berbew | a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317

Analysis

max time kernel
82s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
Size

94KB
MD5

d067d105cf111114d23991eeb4ab59a4
SHA1

f0ca7b7be3801363ff998b841d3f4e122f8a68b8
SHA256

a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317
SHA512

9eb5ecbb70c68fb760ebfb4f18bec966fb24e0231e94c26c3c19087a4d2be11d9771d16e527bceb8a7db34a6e215d98d43819c1e2f894c54fc2d454b679c99c2
SSDEEP

1536:NOdjSjIhsRu/nxRHLlYPq9zawWzLPHq39KUIC0uGmVJHQj1BEsCOyiKbZ9rQJg:NOBsMPXLlYPq9zDWzjH6KU90uGimj1iZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmgifa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjnmlel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnofp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clclhmin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caenkc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfcjag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjpnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caenkc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpjnmlel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beggec32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkioeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkkioeig.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgbfcjag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnofp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjpnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmgifa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cobhdhha.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 20 IoCs

pid	Process
2536	Bhjpnj32.exe
2836	Bmgifa32.exe
2864	Bdaabk32.exe
3008	Bhmmcjjd.exe
2876	Bkkioeig.exe
2768	Bknfeege.exe
2764	Bpjnmlel.exe
2476	Beggec32.exe
636	Bmnofp32.exe
2124	Cbkgog32.exe
2916	Clclhmin.exe
948	Cobhdhha.exe
2908	Ciglaa32.exe
2372	Ckiiiine.exe
2300	Cabaec32.exe
2200	Chmibmlo.exe
2060	Caenkc32.exe
2504	Cdcjgnbc.exe
560	Cgbfcjag.exe
340	Coindgbi.exe

Loads dropped DLL 40 IoCs

pid	Process
528	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
528	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
2536	Bhjpnj32.exe
2536	Bhjpnj32.exe
2836	Bmgifa32.exe
2836	Bmgifa32.exe
2864	Bdaabk32.exe
2864	Bdaabk32.exe
3008	Bhmmcjjd.exe
3008	Bhmmcjjd.exe
2876	Bkkioeig.exe
2876	Bkkioeig.exe
2768	Bknfeege.exe
2768	Bknfeege.exe
2764	Bpjnmlel.exe
2764	Bpjnmlel.exe
2476	Beggec32.exe
2476	Beggec32.exe
636	Bmnofp32.exe
636	Bmnofp32.exe
2124	Cbkgog32.exe
2124	Cbkgog32.exe
2916	Clclhmin.exe
2916	Clclhmin.exe
948	Cobhdhha.exe
948	Cobhdhha.exe
2908	Ciglaa32.exe
2908	Ciglaa32.exe
2372	Ckiiiine.exe
2372	Ckiiiine.exe
2300	Cabaec32.exe
2300	Cabaec32.exe
2200	Chmibmlo.exe
2200	Chmibmlo.exe
2060	Caenkc32.exe
2060	Caenkc32.exe
2504	Cdcjgnbc.exe
2504	Cdcjgnbc.exe
560	Cgbfcjag.exe
560	Cgbfcjag.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aohiimmp.dll	Bdaabk32.exe
File opened for modification	C:\Windows\SysWOW64\Beggec32.exe	Bpjnmlel.exe
File created	C:\Windows\SysWOW64\Ciglaa32.exe	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Cdcjgnbc.exe	Caenkc32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Cgbfcjag.exe
File opened for modification	C:\Windows\SysWOW64\Bhjpnj32.exe	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
File created	C:\Windows\SysWOW64\Bdaabk32.exe	Bmgifa32.exe
File created	C:\Windows\SysWOW64\Idcnlffk.dll	Bkkioeig.exe
File created	C:\Windows\SysWOW64\Clclhmin.exe	Cbkgog32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiiiine.exe	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Jqlidcln.dll	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Chmibmlo.exe	Cabaec32.exe
File created	C:\Windows\SysWOW64\Mpgoaiep.dll	Cabaec32.exe
File created	C:\Windows\SysWOW64\Bhmmcjjd.exe	Bdaabk32.exe
File created	C:\Windows\SysWOW64\Fbflbd32.dll	Bhmmcjjd.exe
File created	C:\Windows\SysWOW64\Cgbfcjag.exe	Cdcjgnbc.exe
File created	C:\Windows\SysWOW64\Bmgifa32.exe	Bhjpnj32.exe
File opened for modification	C:\Windows\SysWOW64\Cobhdhha.exe	Clclhmin.exe
File created	C:\Windows\SysWOW64\Edalmn32.dll	Beggec32.exe
File created	C:\Windows\SysWOW64\Cbkgog32.exe	Bmnofp32.exe
File created	C:\Windows\SysWOW64\Bpjnmlel.exe	Bknfeege.exe
File opened for modification	C:\Windows\SysWOW64\Bmnofp32.exe	Beggec32.exe
File opened for modification	C:\Windows\SysWOW64\Cabaec32.exe	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Bhjpnj32.exe	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
File created	C:\Windows\SysWOW64\Bkkioeig.exe	Bhmmcjjd.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Cgbfcjag.exe
File opened for modification	C:\Windows\SysWOW64\Bpjnmlel.exe	Bknfeege.exe
File created	C:\Windows\SysWOW64\Iafehn32.dll	Caenkc32.exe
File created	C:\Windows\SysWOW64\Hkfggj32.dll	Clclhmin.exe
File created	C:\Windows\SysWOW64\Dhhdmc32.dll	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Cobhdhha.exe	Clclhmin.exe
File opened for modification	C:\Windows\SysWOW64\Cgbfcjag.exe	Cdcjgnbc.exe
File created	C:\Windows\SysWOW64\Befddlni.dll	Cdcjgnbc.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Cgbfcjag.exe
File created	C:\Windows\SysWOW64\Beggec32.exe	Bpjnmlel.exe
File opened for modification	C:\Windows\SysWOW64\Chmibmlo.exe	Cabaec32.exe
File created	C:\Windows\SysWOW64\Kbmamh32.dll	Bpjnmlel.exe
File created	C:\Windows\SysWOW64\Bmnofp32.exe	Beggec32.exe
File opened for modification	C:\Windows\SysWOW64\Ciglaa32.exe	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Caenkc32.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Hdjgff32.dll	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
File created	C:\Windows\SysWOW64\Kpijio32.dll	Bknfeege.exe
File opened for modification	C:\Windows\SysWOW64\Bknfeege.exe	Bkkioeig.exe
File created	C:\Windows\SysWOW64\Mokegi32.dll	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Jchbfbij.dll	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Bijpeihq.dll	Bmgifa32.exe
File created	C:\Windows\SysWOW64\Bknfeege.exe	Bkkioeig.exe
File opened for modification	C:\Windows\SysWOW64\Cdcjgnbc.exe	Caenkc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmgifa32.exe	Bhjpnj32.exe
File created	C:\Windows\SysWOW64\Jlmhimhb.dll	Bmnofp32.exe
File created	C:\Windows\SysWOW64\Ckiiiine.exe	Ciglaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bhmmcjjd.exe	Bdaabk32.exe
File opened for modification	C:\Windows\SysWOW64\Cbkgog32.exe	Bmnofp32.exe
File created	C:\Windows\SysWOW64\Cmpbigma.dll	Bhjpnj32.exe
File opened for modification	C:\Windows\SysWOW64\Clclhmin.exe	Cbkgog32.exe
File opened for modification	C:\Windows\SysWOW64\Bkkioeig.exe	Bhmmcjjd.exe
File opened for modification	C:\Windows\SysWOW64\Caenkc32.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Hakhbifq.dll	Chmibmlo.exe
File opened for modification	C:\Windows\SysWOW64\Bdaabk32.exe	Bmgifa32.exe
File created	C:\Windows\SysWOW64\Cabaec32.exe	Ckiiiine.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caenkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfcjag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkkioeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beggec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkgog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiiiine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknfeege.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cobhdhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcjgnbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdaabk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjnmlel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnofp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciglaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmibmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjpnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmgifa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmmcjjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clclhmin.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmgifa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijpeihq.dll"	Bmgifa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkkioeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcnlffk.dll"	Bkkioeig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjgff32.dll"	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpbigma.dll"	Bhjpnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edalmn32.dll"	Beggec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clclhmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caenkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakhbifq.dll"	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmhimhb.dll"	Bmnofp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpjnmlel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqlidcln.dll"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhjpnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmgifa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfggj32.dll"	Clclhmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjpnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpijio32.dll"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafehn32.dll"	Caenkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohiimmp.dll"	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmamh32.dll"	Bpjnmlel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll"	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll"	Cobhdhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcjgnbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cobhdhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caenkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befddlni.dll"	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbflbd32.dll"	Bhmmcjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpjnmlel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnofp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll"	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkkioeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabaec32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 2536	528	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe	30
PID 528 wrote to memory of 2536	528	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe	30
PID 528 wrote to memory of 2536	528	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe	30
PID 528 wrote to memory of 2536	528	a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe	30
PID 2536 wrote to memory of 2836	2536	Bhjpnj32.exe	31
PID 2536 wrote to memory of 2836	2536	Bhjpnj32.exe	31
PID 2536 wrote to memory of 2836	2536	Bhjpnj32.exe	31
PID 2536 wrote to memory of 2836	2536	Bhjpnj32.exe	31
PID 2836 wrote to memory of 2864	2836	Bmgifa32.exe	32
PID 2836 wrote to memory of 2864	2836	Bmgifa32.exe	32
PID 2836 wrote to memory of 2864	2836	Bmgifa32.exe	32
PID 2836 wrote to memory of 2864	2836	Bmgifa32.exe	32
PID 2864 wrote to memory of 3008	2864	Bdaabk32.exe	33
PID 2864 wrote to memory of 3008	2864	Bdaabk32.exe	33
PID 2864 wrote to memory of 3008	2864	Bdaabk32.exe	33
PID 2864 wrote to memory of 3008	2864	Bdaabk32.exe	33
PID 3008 wrote to memory of 2876	3008	Bhmmcjjd.exe	34
PID 3008 wrote to memory of 2876	3008	Bhmmcjjd.exe	34
PID 3008 wrote to memory of 2876	3008	Bhmmcjjd.exe	34
PID 3008 wrote to memory of 2876	3008	Bhmmcjjd.exe	34
PID 2876 wrote to memory of 2768	2876	Bkkioeig.exe	35
PID 2876 wrote to memory of 2768	2876	Bkkioeig.exe	35
PID 2876 wrote to memory of 2768	2876	Bkkioeig.exe	35
PID 2876 wrote to memory of 2768	2876	Bkkioeig.exe	35
PID 2768 wrote to memory of 2764	2768	Bknfeege.exe	36
PID 2768 wrote to memory of 2764	2768	Bknfeege.exe	36
PID 2768 wrote to memory of 2764	2768	Bknfeege.exe	36
PID 2768 wrote to memory of 2764	2768	Bknfeege.exe	36
PID 2764 wrote to memory of 2476	2764	Bpjnmlel.exe	37
PID 2764 wrote to memory of 2476	2764	Bpjnmlel.exe	37
PID 2764 wrote to memory of 2476	2764	Bpjnmlel.exe	37
PID 2764 wrote to memory of 2476	2764	Bpjnmlel.exe	37
PID 2476 wrote to memory of 636	2476	Beggec32.exe	38
PID 2476 wrote to memory of 636	2476	Beggec32.exe	38
PID 2476 wrote to memory of 636	2476	Beggec32.exe	38
PID 2476 wrote to memory of 636	2476	Beggec32.exe	38
PID 636 wrote to memory of 2124	636	Bmnofp32.exe	39
PID 636 wrote to memory of 2124	636	Bmnofp32.exe	39
PID 636 wrote to memory of 2124	636	Bmnofp32.exe	39
PID 636 wrote to memory of 2124	636	Bmnofp32.exe	39
PID 2124 wrote to memory of 2916	2124	Cbkgog32.exe	40
PID 2124 wrote to memory of 2916	2124	Cbkgog32.exe	40
PID 2124 wrote to memory of 2916	2124	Cbkgog32.exe	40
PID 2124 wrote to memory of 2916	2124	Cbkgog32.exe	40
PID 2916 wrote to memory of 948	2916	Clclhmin.exe	41
PID 2916 wrote to memory of 948	2916	Clclhmin.exe	41
PID 2916 wrote to memory of 948	2916	Clclhmin.exe	41
PID 2916 wrote to memory of 948	2916	Clclhmin.exe	41
PID 948 wrote to memory of 2908	948	Cobhdhha.exe	42
PID 948 wrote to memory of 2908	948	Cobhdhha.exe	42
PID 948 wrote to memory of 2908	948	Cobhdhha.exe	42
PID 948 wrote to memory of 2908	948	Cobhdhha.exe	42
PID 2908 wrote to memory of 2372	2908	Ciglaa32.exe	43
PID 2908 wrote to memory of 2372	2908	Ciglaa32.exe	43
PID 2908 wrote to memory of 2372	2908	Ciglaa32.exe	43
PID 2908 wrote to memory of 2372	2908	Ciglaa32.exe	43
PID 2372 wrote to memory of 2300	2372	Ckiiiine.exe	44
PID 2372 wrote to memory of 2300	2372	Ckiiiine.exe	44
PID 2372 wrote to memory of 2300	2372	Ckiiiine.exe	44
PID 2372 wrote to memory of 2300	2372	Ckiiiine.exe	44
PID 2300 wrote to memory of 2200	2300	Cabaec32.exe	45
PID 2300 wrote to memory of 2200	2300	Cabaec32.exe	45
PID 2300 wrote to memory of 2200	2300	Cabaec32.exe	45
PID 2300 wrote to memory of 2200	2300	Cabaec32.exe	45

C:\Users\Admin\AppData\Local\Temp\a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe
"C:\Users\Admin\AppData\Local\Temp\a00a432c94c939da9e2c8851ec8d9124aafad2a359b2113c38d996610c67f317.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\SysWOW64\Bhjpnj32.exe
  C:\Windows\system32\Bhjpnj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\Bmgifa32.exe
    C:\Windows\system32\Bmgifa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\Bdaabk32.exe
      C:\Windows\system32\Bdaabk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Bhmmcjjd.exe
        
        C:\Windows\system32\Bhmmcjjd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\SysWOW64\Bkkioeig.exe
        
        C:\Windows\system32\Bkkioeig.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Bknfeege.exe
        
        C:\Windows\system32\Bknfeege.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Bpjnmlel.exe
        
        C:\Windows\system32\Bpjnmlel.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Beggec32.exe
        
        C:\Windows\system32\Beggec32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Bmnofp32.exe
        
        C:\Windows\system32\Bmnofp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Cbkgog32.exe
        
        C:\Windows\system32\Cbkgog32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Clclhmin.exe
        
        C:\Windows\system32\Clclhmin.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Cobhdhha.exe
        
        C:\Windows\system32\Cobhdhha.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Ciglaa32.exe
        
        C:\Windows\system32\Ciglaa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Ckiiiine.exe
        
        C:\Windows\system32\Ckiiiine.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Cabaec32.exe
        
        C:\Windows\system32\Cabaec32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Chmibmlo.exe
        
        C:\Windows\system32\Chmibmlo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Caenkc32.exe
        
        C:\Windows\system32\Caenkc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Cdcjgnbc.exe
        
        C:\Windows\system32\Cdcjgnbc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Cgbfcjag.exe
        
        C:\Windows\system32\Cgbfcjag.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdaabk32.exe

Filesize
94KB

MD5
9f3a7c80e89c624a7cae030526372ec4

SHA1
324ea177e91803a11d694216ac72f66ef8729663

SHA256
03b95581730032ee2bc5ef38e53ea0f598ef9fd83aa2f32a72d24f5e078fee97

SHA512
47b7e0dfac0ee4c398860535e4e47f14bbbe192f55b30649fe31ccfb394dfc24b9a62c28db4f71b5b8e575441cfea884ab77214716ede80d11a09d363878ce35

Download Submit
C:\Windows\SysWOW64\Bhmmcjjd.exe

Filesize
94KB

MD5
12caa570f3be8736083172926e98508c

SHA1
507375379fd3173061923942df4948dcc7671cd4

SHA256
f58e031f84e1eea7613b146e86b9f1db7a2c9194e92a01e2ae0513ed36ae7ad8

SHA512
3d5ca589a5f9fe2799f91a837d5f465a01b4eba5e72475a8f1bc342a574e2c7c534e0b72778c86a28ab9122eb7bd463a9cc33b6e7d943fa431e4b5a40ba3229b

Download Submit
C:\Windows\SysWOW64\Bknfeege.exe

Filesize
94KB

MD5
1e5f435964395c24fafadc8115c05e28

SHA1
c4721156ad49844f8b5fbdcd22dc44b4c0c40819

SHA256
e12eaa6f43bd0ca14fba1a4b16ab89608ad2ecf3f34728e2574e50c9cdde2259

SHA512
78793752c642d37034b9046e43fc0e2d853621e6bfe74351ba33c9ec1959520968e5dbe62e653e2c7c0eeb98ec7447adc5464feea096eb5f1e5c48435307bf40

Download Submit
C:\Windows\SysWOW64\Bmgifa32.exe

Filesize
94KB

MD5
919cf03d6581e578a7af0306086a0e11

SHA1
5e5ef6786d7d3b34cfd26cff8d303773a8ffd7f2

SHA256
a5101edadb06a5c68a10099f2810249c577eb1db2483038134175d1137c88b52

SHA512
d0dc9e8874f368f1c4b3020e7fe25f88cfdabe35bf64a4c850e0daa0d29201f3f70e5683d9cbd895a292d6d1f66b7ac5cec1594f3f99a6899c9937de6ccd743b

Download Submit
C:\Windows\SysWOW64\Caenkc32.exe

Filesize
94KB

MD5
468824622dda8c00281b6938c2553b94

SHA1
4aa16ac3e43b16cf7c3f34f8017daf738489a90e

SHA256
6c5f94aec2528cc649008d2eb9b10734a150c6444a3bbb379b403123e9a538a8

SHA512
f98f294a81f8df54ad7e0d8d9f941541db9d44404e8cf0e51c785a29fc0c602bb37cff1dc1e4c018e451394e07acb4de92823688f4923fd6466dd77995ccb5e7

Download Submit
C:\Windows\SysWOW64\Cbkgog32.exe

Filesize
94KB

MD5
44755e2cd6aa82537e5ef18e3aebc35b

SHA1
8f39b212b8e9414259003a8a23128b8a4c89bfba

SHA256
8575879d2c2fae2cd8172c70af391a6aab8adac44236d442fc44afe55cd775e2

SHA512
14e88ddd578cef92f76f73457bf1c3f933b179fd5bb757ad954e7fea4fddb85a040e2a634be91ca4bc226b2988531a570213599c49dfac72d64e07fa58fb2e99

Download Submit
C:\Windows\SysWOW64\Cdcjgnbc.exe

Filesize
94KB

MD5
8b34e91db02e6672db40dc69409551d1

SHA1
1fb906db4e405f9bcc4e29e721b366c261c5034f

SHA256
68a7f4f353822062fb82d128a69c74b61fcf23214dab065e69444c94b46ad6a4

SHA512
1359428d20cc642cfb1e560c26789af10e01b80e63aaae495f5b374333e4a23a72e61f11d702814014355dd53376880862cfad5e69825c54c14b269a5dd2e7a4

Download Submit
C:\Windows\SysWOW64\Cgbfcjag.exe

Filesize
94KB

MD5
add388171731cda6f1a9535f2d9d48ca

SHA1
0dc5a7ef29e7c97ad91e4c651f173c32f9d70921

SHA256
bc46712e1789b2f52a63ae5489b956d7eb9783305d498840ffebb2430373c83d

SHA512
88e28e5fa22d138518effc800737a9253a8ec580c704611aef4e2112effd5195ae8c594190f85083b678636d0c25013188cfb2ba0d55ad192bfd996dac000adc

Download Submit
C:\Windows\SysWOW64\Chmibmlo.exe

Filesize
94KB

MD5
39a2bd5d1f16c775330ffa0fd29d63ca

SHA1
7139d117fbcfa99a61c3ead7f5f1d6fb878e69eb

SHA256
badbb2e6501e5eb0b21cc1c2ed721e9d9b960b41446693770c32c6279114881e

SHA512
ea4aa1b23c11643c17e190dd41b1f7449ea915abf7c737ddedb2b4b0828919ba91a9089cb84610f596bc8eac193c1464e06fb536279e4203070fe363ab727eea

Download Submit
C:\Windows\SysWOW64\Ckiiiine.exe

Filesize
94KB

MD5
8910783ebf1699a7d207d7d2f2df630f

SHA1
f0e89af9602f24e1b49b1afa63b98af3f226119c

SHA256
d27b0e1180f3530e63599eb15a9897be8dcd073edb4e3596d000a7ccf0b9df66

SHA512
f37952583e49311cdf1a9d79285f6818a34697c53fdea79704afbba8ddd0564e1904dafad511d5487e19fc64fcf1950db1f30233cf899a890886296bffc62709

Download Submit
C:\Windows\SysWOW64\Cobhdhha.exe

Filesize
94KB

MD5
d7f39a96245b08e40a2fe10de776cc42

SHA1
e57407e578f764d8d65a34d28d19059f92a886d8

SHA256
1a55d1377eaaf3e385b3955e7ddc811d947d163b1c6ac44030cf743b253bc253

SHA512
14024321a882d3d01f983d1854c6fb52cd113a22b243b8a640d28b41aceb15ee9aeb2bd2939a7288264e6aa8081e0f7b2797dd4fb4d580479d59273136330649

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
94KB

MD5
57011cd06de944923432224c06e9eab6

SHA1
dab14eb1a419008091df8c2d383a041964a77f64

SHA256
190b677de8dc6f50120b8683dd592ef2b39a17d70486b0973c03836bc3bb56c9

SHA512
4049f6a16ffe5b7baf8119ce81eba0b1a14d16eee845414e3dbdf4646f6a5a73b6ac9ae51cd6a31e187f8484efcb7cddde67cbe2fa6b8d76c1b37100864dd85f

Download Submit
\Windows\SysWOW64\Beggec32.exe

Filesize
94KB

MD5
ce3fa6503eb651248f1a3825a7ea88dd

SHA1
b32ca1b75cf93ee0cfe75b2edfdc086ddb40b9e2

SHA256
ebd8ff003a03388dbfba187fbb002f033cd243f45fe9e0b99bf839c9f065bff1

SHA512
2657d9390e1541e5099bdc636f5370f44da980afb196adcb03d473aa89214b904126291c9fa418a49a947fccc93a25c438a2941478f889322141f0b3a51a491b

Download Submit
\Windows\SysWOW64\Bhjpnj32.exe

Filesize
94KB

MD5
26289ffcc24f1128b9894be97d11c3d3

SHA1
1127a2c0ed658e1792c4507aef53a9a55f7c14c5

SHA256
e5bdd37500f85c33bab4d8d335ef09b4fa5bb3151c7273abf0faeb0f10413607

SHA512
c2c9c7401b8e1eac1d719d5fa4e23823cebfcba6ed5cd2e14c62b39e490f8a4b9b7fcb9054deb22452fcae44909cc8a40bee787842903f94469b0ced6770dbfc

Download Submit
\Windows\SysWOW64\Bkkioeig.exe

Filesize
94KB

MD5
de3974296b690aea99e76659140e7eae

SHA1
c2e179e0b07bfd54734dbf9444e68ae0ae33a08f

SHA256
a79540577df6d2ab43b75ebc5c27e35ba7f06e16a4455b77448c3fe654fb9277

SHA512
7b90c818e5c9e0a1cba25f6c6779ff5e8a20cd918dbc9f67013200c7e67eb8f2354e704be46ebb857a5229e6321d52fc17d6052eae72c7598929c4c6580a3243

Download Submit
\Windows\SysWOW64\Bmnofp32.exe

Filesize
94KB

MD5
4417abc9e56f2ca85ece27b22de3187e

SHA1
e59b69581f1c2ff4007e982367c425e2f2efdbb8

SHA256
2c7b7a30b3825bb1058ac82bb68af6c3c204c345c19b80fd560d7278e7d810e1

SHA512
0ca3c1a1d559ab6cb35067aef5c29391ddbdab8d69c93e218332f53ecab29f492cdc993ece458a0050236a5ab67e076488666cff6ae34ca742bf448422d23dd3

Download Submit
\Windows\SysWOW64\Bpjnmlel.exe

Filesize
94KB

MD5
4afbbf250470b9f35e8cff39768573c8

SHA1
da63443b39f1431bc069a13c2d21b3b74386d459

SHA256
32dec1756e4d636137eaa52abf60618847165d339760b663c4be7f3f9aee029e

SHA512
d1c48a7c1c11bb2ab012fe480e0e1c9d4f1d0999037b940450769a2f2b8aaa89d721c2c1f3884d51163df74c9921d480fd5ffeb5a1b5e9f8497dbe2ea7af6090

Download Submit
\Windows\SysWOW64\Cabaec32.exe

Filesize
94KB

MD5
14d9984b2714c8cad8ca4a72e03d4740

SHA1
81bec2f1cbe575768f9c1ac62e3017ddd5b208de

SHA256
41a3642c3cb1b3071173919216a4a86a0eadb529436373caa9aa9e70b529353e

SHA512
952b1a89b8b27765bd4d6c6e121dc3344a86b41da72af653d16d578c1a1a99fc0515025a09b1a1b9302c372fdf3037120575f37bb5b8e6dd65e232750d0703d1

Download Submit
\Windows\SysWOW64\Ciglaa32.exe

Filesize
94KB

MD5
a13cdca89866f33a994c018ecf470e92

SHA1
3ec924578fea29ab1727d24452a6dcec1c26d67d

SHA256
a683094e3d6e91cef8e7a4db0172bf60946a83e0e6c1884421a798bb8a23122d

SHA512
a962bc12ae9b45b0efc9477f15f8721830d15175f978a522aa7bb6bac081b898909965396b8a8cbfade6f9df987b4c30f04036ac3242f025a64a99e3913bda52

Download Submit
\Windows\SysWOW64\Clclhmin.exe

Filesize
94KB

MD5
fed9241a5490b1d9937adff485e4a7b7

SHA1
feb8e5b11955ce2a9eea95b08e5b9eecc5000285

SHA256
f61b0f0a981b6b9908930f106294652a62d14805fd69d4eb2cae6f4125f8c8d1

SHA512
d086f16ec73df0d10d9006d18cbad75f085dabdee540301c004f54c48330e995c13dad207a1a410fb8d00b9f12bb5bbb55a18400d661ad6265f54df44afc06be

Download Submit
memory/340-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/340-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-4-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-7-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/528-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/560-255-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/560-254-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/560-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/636-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/636-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-168-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2060-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-142-0x0000000001F70000-0x0000000001FB0000-memory.dmp

Filesize
256KB

Download
memory/2124-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-222-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2300-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-195-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2372-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-115-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2476-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-244-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2504-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-30-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2536-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-259-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2836-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-34-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2864-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-79-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2876-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-161-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2916-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-61-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads