173ba5392a48e5cdf240831742536e80d439d7b4044aafbb6c1deb6e55c46

SHA512
38993a02e704dc81d47385ffa4844beb56b52baf685e02d3e62c9c0dac9b7ec0dabb9e70f558a48669aa41d9b6ab57fb1ed36bbb745daaeb5fcb79956ab6d2a2

Download Submit
\Windows\SysWOW64\Bmpkqklh.exe

Filesize
80KB

MD5
5f15ae7ce9adda3d8bbf9a44bae32eeb

SHA1
c85d91311a55faa52f1b7cd88b75507f9af667f5

SHA256
3c897bd7be21fba8475a0fba38279bf06e827732c8206e9b40881f1bc9e3f744

SHA512
7f7b3b897c35d28425c2ffb3b07edf1bda2b7ccf08efb857e5c59373a1bd188cb31662302371dc337808a54dac2548b60772cd91b6a0073afe3cdfb3083f2ce5

Download Submit
\Windows\SysWOW64\Boljgg32.exe

Filesize
80KB

MD5
ef5e3e6021c7af6ab297a52b58b33513

SHA1
c047dca52a563b8dc10023fe853e1b15f685e7d7

SHA256
d09f4d1c613a2e665458e1eb0f1efc474fd4ead388e20b86362bbe98bbc6c16f

SHA512
c1de9ac691acfc77abb951555ca88fb5000a99dde8c6bdfffc98c15467f4b66f2bc1095232651ca689058bc0de10e5faa4263957bb7b45259504842028b1f86b

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
80KB

MD5
bbe79fa8e92590bb65fb24118b806bbb

SHA1
701574f78f934adc548e361237c678d77666f787

SHA256
9e79c6dae7a51a1f32179660295e85e5df99052f5b405f09f39400803ac322ab

SHA512
75a08b4e21d5d91ae836715b43b04f97bb7fc0f9879295c3d079b085a573e56e9c32430bc02424a2eecd3ca7055cb8232430048cee28f831bf15d31203b8a598

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
80KB

MD5
c604680717205dbffe6641b3102b0a80

SHA1
6bdf4e23bf43f309887bc33135a1346a54e6f0c7

SHA256
5336d0ed0c14d4a700fa3c5062ac5760af3c8bff134332f76e2db20f0867f233

SHA512
6e2c23f6cae8a5991385025eb997583a5890890c59f07b060f3c6934fbf0ea37a96fe8fc53fb2013da32ae9f8bd30d0438dd91465a0a8e79f793886bb2c8413f

Download Submit
\Windows\SysWOW64\Ckjamgmk.exe

Filesize
80KB

MD5
d0a9a3f299ef78b1ee5721081d14c363

SHA1
6bc34d7cefd8ec7cf72c680960043f6ce15600f0

SHA256
bbe26e55ccf4a4d7b1c26f995400b1c22a4f0b96bc03ba498ab7033c8e285aeb

SHA512
4d6cdaea247461a75ad74ad008e03ff18a58c96fcaa8591ffac7e5d72b51b387adacbad0abf0ee559d901bc47a5b7ba294f2a8500fbea9baeea0be2d381e7fc1

Download Submit
\Windows\SysWOW64\Cmedlk32.exe

Filesize
80KB

MD5
f9d8d91a072c1b07780eb2550d0ae541

SHA1
ecb3e12f270eb1eb7b1bce080b6de56a72e38b18

SHA256
4b9e438e1444ef3ea0afa41bb10e0066a700f76c9d10b20f318f102d4a591eed

SHA512
f450fdaf13d7f75391759588877b537764dc93d5e4deba91254945207ea29d6d2134737d669aa3f1734c356941ecdc3e59a6528f6205c8e3996702527bfdfbba

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
80KB

MD5
ec85cc46840b5a83e98b4416aa7c8e05

SHA1
4c49df9c460cb440f1372d0789e1c3df359705d9

SHA256
ae67e503acfb41bdb1d702631ff7e721a2e9010d4b4e34b9f46afa3860c9e7ff

SHA512
ac0c4e3ea817b63adc14e2f90451c5b9adc18fa04afb934b54dcd76a7bf93f9752357cef4e46bc08711784b518cfbeadd113eb104ad7928a039bf48e3c6d5857

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
80KB

MD5
1dd7156e924895f607e2f99cbc200552

SHA1
ca19a220e140c46b86cb0a4862766618d02804e3

SHA256
41287d49ca3d38570ba335edcaabec498ed88421e0b1ddb97cf887a97b0b05ba

SHA512
ec19b0232c015e5a8f4169b073975b712315f8540ba1af84d5e55b76b10044dbe73f3f497a26008fcb77d37d47cbb8a46e76e268fbeff89885b3b2c6e49ee814

Download Submit
memory/1200-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1200-114-0x0000000000350000-0x0000000000389000-memory.dmp

Filesize
228KB

Download
memory/1200-108-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1200-116-0x0000000000350000-0x0000000000389000-memory.dmp

Filesize
228KB

Download
memory/1452-270-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1452-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-249-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-261-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1632-256-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1632-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1784-237-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1784-286-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1784-285-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1784-248-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1856-290-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1856-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1892-189-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/1892-247-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/1892-235-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-175-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-117-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2112-18-0x00000000002F0000-0x0000000000329000-memory.dmp

Filesize
228KB

Download
memory/2112-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2112-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2112-12-0x00000000002F0000-0x0000000000329000-memory.dmp

Filesize
228KB

Download
memory/2160-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2160-22-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/2224-222-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-279-0x0000000000350000-0x0000000000389000-memory.dmp

Filesize
228KB

Download
memory/2224-230-0x0000000000350000-0x0000000000389000-memory.dmp

Filesize
228KB

Download
memory/2244-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2244-200-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2244-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2244-207-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2244-260-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2468-291-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2468-281-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2468-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2548-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2548-268-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2584-83-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2584-84-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2584-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2584-132-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2584-130-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2616-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2616-145-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2688-50-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2688-86-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2752-140-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2752-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2752-177-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2792-82-0x00000000002B0000-0x00000000002E9000-memory.dmp

Filesize
228KB

Download
memory/2792-42-0x00000000002B0000-0x00000000002E9000-memory.dmp

Filesize
228KB

Download
memory/2792-36-0x00000000002B0000-0x00000000002E9000-memory.dmp

Filesize
228KB

Download
memory/2792-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-206-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2888-198-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-205-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2888-158-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2988-221-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2988-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2988-170-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/3064-100-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3064-109-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/3064-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3064-168-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads