788f3334c8f60d9647df558e0f7380f130dbaa8b850975828286a7f4f97aada5

Analysis

max time kernel
111s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4ed2c4ed11184e120783c0cded0cb30N.exe
Size

55KB
MD5

f4ed2c4ed11184e120783c0cded0cb30
SHA1

1def8b2bc651db91a98222ba8015e71a25e9031d
SHA256

788f3334c8f60d9647df558e0f7380f130dbaa8b850975828286a7f4f97aada5
SHA512

089360aa9647b71b9335d5b3cc3d9c4168c688112cb555a3581e2fbe4505254e05ba167bcec6f01f5b167153172c45ca0b1705ab08c048169f95543b7f3d1f6d
SSDEEP

768:iYNWrXX70XmSMi2x3p0cZSCLalPDzQNgZaIRNOyNz0W2npRyeLO2p/1H5zXdnh:JAnov/psSCLUHZaIRNOyNz0WgDi2Lf

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfbjdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdamao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjekahk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfcjag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clhecl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f4ed2c4ed11184e120783c0cded0cb30N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaobmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f4ed2c4ed11184e120783c0cded0cb30N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clfhml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknfeege.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcjgnbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clclhmin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clhecl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfjnkne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clclhmin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqjla32.exe

Executes dropped EXE 20 IoCs

pid	Process
2332	Bmjekahk.exe
1884	Bfbjdf32.exe
3004	Bknfeege.exe
2860	Bdfjnkne.exe
2744	Bgdfjfmi.exe
1300	Bmnofp32.exe
2472	Blaobmkq.exe
2204	Cggcofkf.exe
2900	Clclhmin.exe
2772	Cobhdhha.exe
2284	Capdpcge.exe
1236	Clfhml32.exe
584	Ckiiiine.exe
2120	Cdamao32.exe
1184	Clhecl32.exe
2260	Cofaog32.exe
900	Ceqjla32.exe
2476	Cdcjgnbc.exe
2124	Cgbfcjag.exe
1208	Coindgbi.exe

Loads dropped DLL 40 IoCs

pid	Process
2164	f4ed2c4ed11184e120783c0cded0cb30N.exe
2164	f4ed2c4ed11184e120783c0cded0cb30N.exe
2332	Bmjekahk.exe
2332	Bmjekahk.exe
1884	Bfbjdf32.exe
1884	Bfbjdf32.exe
3004	Bknfeege.exe
3004	Bknfeege.exe
2860	Bdfjnkne.exe
2860	Bdfjnkne.exe
2744	Bgdfjfmi.exe
2744	Bgdfjfmi.exe
1300	Bmnofp32.exe
1300	Bmnofp32.exe
2472	Blaobmkq.exe
2472	Blaobmkq.exe
2204	Cggcofkf.exe
2204	Cggcofkf.exe
2900	Clclhmin.exe
2900	Clclhmin.exe
2772	Cobhdhha.exe
2772	Cobhdhha.exe
2284	Capdpcge.exe
2284	Capdpcge.exe
1236	Clfhml32.exe
1236	Clfhml32.exe
584	Ckiiiine.exe
584	Ckiiiine.exe
2120	Cdamao32.exe
2120	Cdamao32.exe
1184	Clhecl32.exe
1184	Clhecl32.exe
2260	Cofaog32.exe
2260	Cofaog32.exe
900	Ceqjla32.exe
900	Ceqjla32.exe
2476	Cdcjgnbc.exe
2476	Cdcjgnbc.exe
2124	Cgbfcjag.exe
2124	Cgbfcjag.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cofaog32.exe	Clhecl32.exe
File created	C:\Windows\SysWOW64\Elnlcjph.dll	Clhecl32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Cgbfcjag.exe
File opened for modification	C:\Windows\SysWOW64\Bdfjnkne.exe	Bknfeege.exe
File created	C:\Windows\SysWOW64\Clclhmin.exe	Cggcofkf.exe
File created	C:\Windows\SysWOW64\Cobhdhha.exe	Clclhmin.exe
File created	C:\Windows\SysWOW64\Hkfggj32.dll	Clclhmin.exe
File created	C:\Windows\SysWOW64\Clhecl32.exe	Cdamao32.exe
File created	C:\Windows\SysWOW64\Bknfeege.exe	Bfbjdf32.exe
File created	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Edalmn32.dll	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Kacclb32.dll	Bmnofp32.exe
File created	C:\Windows\SysWOW64\Clfhml32.exe	Capdpcge.exe
File created	C:\Windows\SysWOW64\Cdamao32.exe	Ckiiiine.exe
File opened for modification	C:\Windows\SysWOW64\Cobhdhha.exe	Clclhmin.exe
File created	C:\Windows\SysWOW64\Cmfjgc32.dll	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Ckiiiine.exe	Clfhml32.exe
File opened for modification	C:\Windows\SysWOW64\Clhecl32.exe	Cdamao32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Cgbfcjag.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Cgbfcjag.exe
File created	C:\Windows\SysWOW64\Bfbjdf32.exe	Bmjekahk.exe
File opened for modification	C:\Windows\SysWOW64\Clclhmin.exe	Cggcofkf.exe
File created	C:\Windows\SysWOW64\Dhhdmc32.dll	Cggcofkf.exe
File opened for modification	C:\Windows\SysWOW64\Clfhml32.exe	Capdpcge.exe
File created	C:\Windows\SysWOW64\Lfehem32.dll	Cdamao32.exe
File created	C:\Windows\SysWOW64\Ceqjla32.exe	Cofaog32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Djenbd32.dll	Cofaog32.exe
File created	C:\Windows\SysWOW64\Cgbfcjag.exe	Cdcjgnbc.exe
File created	C:\Windows\SysWOW64\Qamnbhdj.dll	f4ed2c4ed11184e120783c0cded0cb30N.exe
File opened for modification	C:\Windows\SysWOW64\Bfbjdf32.exe	Bmjekahk.exe
File opened for modification	C:\Windows\SysWOW64\Bknfeege.exe	Bfbjdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqjla32.exe	Cofaog32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcjgnbc.exe	Ceqjla32.exe
File opened for modification	C:\Windows\SysWOW64\Bmjekahk.exe	f4ed2c4ed11184e120783c0cded0cb30N.exe
File opened for modification	C:\Windows\SysWOW64\Cggcofkf.exe	Blaobmkq.exe
File opened for modification	C:\Windows\SysWOW64\Cgbfcjag.exe	Cdcjgnbc.exe
File created	C:\Windows\SysWOW64\Bkofkccd.dll	Bmjekahk.exe
File created	C:\Windows\SysWOW64\Idcnlffk.dll	Bfbjdf32.exe
File created	C:\Windows\SysWOW64\Cofaog32.exe	Clhecl32.exe
File opened for modification	C:\Windows\SysWOW64\Blaobmkq.exe	Bmnofp32.exe
File created	C:\Windows\SysWOW64\Capdpcge.exe	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Hjlkkhne.dll	Capdpcge.exe
File created	C:\Windows\SysWOW64\Jchbfbij.dll	Clfhml32.exe
File opened for modification	C:\Windows\SysWOW64\Cdamao32.exe	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Bmnofp32.exe	Bgdfjfmi.exe
File opened for modification	C:\Windows\SysWOW64\Bmnofp32.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Peapkpkj.dll	Blaobmkq.exe
File opened for modification	C:\Windows\SysWOW64\Capdpcge.exe	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Jggdmb32.dll	Bknfeege.exe
File created	C:\Windows\SysWOW64\Ojeffiih.dll	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Cdcjgnbc.exe	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Befddlni.dll	Cdcjgnbc.exe
File created	C:\Windows\SysWOW64\Blaobmkq.exe	Bmnofp32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiiiine.exe	Clfhml32.exe
File created	C:\Windows\SysWOW64\Niienepq.dll	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Bmjekahk.exe	f4ed2c4ed11184e120783c0cded0cb30N.exe
File created	C:\Windows\SysWOW64\Bdfjnkne.exe	Bknfeege.exe
File created	C:\Windows\SysWOW64\Cggcofkf.exe	Blaobmkq.exe
File created	C:\Windows\SysWOW64\Iafehn32.dll	Ceqjla32.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4ed2c4ed11184e120783c0cded0cb30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clclhmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqjla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcjgnbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdfjfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiiiine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cofaog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdamao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfcjag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjekahk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknfeege.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfjnkne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnofp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Capdpcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clfhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfbjdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaobmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggcofkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cobhdhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clhecl32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befddlni.dll"	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edalmn32.dll"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peapkpkj.dll"	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clfhml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clhecl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfbjdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f4ed2c4ed11184e120783c0cded0cb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cobhdhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Capdpcge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll"	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggdmb32.dll"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll"	Cggcofkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamnbhdj.dll"	f4ed2c4ed11184e120783c0cded0cb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlkkhne.dll"	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfggj32.dll"	Clclhmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cobhdhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bknfeege.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clclhmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaobmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacclb32.dll"	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcjgnbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f4ed2c4ed11184e120783c0cded0cb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcjgnbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f4ed2c4ed11184e120783c0cded0cb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niienepq.dll"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfehem32.dll"	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgbfcjag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f4ed2c4ed11184e120783c0cded0cb30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkofkccd.dll"	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcnlffk.dll"	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djenbd32.dll"	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafehn32.dll"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfjgc32.dll"	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnlcjph.dll"	Clhecl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f4ed2c4ed11184e120783c0cded0cb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaobmkq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2332	2164	f4ed2c4ed11184e120783c0cded0cb30N.exe	30
PID 2164 wrote to memory of 2332	2164	f4ed2c4ed11184e120783c0cded0cb30N.exe	30
PID 2164 wrote to memory of 2332	2164	f4ed2c4ed11184e120783c0cded0cb30N.exe	30
PID 2164 wrote to memory of 2332	2164	f4ed2c4ed11184e120783c0cded0cb30N.exe	30
PID 2332 wrote to memory of 1884	2332	Bmjekahk.exe	31
PID 2332 wrote to memory of 1884	2332	Bmjekahk.exe	31
PID 2332 wrote to memory of 1884	2332	Bmjekahk.exe	31
PID 2332 wrote to memory of 1884	2332	Bmjekahk.exe	31
PID 1884 wrote to memory of 3004	1884	Bfbjdf32.exe	32
PID 1884 wrote to memory of 3004	1884	Bfbjdf32.exe	32
PID 1884 wrote to memory of 3004	1884	Bfbjdf32.exe	32
PID 1884 wrote to memory of 3004	1884	Bfbjdf32.exe	32
PID 3004 wrote to memory of 2860	3004	Bknfeege.exe	33
PID 3004 wrote to memory of 2860	3004	Bknfeege.exe	33
PID 3004 wrote to memory of 2860	3004	Bknfeege.exe	33
PID 3004 wrote to memory of 2860	3004	Bknfeege.exe	33
PID 2860 wrote to memory of 2744	2860	Bdfjnkne.exe	34
PID 2860 wrote to memory of 2744	2860	Bdfjnkne.exe	34
PID 2860 wrote to memory of 2744	2860	Bdfjnkne.exe	34
PID 2860 wrote to memory of 2744	2860	Bdfjnkne.exe	34
PID 2744 wrote to memory of 1300	2744	Bgdfjfmi.exe	35
PID 2744 wrote to memory of 1300	2744	Bgdfjfmi.exe	35
PID 2744 wrote to memory of 1300	2744	Bgdfjfmi.exe	35
PID 2744 wrote to memory of 1300	2744	Bgdfjfmi.exe	35
PID 1300 wrote to memory of 2472	1300	Bmnofp32.exe	36
PID 1300 wrote to memory of 2472	1300	Bmnofp32.exe	36
PID 1300 wrote to memory of 2472	1300	Bmnofp32.exe	36
PID 1300 wrote to memory of 2472	1300	Bmnofp32.exe	36
PID 2472 wrote to memory of 2204	2472	Blaobmkq.exe	37
PID 2472 wrote to memory of 2204	2472	Blaobmkq.exe	37
PID 2472 wrote to memory of 2204	2472	Blaobmkq.exe	37
PID 2472 wrote to memory of 2204	2472	Blaobmkq.exe	37
PID 2204 wrote to memory of 2900	2204	Cggcofkf.exe	38
PID 2204 wrote to memory of 2900	2204	Cggcofkf.exe	38
PID 2204 wrote to memory of 2900	2204	Cggcofkf.exe	38
PID 2204 wrote to memory of 2900	2204	Cggcofkf.exe	38
PID 2900 wrote to memory of 2772	2900	Clclhmin.exe	39
PID 2900 wrote to memory of 2772	2900	Clclhmin.exe	39
PID 2900 wrote to memory of 2772	2900	Clclhmin.exe	39
PID 2900 wrote to memory of 2772	2900	Clclhmin.exe	39
PID 2772 wrote to memory of 2284	2772	Cobhdhha.exe	40
PID 2772 wrote to memory of 2284	2772	Cobhdhha.exe	40
PID 2772 wrote to memory of 2284	2772	Cobhdhha.exe	40
PID 2772 wrote to memory of 2284	2772	Cobhdhha.exe	40
PID 2284 wrote to memory of 1236	2284	Capdpcge.exe	41
PID 2284 wrote to memory of 1236	2284	Capdpcge.exe	41
PID 2284 wrote to memory of 1236	2284	Capdpcge.exe	41
PID 2284 wrote to memory of 1236	2284	Capdpcge.exe	41
PID 1236 wrote to memory of 584	1236	Clfhml32.exe	42
PID 1236 wrote to memory of 584	1236	Clfhml32.exe	42
PID 1236 wrote to memory of 584	1236	Clfhml32.exe	42
PID 1236 wrote to memory of 584	1236	Clfhml32.exe	42
PID 584 wrote to memory of 2120	584	Ckiiiine.exe	43
PID 584 wrote to memory of 2120	584	Ckiiiine.exe	43
PID 584 wrote to memory of 2120	584	Ckiiiine.exe	43
PID 584 wrote to memory of 2120	584	Ckiiiine.exe	43
PID 2120 wrote to memory of 1184	2120	Cdamao32.exe	44
PID 2120 wrote to memory of 1184	2120	Cdamao32.exe	44
PID 2120 wrote to memory of 1184	2120	Cdamao32.exe	44
PID 2120 wrote to memory of 1184	2120	Cdamao32.exe	44
PID 1184 wrote to memory of 2260	1184	Clhecl32.exe	45
PID 1184 wrote to memory of 2260	1184	Clhecl32.exe	45
PID 1184 wrote to memory of 2260	1184	Clhecl32.exe	45
PID 1184 wrote to memory of 2260	1184	Clhecl32.exe	45

C:\Users\Admin\AppData\Local\Temp\f4ed2c4ed11184e120783c0cded0cb30N.exe
"C:\Users\Admin\AppData\Local\Temp\f4ed2c4ed11184e120783c0cded0cb30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\Bmjekahk.exe
  C:\Windows\system32\Bmjekahk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\Bfbjdf32.exe
    C:\Windows\system32\Bfbjdf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\SysWOW64\Bknfeege.exe
      C:\Windows\system32\Bknfeege.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\SysWOW64\Bdfjnkne.exe
        
        C:\Windows\system32\Bdfjnkne.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\SysWOW64\Bgdfjfmi.exe
        
        C:\Windows\system32\Bgdfjfmi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Bmnofp32.exe
        
        C:\Windows\system32\Bmnofp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Blaobmkq.exe
        
        C:\Windows\system32\Blaobmkq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Cggcofkf.exe
        
        C:\Windows\system32\Cggcofkf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Clclhmin.exe
        
        C:\Windows\system32\Clclhmin.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Cobhdhha.exe
        
        C:\Windows\system32\Cobhdhha.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Capdpcge.exe
        
        C:\Windows\system32\Capdpcge.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Clfhml32.exe
        
        C:\Windows\system32\Clfhml32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Ckiiiine.exe
        
        C:\Windows\system32\Ckiiiine.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Cdamao32.exe
        
        C:\Windows\system32\Cdamao32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Clhecl32.exe
        
        C:\Windows\system32\Clhecl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Cofaog32.exe
        
        C:\Windows\system32\Cofaog32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Ceqjla32.exe
        
        C:\Windows\system32\Ceqjla32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Cdcjgnbc.exe
        
        C:\Windows\system32\Cdcjgnbc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Cgbfcjag.exe
        
        C:\Windows\system32\Cgbfcjag.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfbjdf32.exe

Filesize
55KB

MD5
dadb3da308c73eea3e4d9e6fa68eafd7

SHA1
64e1928e0bf4669eb094c3e42a54a37cc7256d74

SHA256
e35bb588d924940437ca54c93865124ef91cfdfa66395ed49142aa236efc3f4c

SHA512
770b4cffaf0f71784c85aacde50db2dcbc23d6a243a1b9e407074baa38df092a6d6dc4eb03e6bb9dfd3cefe9f07c8408df09f0b85d3d21549b41adb33801bf3a

Download Submit
C:\Windows\SysWOW64\Bgdfjfmi.exe

Filesize
55KB

MD5
9e8841b27b32a4db06b5d9bd6dbf60d3

SHA1
4f6d1db5e91770c097bac7f55687bf3666cbb835

SHA256
d6f15dca6a023483c507777581fece08036a07a808e73d8dc983a5092ac44ed0

SHA512
3a391d8417cce30e76c52edfb86913f8227c95a8199690add4c3e8dbff9bcf5f5725625527a454ff9baa15f6d79cb69a5afc393764cf62cea1b6ce6585a0c545

Download Submit
C:\Windows\SysWOW64\Bknfeege.exe

Filesize
55KB

MD5
c47c72f7ec52efb9a4d50663188b1dea

SHA1
4fc2e0dc5364c37d845228b4f38fe929f57833f6

SHA256
502c79fcfbb2b042829e8dbb1c2920e77edd8cc111f70b314f6e859e7d87a616

SHA512
f094b1c4f1c413dea2ce19ed127e77c2b799fe162ac4929dd76fa21654ac3867bff99286007fbc025db44a9983b8c001858528c3b8dfafbf3cf947f75f42c8be

Download Submit
C:\Windows\SysWOW64\Cdcjgnbc.exe

Filesize
55KB

MD5
5e4e44708984101d7e8405df696c40f6

SHA1
5abe473d85bcf15879fadb4972c48decb10d709b

SHA256
3607a20d3328e1c51194c7099e8db262efc9ce494fce05c8e5a019d30f265569

SHA512
487b950d40d09e43661be0bc05e1952f6cfc231fdc88f88cc72630f0ce4aca08bfb901127193fa5488a39c77046a073c0bb3bb80c101bd234a34ed967b73657c

Download Submit
C:\Windows\SysWOW64\Ceqjla32.exe

Filesize
55KB

MD5
4a9fca8cf80a7e7e9d602c117a30eb5f

SHA1
2d2468d695d2ceb46ffd6962c9051db090cc9ee5

SHA256
d0d0340368abcc7fee333b9ff6ce3b5467af8cb96f8519fa70df741cf1d8067d

SHA512
7b46c7e3495701952b66895e64ab1c86ad2040d3644e79561292da7f6a1ecf4155cc8bf04f3b8016bac3eaa4eddea214eb059d5833ace2bc2f6604e0b7cfcec7

Download Submit
C:\Windows\SysWOW64\Cgbfcjag.exe

Filesize
55KB

MD5
bcb0b92ec7e1d74855ab42764a0601e2

SHA1
f4d64305fc998bfcf6d6971948c7247e974e8e0e

SHA256
85e9697f483466d0cd34e51dd132a3dd425a57e94a9753dbec0334d0f55c98f6

SHA512
a16db54c277403f8af910caaac3e3eced3767cb010cc8bf1f21063988cfa81c7bd4c25c4279820490e39c5ef483e03233a5be40a43ffe06cb18be0391186cd5c

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
55KB

MD5
8ae4ac22e88187a84a2b13ff25faa3a0

SHA1
f7da89cf94deed6cd591eaae0542f70ec7a8c22c

SHA256
6f7a62c286175214369aefd8dbf3f10c58d3d001dc5c70f7ed9b0b7df7139697

SHA512
211b46db2f3cf450094514f292713e8a942078911438708162d31e9d325607543186d0031d18d3aa8af3008705ae1287261238060a907796fe1f8d8083544534

Download Submit
\Windows\SysWOW64\Bdfjnkne.exe

Filesize
55KB

MD5
58b8b178fae8ec6e8bdde345fb159fd8

SHA1
a546bb0565a9a8ad61f92c2eb8665584ad2693c2

SHA256
634e814741e61700500f3bc7c092e7bd1314d85f073f7d97d8377ec10c3a317e

SHA512
5d780b1410cbbd476f4d7d0b927d72832b4a572360e75dd355f1a06500ebc4dd9619f6697797b837779f84bdcd0e31416483324e125952e8a366d58f08dce8f7

Download Submit
\Windows\SysWOW64\Blaobmkq.exe

Filesize
55KB

MD5
0c6f0c9be8cb2a4d2ddead75f58bb544

SHA1
699c950beaa121df9ba2eb4b9da757aceccc7282

SHA256
5baa739211b006669f59eca7644258052036490eefb700e019c169e1d7b89a31

SHA512
7731ef771ba0df826e02228edfc74af64323ec15fc1de353c2369d535ef2d4737b425b0c66d33c1583ab8585d398103fc41ce58afec70e8758a95e243c283db5

Download Submit
\Windows\SysWOW64\Bmjekahk.exe

Filesize
55KB

MD5
c34326b4203381b660e697ab7437526c

SHA1
ab13d27fef0fa4fc79ec7ea49ee65f98d674915a

SHA256
b3e4a527bc8c25d140f8d67d7888e69edaff2cc3845d42a1742148fa81f7a43a

SHA512
85705b7c227a9d1b8bd662d33edd96851ce8226e90ccfb8defe1f2f4bdd8a6971fe9dade0030b809a303304c7ce12e843c0d1e5954f36aff2af9c31f21546c14

Download Submit
\Windows\SysWOW64\Bmnofp32.exe

Filesize
55KB

MD5
64d48ca0a91a03bcdc830ea537f4bcf4

SHA1
b9c59ccd06ffd8b03b0734b5f06a69fd1cc9f6cb

SHA256
17748747502b88b5bcce87ce5b5ec1fbbf4b309719ad3174872d83226dfb21db

SHA512
79d39d5dfab1b3d21b64c6dbcba37e72d15da735fb67448d8e93ee3b2bab0f1012fb9af10ea0488ed23aea65ee273467743a1813b5f64aa89308d7e38011f193

Download Submit
\Windows\SysWOW64\Capdpcge.exe

Filesize
55KB

MD5
772f0905641ea4afb23d775d36da3a88

SHA1
4616432a3a38c0b60c85d049db25d9c7283a6bf4

SHA256
068d9c15abd53156e64a4a06dd253afb663f23a001020505dd608cc8469e6413

SHA512
a50fdd68e5baba12a347f724fa7d29cf5d55290e305b23d57c4618737dec821cd36379375ca93cfb71c8a950a7daf8dfa7eeb0fd5f8e85fe878615a637dfc7a0

Download Submit
\Windows\SysWOW64\Cdamao32.exe

Filesize
55KB

MD5
bd30a7687e81b773ef10554267d47a41

SHA1
267baede178e503ae7832ecdd382f00d0d0f8246

SHA256
676276c0ad95e8add3b49d7f35a92bf0cff56f2eae56f2830ec9a79fcce3165d

SHA512
f155371ccab1a6ecb37881ce981c5b51365ab039c75d5f2b273e308cc6a2fe16fc747b2268eb3fa8306aed8d10168d6e178da563b07fd0916be8320bb97ca23d

Download Submit
\Windows\SysWOW64\Cggcofkf.exe

Filesize
55KB

MD5
efbbc8b10a3756f76222131cae1e1e7a

SHA1
c0e6932f4a08e9e2058eb915ed0242b1fa01bfd7

SHA256
1e9ff804d5acb2c07e4478bc9b4f367cbb4240e0c0f2572adc5e35e22f4cce4d

SHA512
2f2af7fd6b6bf04e1d7f21e0a8fc549a60a8a7b349ce76d4da97e23449295e3897db3043efb2dc4c1d43016fc866730b5481cd4771a62d3e317f799c385a1027

Download Submit
\Windows\SysWOW64\Ckiiiine.exe

Filesize
55KB

MD5
ff57ca0e09e2cd9da24e76c9c072ab9f

SHA1
a690a3e29b1528d5ee9870b00811fcefde9b0474

SHA256
c46be8e8140e8a94af47af3d0d9d2bb7e053e19a99076cb6353df9d470487599

SHA512
6414b50e072ccac030a7fbe2eb5da753f03d31e139ea6f07401345d883615177e9b4eb4269d5f3e7db62daa885dca7d49b187bf1c728378462c88a43b85ad952

Download Submit
\Windows\SysWOW64\Clclhmin.exe

Filesize
55KB

MD5
92818301d15d36505f8aea0e3a9028f5

SHA1
f568899fe9d3df162297aa2a07e93eb630ee2c94

SHA256
829d83880c03071150e07f9c5a081aaf44757baf7cdf178415defe6e5cefb9ff

SHA512
6613c65869e710cba51107d098d974bbae0696a235c545f007fdc035b33d32da487e6b186082abf3a905cbec46634db7b5afe637648c2325eae8c0d621f43061

Download Submit
\Windows\SysWOW64\Clfhml32.exe

Filesize
55KB

MD5
edcb20fa493b6a86689474cc93cf5055

SHA1
a1aa0f7e18a44c2f4ff5053ea41b26343977a309

SHA256
e3a0ee4919384ef6871d477e78466f848542bcd9f6d2141d42cc7795af18b060

SHA512
84af65ac815050c7ea20efac83007a8f8a36ba3cf1057ee567dba0333e2dc2fffd914e2368e737edfade915b06d930fb58e05207d00e36432a36e1fb93cf3ad0

Download Submit
\Windows\SysWOW64\Clhecl32.exe

Filesize
55KB

MD5
9ca9462c04db6fb38c40f631f05bfd1e

SHA1
ac01620bf1b79db9ed67308e7cc6cfb4212e855f

SHA256
9ed9314305a3b21162c072689295f589d6bd25550e74e7d5ad689d066d1211d4

SHA512
b778e23e9bbd3a7a01a4c702286a7f4805b9499b75e4eba6df6c8031cc938a304cbf86629dd62bef99f81e906b8a6007e5c01b0e52051734fc5302904e15079a

Download Submit
\Windows\SysWOW64\Cobhdhha.exe

Filesize
55KB

MD5
1d180e091921213912dbf11d560331c3

SHA1
8331238993b80ff8252d502635cb1d15f23420ad

SHA256
fdaea6e0ad630462a3d1baa53c3c08cb52882f6c307707fefbdcf3f7e519e2e1

SHA512
e3cbddef48a09728d22af990490e613cdbe4afc73d22df1d54ceecd708dafbc95a70d099b6fa455b8c032e3ce00ea6bd71253eedcb19db960ee54f8ad54b9ca4

Download Submit
\Windows\SysWOW64\Cofaog32.exe

Filesize
55KB

MD5
ad84193bf35638b451204d95d876b38c

SHA1
9ddbb0e490d137b505b682a73402eb479260695e

SHA256
9164ae2d7f2fee70f782a8592536fab15a9df221cc5298f5ea6570ad9514de90

SHA512
29bf885b18150c68c86d933513097b98c05ad01a96af4402f6fae8c05998729e581101ef011785fc8b8ceed278b6330e0574ccd1fee916efe66d4bf614381cd9

Download Submit
memory/584-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/584-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/900-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/900-229-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1184-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-88-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1884-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-41-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/1884-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-12-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2164-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-11-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2164-293-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2204-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-220-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2284-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-27-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2332-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-102-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2476-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-238-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2744-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-142-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2860-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-129-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3004-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-54-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3004-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads