berbew | 87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 00:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
Size

57KB
MD5

c79fc6dfd68b27ecc2966190a7cffdae
SHA1

a67e39fd915de916ae43ee3438f8394b7ae8f3af
SHA256

87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991
SHA512

bcc738fc9b32b3d841d691355b38167436f3a0331695540b395c9e6bae881effc6f86d87bc2a828837309db03012c54c7cd841113606c73a899634573d45a03a
SSDEEP

768:Hb7dAq2Os0UUpmup6D0Cr1/5UvM5FNGfMkm+FKq08dYU9K/1H55Xdnhg:77Oq290UBl0CrhqvoFNGNRKq0tU9IJ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 20 IoCs

pid	Process
2016	Bjdkjpkb.exe
2352	Bkegah32.exe
2704	Ccmpce32.exe
2780	Cbppnbhm.exe
2024	Cfkloq32.exe
2828	Cmedlk32.exe
2600	Cnfqccna.exe
2620	Cfmhdpnc.exe
1484	Cgoelh32.exe
536	Cpfmmf32.exe
2868	Cagienkb.exe
1876	Cinafkkd.exe
1948	Cnkjnb32.exe
3008	Ceebklai.exe
2656	Clojhf32.exe
2392	Cmpgpond.exe
1364	Cegoqlof.exe
1872	Djdgic32.exe
1652	Dmbcen32.exe
1392	Dpapaj32.exe

Loads dropped DLL 43 IoCs

pid	Process
276	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
276	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
2016	Bjdkjpkb.exe
2016	Bjdkjpkb.exe
2352	Bkegah32.exe
2352	Bkegah32.exe
2704	Ccmpce32.exe
2704	Ccmpce32.exe
2780	Cbppnbhm.exe
2780	Cbppnbhm.exe
2024	Cfkloq32.exe
2024	Cfkloq32.exe
2828	Cmedlk32.exe
2828	Cmedlk32.exe
2600	Cnfqccna.exe
2600	Cnfqccna.exe
2620	Cfmhdpnc.exe
2620	Cfmhdpnc.exe
1484	Cgoelh32.exe
1484	Cgoelh32.exe
536	Cpfmmf32.exe
536	Cpfmmf32.exe
2868	Cagienkb.exe
2868	Cagienkb.exe
1876	Cinafkkd.exe
1876	Cinafkkd.exe
1948	Cnkjnb32.exe
1948	Cnkjnb32.exe
3008	Ceebklai.exe
3008	Ceebklai.exe
2656	Clojhf32.exe
2656	Clojhf32.exe
2392	Cmpgpond.exe
2392	Cmpgpond.exe
1364	Cegoqlof.exe
1364	Cegoqlof.exe
1872	Djdgic32.exe
1872	Djdgic32.exe
1652	Dmbcen32.exe
1652	Dmbcen32.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1780	1392	WerFault.exe	50

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 276 wrote to memory of 2016	276	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe	31
PID 276 wrote to memory of 2016	276	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe	31
PID 276 wrote to memory of 2016	276	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe	31
PID 276 wrote to memory of 2016	276	87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe	31
PID 2016 wrote to memory of 2352	2016	Bjdkjpkb.exe	32
PID 2016 wrote to memory of 2352	2016	Bjdkjpkb.exe	32
PID 2016 wrote to memory of 2352	2016	Bjdkjpkb.exe	32
PID 2016 wrote to memory of 2352	2016	Bjdkjpkb.exe	32
PID 2352 wrote to memory of 2704	2352	Bkegah32.exe	33
PID 2352 wrote to memory of 2704	2352	Bkegah32.exe	33
PID 2352 wrote to memory of 2704	2352	Bkegah32.exe	33
PID 2352 wrote to memory of 2704	2352	Bkegah32.exe	33
PID 2704 wrote to memory of 2780	2704	Ccmpce32.exe	34
PID 2704 wrote to memory of 2780	2704	Ccmpce32.exe	34
PID 2704 wrote to memory of 2780	2704	Ccmpce32.exe	34
PID 2704 wrote to memory of 2780	2704	Ccmpce32.exe	34
PID 2780 wrote to memory of 2024	2780	Cbppnbhm.exe	35
PID 2780 wrote to memory of 2024	2780	Cbppnbhm.exe	35
PID 2780 wrote to memory of 2024	2780	Cbppnbhm.exe	35
PID 2780 wrote to memory of 2024	2780	Cbppnbhm.exe	35
PID 2024 wrote to memory of 2828	2024	Cfkloq32.exe	36
PID 2024 wrote to memory of 2828	2024	Cfkloq32.exe	36
PID 2024 wrote to memory of 2828	2024	Cfkloq32.exe	36
PID 2024 wrote to memory of 2828	2024	Cfkloq32.exe	36
PID 2828 wrote to memory of 2600	2828	Cmedlk32.exe	37
PID 2828 wrote to memory of 2600	2828	Cmedlk32.exe	37
PID 2828 wrote to memory of 2600	2828	Cmedlk32.exe	37
PID 2828 wrote to memory of 2600	2828	Cmedlk32.exe	37
PID 2600 wrote to memory of 2620	2600	Cnfqccna.exe	38
PID 2600 wrote to memory of 2620	2600	Cnfqccna.exe	38
PID 2600 wrote to memory of 2620	2600	Cnfqccna.exe	38
PID 2600 wrote to memory of 2620	2600	Cnfqccna.exe	38
PID 2620 wrote to memory of 1484	2620	Cfmhdpnc.exe	39
PID 2620 wrote to memory of 1484	2620	Cfmhdpnc.exe	39
PID 2620 wrote to memory of 1484	2620	Cfmhdpnc.exe	39
PID 2620 wrote to memory of 1484	2620	Cfmhdpnc.exe	39
PID 1484 wrote to memory of 536	1484	Cgoelh32.exe	40
PID 1484 wrote to memory of 536	1484	Cgoelh32.exe	40
PID 1484 wrote to memory of 536	1484	Cgoelh32.exe	40
PID 1484 wrote to memory of 536	1484	Cgoelh32.exe	40
PID 536 wrote to memory of 2868	536	Cpfmmf32.exe	41
PID 536 wrote to memory of 2868	536	Cpfmmf32.exe	41
PID 536 wrote to memory of 2868	536	Cpfmmf32.exe	41
PID 536 wrote to memory of 2868	536	Cpfmmf32.exe	41
PID 2868 wrote to memory of 1876	2868	Cagienkb.exe	42
PID 2868 wrote to memory of 1876	2868	Cagienkb.exe	42
PID 2868 wrote to memory of 1876	2868	Cagienkb.exe	42
PID 2868 wrote to memory of 1876	2868	Cagienkb.exe	42
PID 1876 wrote to memory of 1948	1876	Cinafkkd.exe	43
PID 1876 wrote to memory of 1948	1876	Cinafkkd.exe	43
PID 1876 wrote to memory of 1948	1876	Cinafkkd.exe	43
PID 1876 wrote to memory of 1948	1876	Cinafkkd.exe	43
PID 1948 wrote to memory of 3008	1948	Cnkjnb32.exe	44
PID 1948 wrote to memory of 3008	1948	Cnkjnb32.exe	44
PID 1948 wrote to memory of 3008	1948	Cnkjnb32.exe	44
PID 1948 wrote to memory of 3008	1948	Cnkjnb32.exe	44
PID 3008 wrote to memory of 2656	3008	Ceebklai.exe	45
PID 3008 wrote to memory of 2656	3008	Ceebklai.exe	45
PID 3008 wrote to memory of 2656	3008	Ceebklai.exe	45
PID 3008 wrote to memory of 2656	3008	Ceebklai.exe	45
PID 2656 wrote to memory of 2392	2656	Clojhf32.exe	46
PID 2656 wrote to memory of 2392	2656	Clojhf32.exe	46
PID 2656 wrote to memory of 2392	2656	Clojhf32.exe	46
PID 2656 wrote to memory of 2392	2656	Clojhf32.exe	46

C:\Users\Admin\AppData\Local\Temp\87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe
"C:\Users\Admin\AppData\Local\Temp\87a4fdde48db6ff3e8ef992913c8320e540ba91f103f3bf1b6c47bc499faa991.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:276
- C:\Windows\SysWOW64\Bjdkjpkb.exe
  C:\Windows\system32\Bjdkjpkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\Bkegah32.exe
    C:\Windows\system32\Bkegah32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\Ccmpce32.exe
      C:\Windows\system32\Ccmpce32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 144
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bkegah32.exe

Filesize
57KB

MD5
b75548db956006b93112e6f6f88a1b8f

SHA1
a877068f4b3825f0db488a3f60d6050424433be2

SHA256
ae6bc769212c835f17232a4a86742803978e44d33eef14db76dd921fd5d2f3ed

SHA512
3094feb0a9d3b6cb364784116aaa9e1fd3f48c1bd9435e368833e92f41ee389f4525a69166a3f3f709e6af911ad42aafe4950da7da51c61f52ce90b381129dfb

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
57KB

MD5
1798830751193379b4f49dc2056914b2

SHA1
bfe6afc35df62e9c7869831d726cf9247bd5a3c8

SHA256
d105837330695d3c041b623faa19730f35076a34bd5b766e2f2cd93c1fdb1b34

SHA512
26746d160c0803abe949758576e7356fa13022615c1c5954a3806903030b51350b68f32dada0b9ec16d6132bea721465eef38fa0b89e6c8af80ba563a18c1aeb

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
57KB

MD5
1a7e60a2a308527b7c13a64716b6b14a

SHA1
3915576d1aa1dfdfd677f909a4d9cdbfabc4d501

SHA256
78daad82bd0130d9900807117e47afb65143becd37fd8be1feb94db7847eb312

SHA512
0240692a9f336295eccc2b23e9b31341b82f4c10b9b0137338f8f0f3e90e8f791c7ec0da752ca1d05bb96c27a3811ebeae8322a05ef7c8ca34e904c01ed156a9

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
57KB

MD5
c099e6d3793bd691b860447be9aff970

SHA1
9c14cad1a74ce993c1aeae45a3d25208ab95ad56

SHA256
b1b46b9ccefef6838e8053199bfe6efadcad994a141aa8226d61a1881fd58e2d

SHA512
5b7772c6d409399b9f97730a2a211c71d8fbe67a3ccaa469d15ec129b6593b29a7f9508c5d2205822f8e0b13142cfd75e4ba61236f3e0c5ad6c3ddc0f7254db0

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
57KB

MD5
ca821fd849daa335f139c690e87b84b6

SHA1
1c8de9153b9d330e85d2b4b0a35872dff039e1e5

SHA256
5f897bfa85c18cb04b3ac439048b0136777da55bf3d8b15ffd3ca23e8c98e487

SHA512
c4c78c4b177f8a7758bab22970ffa2723b5b28eca6f8b45f5a2709e2dcda8353f4773b5c120362cbf5f59cebae6ee80f46c7588edc847c72a4097fe665d142ee

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
57KB

MD5
27656c67449046b67c54243411496411

SHA1
5a6271474aca6266a4d5aa426e8fca4c9cf2f315

SHA256
d7b8c7f7d6e82062f2ee867211d3d214d52b7c3200d40cfcb854a798fd141fab

SHA512
af568f740cdb64e138859972cfd2815e18c6ebf2e97c28345932a96cd8e7f9dd3184faa6d438e86c7acbb3110cc62f2a9360fda108c17aacad44049f374af2fb

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
57KB

MD5
d5d6b96ad1adbf78f887bff02163f7b3

SHA1
9354e00ad8a2c615c9abf203bb418e86090aacff

SHA256
b0b208b0a68b575c05788bce3da9cb66494e3b07245874b2d7558a7e9bd7b49b

SHA512
bafa8b13c12afbdee85ef726df9e1f33e2af91774622f1489d1229d83cecb3cf30a54f4fae366f0359cfa58605dc94efe2269e20f293c06d2ac65862653bbe87

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
57KB

MD5
1c70d0055749afb2853653467b3a4813

SHA1
8a1ba339d8ca0356499d13bf9c3605416f346ab7

SHA256
9133f0c362d88befa5fc3102c6e5813e8d0ebd2959fa0272d1d365356b2b7136

SHA512
3710a582e75911a07efb9c1533436d39d9432d5730cdedccc972f30c6379d4c51f3edd8bf5ece026dbdb7a918a6f87e8fc59a5f2a811215102b0cb7e0ff6a8c3

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
57KB

MD5
71d1f34640ced0c29b18fa2bb053068b

SHA1
aa89c995ad805006fd27ef0f77625ce663e4faf9

SHA256
ebdf731906db6c5ff5d3670635cf76423e4082194e710a554208b5f48a22ab84

SHA512
bae17e9722b46a9eca3f2a9199002d5dbbb9e9d973d064469629903e9c6216ecc95a2f754567ee54088239758d5f2ce80392481e637719401117db928f00a963

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
57KB

MD5
5d71d2e2c3694dfa8ab008f132dae428

SHA1
7dd66e697a8d8d7cd0689387022499b68cc6582b

SHA256
8531a5baf2df5ed1709e58faa959fc085c160ea584595508d25bf35c548d033f

SHA512
184cf8905baad82f40466a7aa35f23f22f410eea30558cf3602b2f8c7fbb320de4028381af5967a987b41809a5493c1c1083da38039b00b8bab60aef0b80a77b

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
57KB

MD5
32361f37c13ef17631a844b5f7d1c82c

SHA1
8515db4d24b4bc0c4abfced2bebe18a51f1104c2

SHA256
515754a72c4b9b93f0d2da8e9ebb5f423b74e8fb98af0e3276633d84ae6fcae7

SHA512
5d29850590677199eb391c28fff470ca9c8a4462819a724b1891afa3302419bae55a9822927fb832a7d294eb1e867136cee3d12e46af4b66593ed9915ddde676

Download Submit
\Windows\SysWOW64\Ceebklai.exe

Filesize
57KB

MD5
b5cf492033ff7b5f0767e711c159fb4c

SHA1
5faa415c8d5d82da83b215c6c0fd39c2816baf1e

SHA256
019675a74eab358ff3710aaa842d2a1fd453bc4e364b4ad7bdca8133fd4c79ea

SHA512
4f2980dab377606e39580403a05e2c3242f881d00c4fd09a3be007804dc7463bfe436b652980229b55b46f6bb60473737d9fc5c2d53b55bddb01c321fed95eed

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
57KB

MD5
44eedd34cf9fc02627979eb54b3d8651

SHA1
574d5c5dc8c7aae5a883d9b5e8940278d083dfe5

SHA256
626417d8f672697d555adc434b324c52a224779ae9e5a82fe08d886b174bb517

SHA512
46015c001ae07b8837f45da0ef340f84596bc1c47aa11b655a3b9b135e7fee57f315fca0a09db324ca2aaa7c182595ca6c7b415b364e131f4a446e6b82efce2d

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
57KB

MD5
00dc6c02a2f98d6a377733857fd5c874

SHA1
73ca6210ff0494b6ff31115877207b880e97b714

SHA256
138e3c5f43ec3f9f1567f851edacb0655969c7b0b82847d63fd4cb1fa54f1cd8

SHA512
f7c5f23431fa338e7d7a022f2d304a7af3c44843551284650a95f5654e9949beca68b3a0d8042a4fdc5b898c944c9748aaeffbddbd5b0f7c018631407be7b03b

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
57KB

MD5
8b4d641c0d1c5d4d67b505519f0afece

SHA1
f7156e7d92d1c80050fcdb3522a8f32bcd8ba6a3

SHA256
d7a22e9cc795fa9cfdc71e0948c533ba5f7c4a1d8b8815047b7643dee615c27a

SHA512
34bb33f41e581ebc0e7ce541fe56d411865fee0180d792330a6ed6c48a6120a08776d2861335f98c1811d7731cd3534af7d45d5e59f10c114c4144f7dd61f8e1

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
57KB

MD5
75a7699d7379d4d170efe081933f0d3d

SHA1
91c3a7241faad5cb80f3825866506f2fa802b868

SHA256
46cc10ec76b943ee7d980008c7c79fbc219a75629d4e78f17ea38d70b7fdac92

SHA512
88aae55cdbe845cba9a24fa4f76317d30cb29d0db6178339aec5a05f783e108509be8253394abd96be87b2802bc4da0bb4e796ee56536432227cbd387a8d58dc

Download Submit
\Windows\SysWOW64\Clojhf32.exe

Filesize
57KB

MD5
85116c7663795d131d5a956afede81b6

SHA1
3a81bf7f8509db09389d2af9e16ec715ec5dd8e9

SHA256
6ab80b254cc46fac80949ab7ff5de0da3b2d074966ca1a0f215a34da8f47f89c

SHA512
4a4aba3730c6bfb3539463da8b43f082ec56ad6b48273228edd7332760f115d46da10c0c7a35e6c13f67d8f186a445ed822503c3c7db65fe2e983e09618250b1

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
57KB

MD5
5528c087894c24eff9f31d0ac569bfd0

SHA1
23a73ff7982ad2202827baed1fcf63912712ef8f

SHA256
c6aa1230d4ab86877119179a89174b793d9ccb7bbd75ea623099ed8a5a4153aa

SHA512
bdb914f1d1ab3dcea6a495359341113692e89fee9d48bdcba7c94b052095b202eb14428702a6f9d0a53e3cf46a8f36eca764a880f3956ed6b16dcc275f659d4b

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
57KB

MD5
ddbb8c37dfb738be9661b6768231a9c4

SHA1
608319d8b60a501d47e18557cb3f321c6835626a

SHA256
7c1cf5b0204f533b13861503d813cfa7b011a4aa5c648f5d71b7073619a311eb

SHA512
a85ea0a2709e3233b7ad49cdba00ae90e4846385ac0659006f6b7a2562a59f4bb2996761097107672acf77418814da8fda4321b17f91e013608b70887f804705

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
57KB

MD5
5eeae42f63bced3e63bc51e8da0b15a3

SHA1
c0a50cce78545d748f55d1c7c87e102f7263a8bd

SHA256
f005fe2c74935cbab9e08d06f5abf18df8a948022914c98bee2f3aa0c98b67d0

SHA512
057c73e6a74e1fd3ff3f66b93df0f2a52de78dfaa01abc4f6c5b87a5e4611fe235a986a0e4140e2fafe3f387c59e9a113c4de3ed318bab68e74100dce44447d8

Download Submit
memory/276-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/276-7-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/276-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-131-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-139-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1364-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1392-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-118-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-250-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1652-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1872-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1872-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1872-237-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1876-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-165-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1876-158-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1948-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1948-185-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1948-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2016-24-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2016-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-219-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2392-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-103-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2600-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-50-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-52-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-78-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-193-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads