berbew | 606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63

Analysis

max time kernel
85s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
Size

128KB
MD5

acae4da446e3f7ddddf7d05e0f16cc00
SHA1

e1f266b5008b31deafdebec0b226747c77afba85
SHA256

606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63
SHA512

d4bdfe87ef1f0e01551ad59d46ea81fc2528935ed2e2f2867598fbe44abdc3e39d194c65f82476226f07e977a780922b7ad468256c1fc8877f5b6db3b1493dab
SSDEEP

3072:AnyF/Fvj7TPPSTEndnnhhhWmieDP5wkpHxG:AnEPL15qCA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgcnghpl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 21 IoCs

pid	Process
1288	Bqeqqk32.exe
2880	Bccmmf32.exe
2776	Bdcifi32.exe
2680	Bgaebe32.exe
2796	Bchfhfeh.exe
2612	Bffbdadk.exe
2448	Bcjcme32.exe
1624	Bbmcibjp.exe
1544	Coacbfii.exe
760	Cmedlk32.exe
1052	Cfmhdpnc.exe
1568	Ckjamgmk.exe
2956	Cagienkb.exe
1396	Ckmnbg32.exe
1952	Cchbgi32.exe
668	Cgcnghpl.exe
1920	Calcpm32.exe
1732	Cgfkmgnj.exe
1848	Cfhkhd32.exe
1840	Dmbcen32.exe
1972	Dpapaj32.exe

Loads dropped DLL 42 IoCs

pid	Process
2280	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
2280	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
1288	Bqeqqk32.exe
1288	Bqeqqk32.exe
2880	Bccmmf32.exe
2880	Bccmmf32.exe
2776	Bdcifi32.exe
2776	Bdcifi32.exe
2680	Bgaebe32.exe
2680	Bgaebe32.exe
2796	Bchfhfeh.exe
2796	Bchfhfeh.exe
2612	Bffbdadk.exe
2612	Bffbdadk.exe
2448	Bcjcme32.exe
2448	Bcjcme32.exe
1624	Bbmcibjp.exe
1624	Bbmcibjp.exe
1544	Coacbfii.exe
1544	Coacbfii.exe
760	Cmedlk32.exe
760	Cmedlk32.exe
1052	Cfmhdpnc.exe
1052	Cfmhdpnc.exe
1568	Ckjamgmk.exe
1568	Ckjamgmk.exe
2956	Cagienkb.exe
2956	Cagienkb.exe
1396	Ckmnbg32.exe
1396	Ckmnbg32.exe
1952	Cchbgi32.exe
1952	Cchbgi32.exe
668	Cgcnghpl.exe
668	Cgcnghpl.exe
1920	Calcpm32.exe
1920	Calcpm32.exe
1732	Cgfkmgnj.exe
1732	Cgfkmgnj.exe
1848	Cfhkhd32.exe
1848	Cfhkhd32.exe
1840	Dmbcen32.exe
1840	Dmbcen32.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Opobfpee.dll	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Coacbfii.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bqeqqk32.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bqeqqk32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cfmhdpnc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Fpbdkn32.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Fpbdkn32.¾ll"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1288	2280	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe	31
PID 2280 wrote to memory of 1288	2280	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe	31
PID 2280 wrote to memory of 1288	2280	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe	31
PID 2280 wrote to memory of 1288	2280	606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe	31
PID 1288 wrote to memory of 2880	1288	Bqeqqk32.exe	32
PID 1288 wrote to memory of 2880	1288	Bqeqqk32.exe	32
PID 1288 wrote to memory of 2880	1288	Bqeqqk32.exe	32
PID 1288 wrote to memory of 2880	1288	Bqeqqk32.exe	32
PID 2880 wrote to memory of 2776	2880	Bccmmf32.exe	33
PID 2880 wrote to memory of 2776	2880	Bccmmf32.exe	33
PID 2880 wrote to memory of 2776	2880	Bccmmf32.exe	33
PID 2880 wrote to memory of 2776	2880	Bccmmf32.exe	33
PID 2776 wrote to memory of 2680	2776	Bdcifi32.exe	34
PID 2776 wrote to memory of 2680	2776	Bdcifi32.exe	34
PID 2776 wrote to memory of 2680	2776	Bdcifi32.exe	34
PID 2776 wrote to memory of 2680	2776	Bdcifi32.exe	34
PID 2680 wrote to memory of 2796	2680	Bgaebe32.exe	35
PID 2680 wrote to memory of 2796	2680	Bgaebe32.exe	35
PID 2680 wrote to memory of 2796	2680	Bgaebe32.exe	35
PID 2680 wrote to memory of 2796	2680	Bgaebe32.exe	35
PID 2796 wrote to memory of 2612	2796	Bchfhfeh.exe	36
PID 2796 wrote to memory of 2612	2796	Bchfhfeh.exe	36
PID 2796 wrote to memory of 2612	2796	Bchfhfeh.exe	36
PID 2796 wrote to memory of 2612	2796	Bchfhfeh.exe	36
PID 2612 wrote to memory of 2448	2612	Bffbdadk.exe	37
PID 2612 wrote to memory of 2448	2612	Bffbdadk.exe	37
PID 2612 wrote to memory of 2448	2612	Bffbdadk.exe	37
PID 2612 wrote to memory of 2448	2612	Bffbdadk.exe	37
PID 2448 wrote to memory of 1624	2448	Bcjcme32.exe	38
PID 2448 wrote to memory of 1624	2448	Bcjcme32.exe	38
PID 2448 wrote to memory of 1624	2448	Bcjcme32.exe	38
PID 2448 wrote to memory of 1624	2448	Bcjcme32.exe	38
PID 1624 wrote to memory of 1544	1624	Bbmcibjp.exe	39
PID 1624 wrote to memory of 1544	1624	Bbmcibjp.exe	39
PID 1624 wrote to memory of 1544	1624	Bbmcibjp.exe	39
PID 1624 wrote to memory of 1544	1624	Bbmcibjp.exe	39
PID 1544 wrote to memory of 760	1544	Coacbfii.exe	40
PID 1544 wrote to memory of 760	1544	Coacbfii.exe	40
PID 1544 wrote to memory of 760	1544	Coacbfii.exe	40
PID 1544 wrote to memory of 760	1544	Coacbfii.exe	40
PID 760 wrote to memory of 1052	760	Cmedlk32.exe	41
PID 760 wrote to memory of 1052	760	Cmedlk32.exe	41
PID 760 wrote to memory of 1052	760	Cmedlk32.exe	41
PID 760 wrote to memory of 1052	760	Cmedlk32.exe	41
PID 1052 wrote to memory of 1568	1052	Cfmhdpnc.exe	42
PID 1052 wrote to memory of 1568	1052	Cfmhdpnc.exe	42
PID 1052 wrote to memory of 1568	1052	Cfmhdpnc.exe	42
PID 1052 wrote to memory of 1568	1052	Cfmhdpnc.exe	42
PID 1568 wrote to memory of 2956	1568	Ckjamgmk.exe	43
PID 1568 wrote to memory of 2956	1568	Ckjamgmk.exe	43
PID 1568 wrote to memory of 2956	1568	Ckjamgmk.exe	43
PID 1568 wrote to memory of 2956	1568	Ckjamgmk.exe	43
PID 2956 wrote to memory of 1396	2956	Cagienkb.exe	44
PID 2956 wrote to memory of 1396	2956	Cagienkb.exe	44
PID 2956 wrote to memory of 1396	2956	Cagienkb.exe	44
PID 2956 wrote to memory of 1396	2956	Cagienkb.exe	44
PID 1396 wrote to memory of 1952	1396	Ckmnbg32.exe	45
PID 1396 wrote to memory of 1952	1396	Ckmnbg32.exe	45
PID 1396 wrote to memory of 1952	1396	Ckmnbg32.exe	45
PID 1396 wrote to memory of 1952	1396	Ckmnbg32.exe	45
PID 1952 wrote to memory of 668	1952	Cchbgi32.exe	46
PID 1952 wrote to memory of 668	1952	Cchbgi32.exe	46
PID 1952 wrote to memory of 668	1952	Cchbgi32.exe	46
PID 1952 wrote to memory of 668	1952	Cchbgi32.exe	46

C:\Users\Admin\AppData\Local\Temp\606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe
"C:\Users\Admin\AppData\Local\Temp\606108230ed860ff0a8074c5b74cd0695ce0f8cbc7a1a721f58343f0f7065d63N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Bqeqqk32.exe
  C:\Windows\system32\Bqeqqk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\Bccmmf32.exe
    C:\Windows\system32\Bccmmf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\Bdcifi32.exe
      C:\Windows\system32\Bdcifi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
128KB

MD5
d0959c3ca14070065f73041d0e6a8b81

SHA1
62f5100b6e92823e6b5c66adb2eda5b18bedc635

SHA256
8e4526236ad95a88a9a001def197a93d8aa5658bc9feefcdb689b977dcb8e6df

SHA512
2d0742ecae486f2397cda621c6b12829fd41fbd0155698b9a5ad6dbb52fe4c76350fd8702f4f2194cdbb69bd94941b24c08c089aab68c157e3e3fba2012a43c1

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
128KB

MD5
4b73bcd9be0293187e9e265bc8c99dc2

SHA1
0d65f9dc8a507a0a77ff7334f2ff001eb553ffad

SHA256
3a3ee08d07d3dc4ae0cd28590a8fa86717d7b84f38a7380289d9211fb2b05bd5

SHA512
9f27c87d132b54377da70039d3be33e6e497e788c00b6827ae9e3f4bda4dc7292c0e1d38f9fd1da1a44a6893a59ffe115996055165e17c239bef6827496d14a5

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
128KB

MD5
4e22d2c86fe674f93c9ffc4227ae1e4c

SHA1
6e2fb25e075e4a050aa16e58a652227f6a5ad352

SHA256
0d4635231449f182bf5bdbdcba212228b88e2bd7e9242a8be4baa1e280b2415c

SHA512
85d31af068cc465893322075b1f16ed526ebb1834b79b234ec1d3897158c236be386331e165b11829f2c66ef4609eb004004e145b60a19e05e707dff23a0779b

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
128KB

MD5
5b121de29d433bb5ff35d4bc2afe48c1

SHA1
30b690d312e85603d8c961f80c230f55d5c1b89e

SHA256
7374ebcfad3bbc5147eacbe98daa03293cb33a10f28dc7d97be97cbddfea865a

SHA512
ce82166de84e8bed72bf899f67d5d56db10d6c7cd809ec8c8d58446a005b7d15ed52ee5294063c6f977cd8c1a49651cac254939269b8297c6eaca0574faf7dab

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
128KB

MD5
21e3e50bfa4a66b35ec3b6097474f74a

SHA1
e29d2375059c8244bf937b3d705a41e5bb08d22c

SHA256
a0e91efe6b2cbe469e0dc3b44dea1acaa51ff2a095305756e802b9146502ef37

SHA512
644f080ecd05170bec0025df21d1f1faaff3c7cd7bf1ccdd571b0982f3688ff3baf2043cf3dbb1a477a2ffbe5c05a96b0f3c99f31763c96e1ac5e3094868968d

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
128KB

MD5
608e26c339c8b8030b8a9ac8fbcfe31f

SHA1
476347b442bd08e0db41719ec5a9c80bbbc88746

SHA256
8b672db2f8b6c9ee835ab725deb5bc4ee3e8eb2b93d82c6cfaa71a4a71ce8b59

SHA512
39163ca32f653333a2d89bab6064ec087ca990526326c0ac85d9d11a574cfee295d271cab999ff04d05bd4ae6078e2e1c6f6730778c8743e797950e6b033cba7

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
128KB

MD5
b869d5b7ad13af08be004bd24370c34e

SHA1
2beacb3254c68e1077e383b8a9dda7ef2c1a445c

SHA256
05696e33165160aa6ae4a8373f48474709f21dbba24c93cb28386e4e92756014

SHA512
c1e1ba12dcc68b7dbf153111f7b253d8a37a13c526454c90c9a74728dca687fcc1dfde585515324049d35bce85da97081f2452452949d9e6798bf48522ef025f

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
128KB

MD5
48ac6dac49398d1f1e15204125403b59

SHA1
b870339f92c44f2bd3c2e7de20953ffa08d2325a

SHA256
339b07820980774c657fcc9aa5a23cb03e59beecbd29dff3801f029a0b8b9b66

SHA512
5d1a850f5fef530c0874a679dbced7ddf24b6e2b4ca20cfae69e63ceb44a4ebcddd0ca2b058fe2992ad27bbb8457d128b27eef67c3bee8cf70fbd6148b534e29

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
128KB

MD5
abc5de506b02e3785cf4e3d05bb255f1

SHA1
60b933cc6ab0ca164da5ff5c95a32d3b617d5fe7

SHA256
b8783275d4e6241e6d62966d1adb2b9a938c5c2edca32da4db625a7692c99dec

SHA512
27fa81205d9fe0f557625e377dbd32a938f01c195a6e429b240439a52b12133227cfa9d1595c2ea903432bd2fdeecec34d7e8f49b27cd41e8de24b806dc37ad4

Download Submit
C:\Windows\SysWOW64\Gmkame32.dll

Filesize
7KB

MD5
e5e74c9511e6da078adb9f6ce98c551f

SHA1
fa0f70e45e4e2f7ad0d2dcea6bca7c1644045a01

SHA256
c373b77c720a785957a5529ab7235eab8f99874b1ec514d634ba3c2517adae73

SHA512
03179e27f9bcc1e393dae82edab3873dc953b7cbbce675817bd87634aba5ab8d720a37eb1b9f03ccc9734ae2febc2bb8f5ebdae2c7bfabbee1b7d05e00fd123d

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
128KB

MD5
142074ae2f1a0c1b7ba3ee513f158d02

SHA1
100016b6421cbcc4c21768951f45ef4ab6280d6c

SHA256
35e263099378036f3d2b92186dd9b266933395208921c92c8774c74bd991e6cc

SHA512
ca83df406ee9f415a111cb65fd75b89ccba7cf3bacff348960053636356c623b816362659437bd8dcf6f5c8c92ea9ab3afbfe6ef3d3fb2598fafa889ce2d9550

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
128KB

MD5
adf491eb8a54e3e5dda5c5a0a6ca33f9

SHA1
5e56b69379e7ed85195952c9b77221b302f9f858

SHA256
21f6e017adf63fe9532763ef494f6db0f2a7004eec6fc3f19195a8bd16ad5f2b

SHA512
6d6bb152f06e7d240197c8fa28e4335c0cd2902409a4a4eea28f572702372a59e00ff96964a4c06423c466578d5f46859f24ae5c1c56353a4f562ad1b9079fc3

Download Submit
\Windows\SysWOW64\Bdcifi32.exe

Filesize
128KB

MD5
d5dede23c29cd08567e4259a9414680c

SHA1
6eb4ad6c89e788388df7775838b05a3d7bc0793e

SHA256
1e3e5a9e90f87853d6668c9f4cd6950638744563a027ee8a971c0f8a3efbe7c5

SHA512
12fe0670f2ef89b312ca774619c352427756e05ce4df98a6bae7d6399871a46159713434f61c8dec42c2d016ed5266b6915aa36f999334a9b76c60bd692afa8d

Download Submit
\Windows\SysWOW64\Bgaebe32.exe

Filesize
128KB

MD5
406824bfa0011165135d0531cfbb9ed4

SHA1
f188801f84cbdefd28954b670606fe4a4c60a506

SHA256
2c167c86ee77929f6ce85b7a2203b0887882c4f2b3fde971ee1c91499d6c1952

SHA512
23b826abe38b57c8ed61342fa84987ae7a0b3546c1f884969cf227d8be032bdd15a08c3d040cafd0874912ccc58d04f82ac4045d4edb0bb070dc26591c1177c0

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
128KB

MD5
e27706f21d779e1ff2a4c821756200a2

SHA1
3bb01c2ad6e3088457376da97f189303017c014f

SHA256
e1eaacfaa9c6bbc5b6a12dfb235e65c652537a2705ccf8d3b5f84fd971bfb349

SHA512
74449bedc7a10eaaf456e52c062256fc9b51e800623219c2ee6bc18b484aa605ced44c1faa79b3542b7d5dda07022437b9eee1c80b910faf9ee99f6c1e1125f6

Download Submit
\Windows\SysWOW64\Cchbgi32.exe

Filesize
128KB

MD5
77448d8f43c4105e373e87d73f805e29

SHA1
4fd1930a60d72f5c814f434f517502d2ceec4999

SHA256
e6dbc0ba7c90b8afe2b663ac2848293fb50c862f85c12616dce355c27f35009f

SHA512
cc18ffe2373f906709ba7dc8cbc82c7c0d16b8905d5d60a8eb75269952ea36429421f987ded15fce4ee3c893f4a50ea78b1f6876ddf274a83478addd0d69e5f1

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
128KB

MD5
b28d51ae4d22c164e4b83d6e6d7d5e95

SHA1
d9afd90b717654de930c8ccc852175dc02e74a91

SHA256
f49e2ded837fd29c48b4d7e7fdcc57f85e70e79145c3e327c3bf6d9088851d69

SHA512
3948f43eb67a71e27f5b842173abce508bba3dfdd624040b8be77f27327294273a9eceb2c57a5e168d3cae92de917c6d2396d7628037e4b55aba155cc0bbd8fe

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
128KB

MD5
367a4426d36bf9be29bea0a7ffe80af1

SHA1
4f37ca145e27754500961bade717319241033f80

SHA256
261d7072a03669f6dcb160040189587800c8de0d4256d71213acddfa3673ff41

SHA512
e497c4f77b7037d5b7341fdac21b6b49e859f1e5af3accf411680474683aa5dbd90dbbeeb74cbbca4c17e746ec4fd07df6ceec0bc0546316a08bb9b4514ba763

Download Submit
\Windows\SysWOW64\Ckjamgmk.exe

Filesize
128KB

MD5
4c12c238de34af73b1bcd7099169de6b

SHA1
f54e800c261113a3cc855a74d9c2bd9d3e831dd0

SHA256
48ede0584f8d9e0de522256d64ac7ba8a68af9ff4e52b4d161d90b9bbb42b279

SHA512
32408b659fc9bd24b981465377d554cd275483aa194956dc022d3607d4f1732ce4b7b3245aa91f85f8e84b92a0f25fd7fb924b7b30ebdf1a5fe2dae0bcca9a50

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
128KB

MD5
1c058e1e77b68e1208aaa2e5d402fb8d

SHA1
e895df0d750c69dbe7735550d6f2bad273ccf782

SHA256
ecc865166cd32f6bbb71b0e05fba18ff2931d02a9277f08e6bb2ac173c31c130

SHA512
760ba9381d242a2fb188ec9447b1f4b349320af19a4d1292b16ca3a5c8a6b272eabd9f15a98dcede15960c25cff5b8bd279ae6d158dfb34fa1dd5ca6a042aa23

Download Submit
\Windows\SysWOW64\Cmedlk32.exe

Filesize
128KB

MD5
7364c47b61e3e32b45968b643c5c991c

SHA1
92157831636081efb95ba4b8b29cf9e0db856a26

SHA256
01760d13cd51f0c8523e9d4b320aab691ad0abf37dc7261292a47f6f4b8ed852

SHA512
3a161963d24ad9049ab9de053eb76df8dcdd0103f1ff9a37ae5caadf16d843cf95339fc9e5951975df5b76cb55be11b7bc4a8591637b1b7a6c3f8cc897dc8e4c

Download Submit
\Windows\SysWOW64\Coacbfii.exe

Filesize
128KB

MD5
8259e9d477dab1f45478a0c16911dfb3

SHA1
a7adafe80f5f96223a5923c5c3b504a5c9df662f

SHA256
cb9bfa2e27ffc85888044bcc4e3d7778a0a9692d07b751152c9e40478e9b55ba

SHA512
1e597b02e29260c568bc0881770919c9f6ebe7cdd7551dd2d998456bd660874d6974caf86ba6bd42623b877dbb914d5f11d6da7a2c8654d5193f11dafb0f1a8e

Download Submit
memory/668-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/668-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/760-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/760-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/760-141-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/1052-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1396-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1396-199-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1396-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1544-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-169-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1568-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-115-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1624-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1732-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1732-242-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1732-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1840-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1840-264-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1840-260-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1840-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1848-249-0x0000000000380000-0x00000000003C1000-memory.dmp

Filesize
260KB

Download
memory/1848-253-0x0000000000380000-0x00000000003C1000-memory.dmp

Filesize
260KB

Download
memory/1848-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1920-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1920-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1972-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2280-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2280-11-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2280-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2280-12-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2448-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-102-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2448-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-62-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2680-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-46-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2796-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2796-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-39-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2956-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads