f02e9928eeb4a726b9e09c745db377fd8c43ed1beb6dcb5c36dc9be615ff8505

Analysis

max time kernel
31s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a27d2269fd9e92b3ee5aac2106b2010N.exe
Size

82KB
MD5

2a27d2269fd9e92b3ee5aac2106b2010
SHA1

ce38d23b24e159ecef1ed0277c8479d6796c75f5
SHA256

f02e9928eeb4a726b9e09c745db377fd8c43ed1beb6dcb5c36dc9be615ff8505
SHA512

0440f3a9c070682aee18b15216675a88bd4d744af22473d74722b076859f190042c3367660c271d2dab93520bf237545404ee9bdfb991358dbea8be870c382ab
SSDEEP

1536:wBLufjDFLfwM6WHjLS351Bxp9rzs56c2L7oepm6+wDSmQFN6TiN1sJtvQu:r7ZabBxp9DVHpm6tm7N6TO1SpD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2a27d2269fd9e92b3ee5aac2106b2010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2a27d2269fd9e92b3ee5aac2106b2010N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe

Executes dropped EXE 20 IoCs

pid	Process
2380	Bnknoogp.exe
2668	Bchfhfeh.exe
2876	Bieopm32.exe
2680	Bqlfaj32.exe
1944	Bbmcibjp.exe
2596	Bfioia32.exe
236	Ccmpce32.exe
2828	Cfkloq32.exe
2004	Cocphf32.exe
2820	Cepipm32.exe
1248	Ckjamgmk.exe
2960	Cagienkb.exe
2244	Cgaaah32.exe
880	Cbffoabe.exe
2744	Cgcnghpl.exe
1288	Cjakccop.exe
1984	Ccjoli32.exe
900	Cfhkhd32.exe
2168	Danpemej.exe
2120	Dpapaj32.exe

Loads dropped DLL 43 IoCs

pid	Process
2312	2a27d2269fd9e92b3ee5aac2106b2010N.exe
2312	2a27d2269fd9e92b3ee5aac2106b2010N.exe
2380	Bnknoogp.exe
2380	Bnknoogp.exe
2668	Bchfhfeh.exe
2668	Bchfhfeh.exe
2876	Bieopm32.exe
2876	Bieopm32.exe
2680	Bqlfaj32.exe
2680	Bqlfaj32.exe
1944	Bbmcibjp.exe
1944	Bbmcibjp.exe
2596	Bfioia32.exe
2596	Bfioia32.exe
236	Ccmpce32.exe
236	Ccmpce32.exe
2828	Cfkloq32.exe
2828	Cfkloq32.exe
2004	Cocphf32.exe
2004	Cocphf32.exe
2820	Cepipm32.exe
2820	Cepipm32.exe
1248	Ckjamgmk.exe
1248	Ckjamgmk.exe
2960	Cagienkb.exe
2960	Cagienkb.exe
2244	Cgaaah32.exe
2244	Cgaaah32.exe
880	Cbffoabe.exe
880	Cbffoabe.exe
2744	Cgcnghpl.exe
2744	Cgcnghpl.exe
1288	Cjakccop.exe
1288	Cjakccop.exe
1984	Ccjoli32.exe
1984	Ccjoli32.exe
900	Cfhkhd32.exe
900	Cfhkhd32.exe
2168	Danpemej.exe
2168	Danpemej.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	2a27d2269fd9e92b3ee5aac2106b2010N.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bieopm32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	2a27d2269fd9e92b3ee5aac2106b2010N.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	2a27d2269fd9e92b3ee5aac2106b2010N.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Cfhkhd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1680	2120	WerFault.exe	50

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a27d2269fd9e92b3ee5aac2106b2010N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2a27d2269fd9e92b3ee5aac2106b2010N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2a27d2269fd9e92b3ee5aac2106b2010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2a27d2269fd9e92b3ee5aac2106b2010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2a27d2269fd9e92b3ee5aac2106b2010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	2a27d2269fd9e92b3ee5aac2106b2010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2a27d2269fd9e92b3ee5aac2106b2010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2380	2312	2a27d2269fd9e92b3ee5aac2106b2010N.exe	31
PID 2312 wrote to memory of 2380	2312	2a27d2269fd9e92b3ee5aac2106b2010N.exe	31
PID 2312 wrote to memory of 2380	2312	2a27d2269fd9e92b3ee5aac2106b2010N.exe	31
PID 2312 wrote to memory of 2380	2312	2a27d2269fd9e92b3ee5aac2106b2010N.exe	31
PID 2380 wrote to memory of 2668	2380	Bnknoogp.exe	32
PID 2380 wrote to memory of 2668	2380	Bnknoogp.exe	32
PID 2380 wrote to memory of 2668	2380	Bnknoogp.exe	32
PID 2380 wrote to memory of 2668	2380	Bnknoogp.exe	32
PID 2668 wrote to memory of 2876	2668	Bchfhfeh.exe	33
PID 2668 wrote to memory of 2876	2668	Bchfhfeh.exe	33
PID 2668 wrote to memory of 2876	2668	Bchfhfeh.exe	33
PID 2668 wrote to memory of 2876	2668	Bchfhfeh.exe	33
PID 2876 wrote to memory of 2680	2876	Bieopm32.exe	34
PID 2876 wrote to memory of 2680	2876	Bieopm32.exe	34
PID 2876 wrote to memory of 2680	2876	Bieopm32.exe	34
PID 2876 wrote to memory of 2680	2876	Bieopm32.exe	34
PID 2680 wrote to memory of 1944	2680	Bqlfaj32.exe	35
PID 2680 wrote to memory of 1944	2680	Bqlfaj32.exe	35
PID 2680 wrote to memory of 1944	2680	Bqlfaj32.exe	35
PID 2680 wrote to memory of 1944	2680	Bqlfaj32.exe	35
PID 1944 wrote to memory of 2596	1944	Bbmcibjp.exe	36
PID 1944 wrote to memory of 2596	1944	Bbmcibjp.exe	36
PID 1944 wrote to memory of 2596	1944	Bbmcibjp.exe	36
PID 1944 wrote to memory of 2596	1944	Bbmcibjp.exe	36
PID 2596 wrote to memory of 236	2596	Bfioia32.exe	37
PID 2596 wrote to memory of 236	2596	Bfioia32.exe	37
PID 2596 wrote to memory of 236	2596	Bfioia32.exe	37
PID 2596 wrote to memory of 236	2596	Bfioia32.exe	37
PID 236 wrote to memory of 2828	236	Ccmpce32.exe	38
PID 236 wrote to memory of 2828	236	Ccmpce32.exe	38
PID 236 wrote to memory of 2828	236	Ccmpce32.exe	38
PID 236 wrote to memory of 2828	236	Ccmpce32.exe	38
PID 2828 wrote to memory of 2004	2828	Cfkloq32.exe	39
PID 2828 wrote to memory of 2004	2828	Cfkloq32.exe	39
PID 2828 wrote to memory of 2004	2828	Cfkloq32.exe	39
PID 2828 wrote to memory of 2004	2828	Cfkloq32.exe	39
PID 2004 wrote to memory of 2820	2004	Cocphf32.exe	40
PID 2004 wrote to memory of 2820	2004	Cocphf32.exe	40
PID 2004 wrote to memory of 2820	2004	Cocphf32.exe	40
PID 2004 wrote to memory of 2820	2004	Cocphf32.exe	40
PID 2820 wrote to memory of 1248	2820	Cepipm32.exe	41
PID 2820 wrote to memory of 1248	2820	Cepipm32.exe	41
PID 2820 wrote to memory of 1248	2820	Cepipm32.exe	41
PID 2820 wrote to memory of 1248	2820	Cepipm32.exe	41
PID 1248 wrote to memory of 2960	1248	Ckjamgmk.exe	42
PID 1248 wrote to memory of 2960	1248	Ckjamgmk.exe	42
PID 1248 wrote to memory of 2960	1248	Ckjamgmk.exe	42
PID 1248 wrote to memory of 2960	1248	Ckjamgmk.exe	42
PID 2960 wrote to memory of 2244	2960	Cagienkb.exe	43
PID 2960 wrote to memory of 2244	2960	Cagienkb.exe	43
PID 2960 wrote to memory of 2244	2960	Cagienkb.exe	43
PID 2960 wrote to memory of 2244	2960	Cagienkb.exe	43
PID 2244 wrote to memory of 880	2244	Cgaaah32.exe	44
PID 2244 wrote to memory of 880	2244	Cgaaah32.exe	44
PID 2244 wrote to memory of 880	2244	Cgaaah32.exe	44
PID 2244 wrote to memory of 880	2244	Cgaaah32.exe	44
PID 880 wrote to memory of 2744	880	Cbffoabe.exe	45
PID 880 wrote to memory of 2744	880	Cbffoabe.exe	45
PID 880 wrote to memory of 2744	880	Cbffoabe.exe	45
PID 880 wrote to memory of 2744	880	Cbffoabe.exe	45
PID 2744 wrote to memory of 1288	2744	Cgcnghpl.exe	46
PID 2744 wrote to memory of 1288	2744	Cgcnghpl.exe	46
PID 2744 wrote to memory of 1288	2744	Cgcnghpl.exe	46
PID 2744 wrote to memory of 1288	2744	Cgcnghpl.exe	46

C:\Users\Admin\AppData\Local\Temp\2a27d2269fd9e92b3ee5aac2106b2010N.exe
"C:\Users\Admin\AppData\Local\Temp\2a27d2269fd9e92b3ee5aac2106b2010N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\Bnknoogp.exe
  C:\Windows\system32\Bnknoogp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\Bchfhfeh.exe
    C:\Windows\system32\Bchfhfeh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\Bieopm32.exe
      C:\Windows\system32\Bieopm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:236
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 144
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfioia32.exe

Filesize
82KB

MD5
b21b54ad57e0d5889cc8cf0023a7b255

SHA1
3c93156f50237c7e1b067aabb42659cb41b67aa1

SHA256
3028dbf6f0dd3c9f4dcbbce615547a9286f92d229afe6310133ee32f91ba3b26

SHA512
622fcbf48a991261fafeaad99a18c82156c7722696f14a6ff9c7f55b9680b6694aa3a81300aae4d988cc1c1c46050893a84a1c5233419c1a70e1256a8599b28d

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
82KB

MD5
5b79e84420be416cf7e17aba53615318

SHA1
963fb60e580acf16b62a5e97f85d02d34c74aba9

SHA256
00a41e97dd1213bf325c7130cc7fbef021688e4fe71a52902ded28524171ee23

SHA512
b94153f16e8d52a35f4d53d05684a5538064e48fd72205d6b505cd6c321ba53df2919fd9ef0d61a6b83f85286d74ea500da68baf284265bb0d6ecfa743aa05d4

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
82KB

MD5
2f99b5da3a65ad70197d83f90ae57020

SHA1
e8e076bcbedb8fae2a3864d183f4fc148d088d69

SHA256
01f0afea4716ddb6cd8485e8295b6a5a7673a42ccfd5e4db84e714f989e0a1b2

SHA512
420a59de4c9a03e2e2b6b52915b19bcf1c702b681f8f0848a6aab382a2bda2ce50f4123f46c97e8b34d6d404fe296a7fe2f7c5c817e9fb77d3adfe99c8a202a6

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
82KB

MD5
f777e94d96076ef992ba33aa42b4dcef

SHA1
933a3bfba574221c9b31017398681db32459d4d6

SHA256
c54273ddc9b6d7a569c87ef4aca8ce35306778f0ffbd1e188596c07336517d8c

SHA512
d21d79c14edf2032cffec14a21e1e116bc44f0533a77ccadd4179053927d55042f066eb5e39b8f6c4f38e9bbeba74b5e95c21d13876165060dec4553fc2d3905

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
82KB

MD5
db87e78b9c79809d76b7e905f1ba3aa2

SHA1
ad79a5c93f2268108c3a1c46ee3b37a9b929fdbb

SHA256
94e2fda952ef9a89be092dfcf445b9374acf3ec2a465d419b69138e356af76f7

SHA512
d3b5db06c02b63468bf219d85c74632108e87fef4f08028abb4f81834490e9732fa75ef25a163a0f0609c66e5e9d84dd4d82779965eb5e8ab95512ef5c7347ac

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
82KB

MD5
4b6ce58f7bbce643dd637cc5b0e0a7ae

SHA1
b125bfd7885c8cf1ad6fff0335f1f60dddac902c

SHA256
cd4a8ba6ec2337da6894672fbeeb898f13077b235ac57f9085f49d232d0bdd9d

SHA512
2b2e5135f4d8f8f671030c933ba3f134197fae0c0daeee8fe8fbb58ee16a97a2fdc6ecf2fa8535465c886f82ef2820a98e1eca5a85f9f0b498c719db8f362309

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
82KB

MD5
11d1f77db3bc09c430619cdec447fb90

SHA1
1178c56f3e2dca13b45bf333cf5a6e43e2909c68

SHA256
dc247511d6594c975aac9055e7c30d90685a063fe41cba3112db942e0ce31a18

SHA512
8429794d061081bd9dfcdd2d6add5caf99ddd9409dbf94c296126d770863f6225876db321658297678ee2d6f8375d384050c5131c32a2122c915a7006676e8ce

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
82KB

MD5
3986ec5b6c10c427b29f9e57620c807c

SHA1
3cffd792043ab4e5cd6e8db806923b97c9f026bb

SHA256
ff3272e09603bf5669ad1492a323d78f19ecc43d6dac59df5ddd8f7f3befddb5

SHA512
04302013e9217fdb70516338e210a71876a81225149ea1b7b63af11e8d3e132e7645405d720eade01c9fea5e393545a9f8a924b556be9909b3d94f82577229bc

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
82KB

MD5
f63cada09bd0c0781bc1f3573eca086d

SHA1
21a265cdf5c290914b75969918963385376c4688

SHA256
f915aee8c3a80f667b3c531b364ac46d534f710aeb4d414773981d5b808db457

SHA512
05ee0f6ff7c5e20d54a4e0e86065aac61be41b5c6535433180bdf6ba793a083a81ac887c4a88fa5f2856da1b4a674ffaeb0c9f806150745cfa9957adc08aba92

Download Submit
\Windows\SysWOW64\Bnknoogp.exe

Filesize
82KB

MD5
33687013094c8d845018beb1127a6128

SHA1
a2880e9e78e6270f15c52b829c139979a300e665

SHA256
7c18d8bd13864cc09bf05e9ef6535d47e5fd362e8b4b462fdf679137f4d97952

SHA512
cf2af1e7282009f6009de6c2e31d6ad1271e9fd46a8dce4dc2366d07bb5c309ef472cba49634e337dec9517339c6c7c55cc1384fc599f14765dfdd35c67f935e

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
82KB

MD5
4d923ac4ec16f1be8b59529c3114aece

SHA1
0215eecded8a5458099ece621ef081b8456ac6d2

SHA256
b99b749ec3dc7a9121819f15f4460a867ea46debb29d1bc59512a728084973b3

SHA512
3c75ba2b5c73ea3b79ff5b7a7ff88769d6ce25b4a42f72e3e52d73f823eb51036417a5a2e33982a43b89be235c06908f1d6399c636e9ef47a8f10233b62726f8

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
82KB

MD5
122559116776c1019542428f5b18bdaa

SHA1
f1518a22d48730a11bd20dc78e2f3410550a2c29

SHA256
dfb7bf489f504a5bc2f39a3f7e494030cce59e399e83c6605f09207bcf5d4c82

SHA512
6b89bbc1c1c9cd0ac603852e116115eb13ca06c5647471d92ad039eaba86e305268be55b985a843a5e8fb90e32a25098a0f473f0d1b8c8f8fedecf6c31b5e3d0

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
82KB

MD5
f6683b7d3ecad3a0679a72b23b4480d9

SHA1
2cc0f9337fb5c9aef2428b10ee375628d1c4d850

SHA256
557e56699e754799004369b9b0a50f0dc4f403980b9a362982ec29fec1d322b6

SHA512
896a0b7225158872dd02e6e6ef27989d6e66a778b52faee387bfa8525f8bd0d86b37abeeca3dd151a72960e58e5fbe4eda5400a8c74aaacf8f14c5e942a8555b

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
82KB

MD5
25a1e7af69e76a0ca141abd99a210d63

SHA1
7cc9decc617f10de8dbc52715123093d7720639f

SHA256
2b73b86fe40ddf6bb7b11dfc3ec8fdb6c9168543db31c98443ccea9f9a24128c

SHA512
af7949b9b84a6aae6899379c926e304696c7372e3ce9f507919c6403e69cb9874d96aaa330ed741155b58989d13654d1c6152f64779aad0d5ef7aa977f46c567

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
82KB

MD5
7e0a7724bbb0e56b0997025381a0afcc

SHA1
ab16a1046e4ff99e56d98d68b31b790600b802cf

SHA256
13dbbb351484d405a175e81cd0f87db555e6f0c5737094f41507457bd9da65dd

SHA512
ef13ef3251cde448fef4745d3c79780434b69dff5e8232babb5b0ef9a4058683ed66a0713f616c6b03629af280df84269297f808673559127db93df7b15403e0

Download Submit
\Windows\SysWOW64\Cgaaah32.exe

Filesize
82KB

MD5
850986bcda2c9ad9dc47465dc7d49a95

SHA1
c380da3e5c6f5f3b31e54046cf939cea33f97e20

SHA256
8d95a4c2cb9cee963f4264fea0d06220fec2c2c69c45210385d5a8ca35f2ad57

SHA512
e77b5862240c947b839ec554c5ccb4a8572fa5e7d29a41b7468aab326ae39c40fa0f4c11c94b136708b619f8e967841022f484ab91cdb3036f9805744ad9f4a4

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
82KB

MD5
fce4ca1adf75f3852f1de18463db3a27

SHA1
69dba9984497e11b0b07ef5d8e4d0dcb94a6bba2

SHA256
12ebe3e59aae644359d3232c40cf212e470d9a3a5fda27a4e6f8f1e818a7457b

SHA512
dd099e0802f5591f498c186b188e8e397b481352df225c297bae9dd9a935782b713e27a3737abe0be9596f92b8ff3618e7ad33f0cadc5a80747405f7cc913032

Download Submit
\Windows\SysWOW64\Cjakccop.exe

Filesize
82KB

MD5
8f4b6751900a061d3146ec8d7e95aaf2

SHA1
bebd9a11707331ce6c0117bf414ed21412ae1ded

SHA256
e3b358b86594d37cb04a0d68dbc1edd9a328db7b5fae45b211cb39a471ef7a14

SHA512
7e6c48310e4838eb49c52d45465f82b9a7621ae58538611b5c5bcc36d6e3c9c522fbc4bf0525f6ba3878579132ec5e039ccdd9c07d30a8959daf5a7229fa220e

Download Submit
\Windows\SysWOW64\Ckjamgmk.exe

Filesize
82KB

MD5
9cd3f66788e4fb43f1179e721d747e3e

SHA1
e0149bade0753fcc7171e6edf88d9e84964a5d15

SHA256
6872cc955d77c74a09fb2c1e09c593cc6b73d91767a97047118778e5742b805a

SHA512
587c8c967ab4a0a06642ebdc3b4d48f5b09ee67870edbaa434edad94b9938f1854cc1331ad4fb7656d4a82359aa2909661f799a6341dad765f6c29ea07291194

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
82KB

MD5
a5f18ba45c75a23d02f04e2d8e9b53a7

SHA1
332813b4ec861d4e301511c5ce4550dcc1365960

SHA256
9444b64d0b73016ae686649b20843a2c4076573686388f50cbf7a712f226daa1

SHA512
6c0130fd2cec3d9ae1e20059918c8c219138a7b92938c7c0beccd371389d6665f2955b1609070ffb9c7c5fcd02f73c09b14490d2e737c1294d26c17c08fb48e8

Download Submit
memory/236-153-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/236-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/236-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/236-111-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/880-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-215-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/900-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/900-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/900-285-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/900-265-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1248-222-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1248-173-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1248-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-243-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/1288-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-128-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1944-80-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1944-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1984-283-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1984-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1984-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-143-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2004-189-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2004-190-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2004-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-278-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2244-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-51-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-11-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2380-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2380-20-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2380-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-91-0x0000000001F90000-0x0000000001FD1000-memory.dmp

Filesize
260KB

Download
memory/2596-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-33-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2668-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-113-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2680-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-66-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2680-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-230-0x0000000001FB0000-0x0000000001FF1000-memory.dmp

Filesize
260KB

Download
memory/2820-154-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2820-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2828-122-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2828-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2828-129-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2828-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-93-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-184-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2960-191-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2960-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads