205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
Size

78KB
MD5

7225183b437279eea47469ba2d5656d4
SHA1

c5c265505ecde5e65ea6fb77ed6e4c7b0afbc884
SHA256

205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8
SHA512

dcc384dd083233643a0e84c55d4fc72421c21d2c092164d88a42ca08623edb36928b035597428a75185a4a19dab25a1d8a7b82b33aff642b8bf7ec723547b792
SSDEEP

1536:rkInVHtFOlMDcvJeiJR2xcLz1it6yf5oAnqDM+4yyF:w2HI0+YgitCuq4cyF

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe

Executes dropped EXE 21 IoCs

pid	Process
316	Bjpaop32.exe
1816	Bchfhfeh.exe
2772	Bqlfaj32.exe
2664	Boogmgkl.exe
2800	Bmbgfkje.exe
2608	Ccmpce32.exe
2636	Cenljmgq.exe
3048	Ckhdggom.exe
2864	Cnfqccna.exe
824	Cileqlmg.exe
560	Cpfmmf32.exe
1152	Cebeem32.exe
1620	Ckmnbg32.exe
2232	Cnkjnb32.exe
2324	Ceebklai.exe
1736	Clojhf32.exe
976	Cnmfdb32.exe
1708	Ccjoli32.exe
916	Cfhkhd32.exe
2204	Dnpciaef.exe
1648	Dpapaj32.exe

Loads dropped DLL 45 IoCs

pid	Process
604	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
604	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
316	Bjpaop32.exe
316	Bjpaop32.exe
1816	Bchfhfeh.exe
1816	Bchfhfeh.exe
2772	Bqlfaj32.exe
2772	Bqlfaj32.exe
2664	Boogmgkl.exe
2664	Boogmgkl.exe
2800	Bmbgfkje.exe
2800	Bmbgfkje.exe
2608	Ccmpce32.exe
2608	Ccmpce32.exe
2636	Cenljmgq.exe
2636	Cenljmgq.exe
3048	Ckhdggom.exe
3048	Ckhdggom.exe
2864	Cnfqccna.exe
2864	Cnfqccna.exe
824	Cileqlmg.exe
824	Cileqlmg.exe
560	Cpfmmf32.exe
560	Cpfmmf32.exe
1152	Cebeem32.exe
1152	Cebeem32.exe
1620	Ckmnbg32.exe
1620	Ckmnbg32.exe
2232	Cnkjnb32.exe
2232	Cnkjnb32.exe
2324	Ceebklai.exe
2324	Ceebklai.exe
1736	Clojhf32.exe
1736	Clojhf32.exe
976	Cnmfdb32.exe
976	Cnmfdb32.exe
1708	Ccjoli32.exe
1708	Ccjoli32.exe
916	Cfhkhd32.exe
916	Cfhkhd32.exe
2204	Dnpciaef.exe
2204	Dnpciaef.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Boogmgkl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2396	1648	WerFault.exe	51

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 316	604	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe	31
PID 604 wrote to memory of 316	604	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe	31
PID 604 wrote to memory of 316	604	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe	31
PID 604 wrote to memory of 316	604	205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe	31
PID 316 wrote to memory of 1816	316	Bjpaop32.exe	32
PID 316 wrote to memory of 1816	316	Bjpaop32.exe	32
PID 316 wrote to memory of 1816	316	Bjpaop32.exe	32
PID 316 wrote to memory of 1816	316	Bjpaop32.exe	32
PID 1816 wrote to memory of 2772	1816	Bchfhfeh.exe	33
PID 1816 wrote to memory of 2772	1816	Bchfhfeh.exe	33
PID 1816 wrote to memory of 2772	1816	Bchfhfeh.exe	33
PID 1816 wrote to memory of 2772	1816	Bchfhfeh.exe	33
PID 2772 wrote to memory of 2664	2772	Bqlfaj32.exe	34
PID 2772 wrote to memory of 2664	2772	Bqlfaj32.exe	34
PID 2772 wrote to memory of 2664	2772	Bqlfaj32.exe	34
PID 2772 wrote to memory of 2664	2772	Bqlfaj32.exe	34
PID 2664 wrote to memory of 2800	2664	Boogmgkl.exe	35
PID 2664 wrote to memory of 2800	2664	Boogmgkl.exe	35
PID 2664 wrote to memory of 2800	2664	Boogmgkl.exe	35
PID 2664 wrote to memory of 2800	2664	Boogmgkl.exe	35
PID 2800 wrote to memory of 2608	2800	Bmbgfkje.exe	36
PID 2800 wrote to memory of 2608	2800	Bmbgfkje.exe	36
PID 2800 wrote to memory of 2608	2800	Bmbgfkje.exe	36
PID 2800 wrote to memory of 2608	2800	Bmbgfkje.exe	36
PID 2608 wrote to memory of 2636	2608	Ccmpce32.exe	37
PID 2608 wrote to memory of 2636	2608	Ccmpce32.exe	37
PID 2608 wrote to memory of 2636	2608	Ccmpce32.exe	37
PID 2608 wrote to memory of 2636	2608	Ccmpce32.exe	37
PID 2636 wrote to memory of 3048	2636	Cenljmgq.exe	38
PID 2636 wrote to memory of 3048	2636	Cenljmgq.exe	38
PID 2636 wrote to memory of 3048	2636	Cenljmgq.exe	38
PID 2636 wrote to memory of 3048	2636	Cenljmgq.exe	38
PID 3048 wrote to memory of 2864	3048	Ckhdggom.exe	39
PID 3048 wrote to memory of 2864	3048	Ckhdggom.exe	39
PID 3048 wrote to memory of 2864	3048	Ckhdggom.exe	39
PID 3048 wrote to memory of 2864	3048	Ckhdggom.exe	39
PID 2864 wrote to memory of 824	2864	Cnfqccna.exe	40
PID 2864 wrote to memory of 824	2864	Cnfqccna.exe	40
PID 2864 wrote to memory of 824	2864	Cnfqccna.exe	40
PID 2864 wrote to memory of 824	2864	Cnfqccna.exe	40
PID 824 wrote to memory of 560	824	Cileqlmg.exe	41
PID 824 wrote to memory of 560	824	Cileqlmg.exe	41
PID 824 wrote to memory of 560	824	Cileqlmg.exe	41
PID 824 wrote to memory of 560	824	Cileqlmg.exe	41
PID 560 wrote to memory of 1152	560	Cpfmmf32.exe	42
PID 560 wrote to memory of 1152	560	Cpfmmf32.exe	42
PID 560 wrote to memory of 1152	560	Cpfmmf32.exe	42
PID 560 wrote to memory of 1152	560	Cpfmmf32.exe	42
PID 1152 wrote to memory of 1620	1152	Cebeem32.exe	43
PID 1152 wrote to memory of 1620	1152	Cebeem32.exe	43
PID 1152 wrote to memory of 1620	1152	Cebeem32.exe	43
PID 1152 wrote to memory of 1620	1152	Cebeem32.exe	43
PID 1620 wrote to memory of 2232	1620	Ckmnbg32.exe	44
PID 1620 wrote to memory of 2232	1620	Ckmnbg32.exe	44
PID 1620 wrote to memory of 2232	1620	Ckmnbg32.exe	44
PID 1620 wrote to memory of 2232	1620	Ckmnbg32.exe	44
PID 2232 wrote to memory of 2324	2232	Cnkjnb32.exe	45
PID 2232 wrote to memory of 2324	2232	Cnkjnb32.exe	45
PID 2232 wrote to memory of 2324	2232	Cnkjnb32.exe	45
PID 2232 wrote to memory of 2324	2232	Cnkjnb32.exe	45
PID 2324 wrote to memory of 1736	2324	Ceebklai.exe	46
PID 2324 wrote to memory of 1736	2324	Ceebklai.exe	46
PID 2324 wrote to memory of 1736	2324	Ceebklai.exe	46
PID 2324 wrote to memory of 1736	2324	Ceebklai.exe	46

C:\Users\Admin\AppData\Local\Temp\205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe
"C:\Users\Admin\AppData\Local\Temp\205061f60d8f2cdb06858681e8d0d18ed0becdd0cae6d047c87faad4622ac9e8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:604
- C:\Windows\SysWOW64\Bjpaop32.exe
  C:\Windows\system32\Bjpaop32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\Bchfhfeh.exe
    C:\Windows\system32\Bchfhfeh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\SysWOW64\Bqlfaj32.exe
      C:\Windows\system32\Bqlfaj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 144
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
78KB

MD5
000b5afa84e5dfe5f4a476517a4850e9

SHA1
2097e489907e4c1c501fc5e450d1520e3cd93882

SHA256
923394df631709770d47a862c23046e9cbd8c0f47452fe6693e77df9b012a491

SHA512
83d3aa51d2d88bcb7e70368287d0206199fc0c1225847f481edf934b32d3c7850c51381b6a24d5c4b45aeb705ee3645fef6302759f6a2d46db054a9187f35345

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
78KB

MD5
1df036cd39973ab63a3133a3bf2132dd

SHA1
04a8f9643104636360cd8829a4ca21197f7b0675

SHA256
5167f128dc87701fed6b99d8f26408330e96639900c2e6a4f20fafdd51658b50

SHA512
eb10090390d70b9fbf3a766fb3820cec8a2e04b30bdd7843eeb62be6ac801394aeddf08056571bb29300492779adef2189a1b2b0a492c44afb0883666fe086f0

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
78KB

MD5
0ef56a7358f0d673cb44990a83950f3e

SHA1
cfe4c7ebe0917ccbaf24749c37aa4a6af1cf1bd3

SHA256
d65178b1f59e2d0a99d67087968dfdcf68720ea3faa621ff36c72ac4b4bb3492

SHA512
125b4972ba5994ec2aac955a35af851ddbffbaf52e1d78ab37ef1cce0841a0ce23e55f89a1798c1a730825e798579f936a7b52796c423a6aa460e51b0de44f9f

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
78KB

MD5
6fc5275e71a5828fc37727360ceae961

SHA1
96b3b85f786c8143371417aa30e5436751134e94

SHA256
642c0be7c0439c2f08b9e430ced07b6c81a2a59922876c5c30277dff709350a0

SHA512
4237e7ef7fde86014f59eb035f71b4dcd2421778b55f562091992f547e20a90501addeb1e22a24e4fa026686a824d2a8db3ddad77549ea8e094011a0272c0156

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
78KB

MD5
7e2bfb93cb86450be76dab462017f97c

SHA1
83587351cd9866f6c9e1c5ec6b8daebb95bd625c

SHA256
20d14b6880a865dc77cac591c4e5a3bcba48fe0e392a84f2f66be3671e742c66

SHA512
af9ee55568a011d94fc83aac21ca6796cdfe8398f00d9b9ecca187d56b1f8cd784d5acc20dc5593341a04f4a3a3699eba3fe1bcf0797a66f0d4843720d55711a

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
78KB

MD5
91c92024b79b29cb0958cca003c0f441

SHA1
45b0108fa811ec82eb16a413278bfb8bfe4cf087

SHA256
3c218f1003ebedbc4525d3bf01045aa6aa5c058245a80ea2e212c2f605baa5a1

SHA512
a1916f708417542c566f20c961a7188793c370c6126b2788bd2a2a3eff0d67163ded98659b9467bab9cfd2b04f76c4b8913443efd1c17e52997d9783fab19827

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
78KB

MD5
f8e77a4136fb8c8d2c1d1fc2d03e29f8

SHA1
88d35af2a1a716a7fe992b5a6c91607fffa763fd

SHA256
92c75a5ca1f7aef721b65bb81c85dd022e0b92cc14285f767508e71c8933b649

SHA512
bbb73e703aee46baa623086fc42edbefcfe302204e5a14ffcb22fbe5af27fe0b658f4ad62aee4ea7de45daf18474f95439014063e55c79d4ef87bc8732f44b81

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
78KB

MD5
5fe60aa4f2ac5b2f0baf13f0c94d4e85

SHA1
cba58ed470ce5f8b09c9112b295802181db801c2

SHA256
2c67e0e7a3e4623841cf1dc9924026ad26fe1a26f71e21fa789a90339a00b038

SHA512
855c55fde18ce527d92c7c5da7dcddeb834f785a9f36828830c28b0090676958b5f09584a077535c1144e5cc3f038b7916654fb8dea0d04a8d8357943a5033a0

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
78KB

MD5
82b73c333f2031867ead88b269e9fb80

SHA1
2bce3e39ef227ed442c37e73dc9fd342c36e7d61

SHA256
7398c38da26a4ef13a4c23d415eb5601097eb70cfa1d5b17a11af5467a281686

SHA512
1487f38f8f409195e09ed68de8c93c04ab1d0438c2ce020756ba900cbdb09f83e4db2c275894dfac30b215184ff4b292725c4be65e2bd1656e9b127fc95dde9d

Download Submit
\Windows\SysWOW64\Bjpaop32.exe

Filesize
78KB

MD5
ad464a25fefe52dd8f85c2879d9a21a8

SHA1
268d94f37a78006c67de6fbce4a02c16866deb46

SHA256
8c29a2b1184e757f1bb7b6ddd187705cf7eb4655c7f74466fe0793a3ef2c4509

SHA512
379a255be131c24fd34bfd8c1a74d6653b5c436c815f552c5d5ae75d0b55c4b69de4fe2e99e3dcda74ea62d2e2ebfadd3c2fe20237118b6ba750548fa631346f

Download Submit
\Windows\SysWOW64\Bmbgfkje.exe

Filesize
78KB

MD5
52e9c9be34f3a63be68059bfe1c10973

SHA1
c907187bc46d03e8d0ab25083ca01e4e4b34db62

SHA256
90d776bb9fd8c55aa6060baacb6835548ecfcb194c76e7ef6cfe02ba9ed7cbf9

SHA512
9c3639d50f9516b9e412b77b9b29e705eb2646073a0c90033c8115c38a6bc3b5306e676195ecb532be18cbc30085271e84f1a876f4cda08c66a84aa134bab6f7

Download Submit
\Windows\SysWOW64\Bqlfaj32.exe

Filesize
78KB

MD5
3d2eadbcb41bd825b9b48e9d5c016627

SHA1
20632cda458df967450ebe0a60846bf1204a2927

SHA256
4deb0c235f49646ef855782edddaf7647393b33d2b8e8b4b24d7066a8820df13

SHA512
9829462dfda383fb3c87ebffee9b21b0e0c2e966da31439d488a7a11d40fe069292e9ad3f74038c1bf8d768f66d45415ddb6984c693633c62b04a5da016df425

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
78KB

MD5
327a9ac5626973f79177257e368d5c33

SHA1
d6ef91967146c1839faee5d81d3c3d050c90b8ef

SHA256
ffffb589fb89070db62ee542a4692d3b8073c5211428b568aebc51de51d10e25

SHA512
299fbb0d16f9ffb333caa1ab85f79fdef8fe1af3ef71d669e3926ad56d2a40e95517706d105451d84dab7b8f49c8346350a0fbdb7a5233ec57f5c177dbb3b4a1

Download Submit
\Windows\SysWOW64\Cebeem32.exe

Filesize
78KB

MD5
62d5152210ac6ac78438b42ee5eb4ac9

SHA1
dfa22d870c67a0f074302b315fb10afa4e28f1ca

SHA256
d4ad57d6bea9b04bcb7000cf6b5416b74ad7819d82bafa83f949092e4bf96daf

SHA512
4376dc999a1baa254015fe6dadbfa74842e59321bba870179dd652474afca19cdea23f00593ac20356a42905f3daf59eb6e6013a98a86aad8d228d856b908cc3

Download Submit
\Windows\SysWOW64\Ceebklai.exe

Filesize
78KB

MD5
3e8aa6731970f55bc79942123fbda15c

SHA1
d2f03211ecad4a8a527c213e9d5949b45dab6bad

SHA256
3190040296bc09eb2887b7d73d5e96adbc278e038a4f5f6af9f69b15e8ceb561

SHA512
8d89aac2b8d9a41716173b78bdbbfc02a7ae41f91bbd8df929a36a75e8482c16e4d8ac65b1629b64ba4ff4d20c976654c92d9ce134fd756be86af362a21b87a2

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
78KB

MD5
a99c4af612f1cea8fbc30f870ec67b7c

SHA1
5e6d20533f011934b185113b747703428f9edd0e

SHA256
359dccf93a40926c29f8398435df9b79ec796b2ea07b081b7ed26e4c0e7fd2a6

SHA512
fae217cfdf3c47e0e1d10e6845a63e370e4644e9efe6590a56cb027f4ccc48d92bed2b75a466a9f76f4ab06f6815c70ccf1097f0b80770542272605d9c3b9624

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
78KB

MD5
be6a9af26e6028c5ccf98dc1ff3fddc0

SHA1
9601739cb5a468a00943fb771351836a8ebd2712

SHA256
381d2e469edf73f38bf3e3f52737dbfbf4b7c09fd6cccc9be3cd188a581286cb

SHA512
3ad6cb5131a99145b9017fdda8ecb22b946368efa30564b0052e6121049d9f5a3a25e4316474b51f7947504b665e985b7722bfa0f6dfa6bdf130550ba7d139f7

Download Submit
\Windows\SysWOW64\Clojhf32.exe

Filesize
78KB

MD5
127201320abc154691bd05c67ae709ec

SHA1
cefda5545187a7dc5f8d24439befa8beb3ad635d

SHA256
c008f1ff442df96bf1f23ecc554a0de24c1ab3be89e0e036ffbb2dd108d74c97

SHA512
b2a65e7f73e4152cad064be99466cec036303ecf5973dfe699026ad5b53dc89849dc4524524ac82fe4d0bd96787489f3fd5b51f182041eeb80f6a09b7a27e751

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
78KB

MD5
822512648f898491154fa188a5488568

SHA1
6e53a153a10210edc3bc7135c1866e3018d7330b

SHA256
1cc98b571bd9e056bd21e2b230a8c4ba9e921df6aefcca3b8f2e33d04076d752

SHA512
527833c7017ca0e42723002b3b36b69b6406aed2b53422920103872f1e36b5dd9973fce1341be654f192a3e2dd6698bd9b44453a1c49f6709e5be600a8c556c1

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
78KB

MD5
8041bd3bccf08bf2df215adf6460a4ce

SHA1
1bfcbde2d071381154be71fe92bbfda635b26513

SHA256
5096406876175757087549b6fddf5dec21e0fe42f44fdd6e194eb4b33665001d

SHA512
7eb52f1047592d2721935f542b6fdaaa056b12ead2e10960ae897bd6fafdf110850f761a8666497d6a6f4f2f1271e6fea2280c69ba1b615e4486716c34145834

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
78KB

MD5
02d0dc779c5578e9e2f3f6a4d5fdefd1

SHA1
436abdc23dfb650a84368d0f2f2b5a16986f39dd

SHA256
b5bf33a2dba3b6dd35ed727ef7ac0448376e91ebec7e95320abde5e042e1ad6d

SHA512
1bdc3069caab5c6878401c0edd84950e7cf0bc2083d9de0792ebe338b5410f30d462c7ea6028129739aeeb4454e709cff4906971e942776e65ebdfbfd2f8132b

Download Submit
memory/316-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/316-26-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/560-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/560-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/604-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/604-7-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/604-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-141-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/824-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/916-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/916-254-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/916-255-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/976-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/976-232-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/976-226-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1152-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1152-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1648-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-241-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1708-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-245-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1736-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1736-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1736-222-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1816-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-272-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1816-273-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2204-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-262-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2204-266-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2232-199-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2232-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-194-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2232-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2324-213-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2324-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2324-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-86-0x0000000001F60000-0x0000000001FA1000-memory.dmp

Filesize
260KB

Download
memory/2636-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-106-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/2664-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-61-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2664-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2800-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2864-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-114-0x0000000000360000-0x00000000003A1000-memory.dmp

Filesize
260KB

Download
memory/3048-119-0x0000000000360000-0x00000000003A1000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads