berbew | caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
Size

76KB
MD5

cc5fd664849aa5b1dc04110884b85a5b
SHA1

c67f95b2926b385c8e1a6a67322f41751471cd20
SHA256

caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6
SHA512

e65d94b66c13138b47e7d6f895d484ffa20d43156f7d932c7486e21bd14c41517a4ea113587923d462472609f421d435fc2d1a1b97678f8f350b5c0bc0368cd2
SSDEEP

1536:Qm92uxpC4DS4C+5bqBtoSpXBpIaUg2V6JQ2yewHioQV+/eCeyvCQy:39lxpC4DST+5bqBK0fIaUg2oJ2VHrk+M

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 20 IoCs

pid	Process
2216	Bkjdndjo.exe
2788	Bqgmfkhg.exe
2848	Bnknoogp.exe
2768	Bchfhfeh.exe
2580	Bffbdadk.exe
2124	Bcjcme32.exe
2912	Bbmcibjp.exe
2312	Bkegah32.exe
1920	Cfkloq32.exe
2964	Cenljmgq.exe
2880	Cocphf32.exe
1848	Cgoelh32.exe
2400	Cnimiblo.exe
1948	Ckmnbg32.exe
1040	Cnkjnb32.exe
408	Cchbgi32.exe
620	Cjakccop.exe
1172	Cgfkmgnj.exe
1632	Cfhkhd32.exe
2024	Dpapaj32.exe

Loads dropped DLL 43 IoCs

pid	Process
824	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
824	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
2216	Bkjdndjo.exe
2216	Bkjdndjo.exe
2788	Bqgmfkhg.exe
2788	Bqgmfkhg.exe
2848	Bnknoogp.exe
2848	Bnknoogp.exe
2768	Bchfhfeh.exe
2768	Bchfhfeh.exe
2580	Bffbdadk.exe
2580	Bffbdadk.exe
2124	Bcjcme32.exe
2124	Bcjcme32.exe
2912	Bbmcibjp.exe
2912	Bbmcibjp.exe
2312	Bkegah32.exe
2312	Bkegah32.exe
1920	Cfkloq32.exe
1920	Cfkloq32.exe
2964	Cenljmgq.exe
2964	Cenljmgq.exe
2880	Cocphf32.exe
2880	Cocphf32.exe
1848	Cgoelh32.exe
1848	Cgoelh32.exe
2400	Cnimiblo.exe
2400	Cnimiblo.exe
1948	Ckmnbg32.exe
1948	Ckmnbg32.exe
1040	Cnkjnb32.exe
1040	Cnkjnb32.exe
408	Cchbgi32.exe
408	Cchbgi32.exe
620	Cjakccop.exe
620	Cjakccop.exe
1172	Cgfkmgnj.exe
1172	Cgfkmgnj.exe
1632	Cfhkhd32.exe
1632	Cfhkhd32.exe
1480	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cnimiblo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1480	2024	WerFault.exe	50

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2216	824	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe	31
PID 824 wrote to memory of 2216	824	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe	31
PID 824 wrote to memory of 2216	824	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe	31
PID 824 wrote to memory of 2216	824	caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe	31
PID 2216 wrote to memory of 2788	2216	Bkjdndjo.exe	32
PID 2216 wrote to memory of 2788	2216	Bkjdndjo.exe	32
PID 2216 wrote to memory of 2788	2216	Bkjdndjo.exe	32
PID 2216 wrote to memory of 2788	2216	Bkjdndjo.exe	32
PID 2788 wrote to memory of 2848	2788	Bqgmfkhg.exe	33
PID 2788 wrote to memory of 2848	2788	Bqgmfkhg.exe	33
PID 2788 wrote to memory of 2848	2788	Bqgmfkhg.exe	33
PID 2788 wrote to memory of 2848	2788	Bqgmfkhg.exe	33
PID 2848 wrote to memory of 2768	2848	Bnknoogp.exe	34
PID 2848 wrote to memory of 2768	2848	Bnknoogp.exe	34
PID 2848 wrote to memory of 2768	2848	Bnknoogp.exe	34
PID 2848 wrote to memory of 2768	2848	Bnknoogp.exe	34
PID 2768 wrote to memory of 2580	2768	Bchfhfeh.exe	35
PID 2768 wrote to memory of 2580	2768	Bchfhfeh.exe	35
PID 2768 wrote to memory of 2580	2768	Bchfhfeh.exe	35
PID 2768 wrote to memory of 2580	2768	Bchfhfeh.exe	35
PID 2580 wrote to memory of 2124	2580	Bffbdadk.exe	36
PID 2580 wrote to memory of 2124	2580	Bffbdadk.exe	36
PID 2580 wrote to memory of 2124	2580	Bffbdadk.exe	36
PID 2580 wrote to memory of 2124	2580	Bffbdadk.exe	36
PID 2124 wrote to memory of 2912	2124	Bcjcme32.exe	37
PID 2124 wrote to memory of 2912	2124	Bcjcme32.exe	37
PID 2124 wrote to memory of 2912	2124	Bcjcme32.exe	37
PID 2124 wrote to memory of 2912	2124	Bcjcme32.exe	37
PID 2912 wrote to memory of 2312	2912	Bbmcibjp.exe	38
PID 2912 wrote to memory of 2312	2912	Bbmcibjp.exe	38
PID 2912 wrote to memory of 2312	2912	Bbmcibjp.exe	38
PID 2912 wrote to memory of 2312	2912	Bbmcibjp.exe	38
PID 2312 wrote to memory of 1920	2312	Bkegah32.exe	39
PID 2312 wrote to memory of 1920	2312	Bkegah32.exe	39
PID 2312 wrote to memory of 1920	2312	Bkegah32.exe	39
PID 2312 wrote to memory of 1920	2312	Bkegah32.exe	39
PID 1920 wrote to memory of 2964	1920	Cfkloq32.exe	40
PID 1920 wrote to memory of 2964	1920	Cfkloq32.exe	40
PID 1920 wrote to memory of 2964	1920	Cfkloq32.exe	40
PID 1920 wrote to memory of 2964	1920	Cfkloq32.exe	40
PID 2964 wrote to memory of 2880	2964	Cenljmgq.exe	41
PID 2964 wrote to memory of 2880	2964	Cenljmgq.exe	41
PID 2964 wrote to memory of 2880	2964	Cenljmgq.exe	41
PID 2964 wrote to memory of 2880	2964	Cenljmgq.exe	41
PID 2880 wrote to memory of 1848	2880	Cocphf32.exe	42
PID 2880 wrote to memory of 1848	2880	Cocphf32.exe	42
PID 2880 wrote to memory of 1848	2880	Cocphf32.exe	42
PID 2880 wrote to memory of 1848	2880	Cocphf32.exe	42
PID 1848 wrote to memory of 2400	1848	Cgoelh32.exe	43
PID 1848 wrote to memory of 2400	1848	Cgoelh32.exe	43
PID 1848 wrote to memory of 2400	1848	Cgoelh32.exe	43
PID 1848 wrote to memory of 2400	1848	Cgoelh32.exe	43
PID 2400 wrote to memory of 1948	2400	Cnimiblo.exe	44
PID 2400 wrote to memory of 1948	2400	Cnimiblo.exe	44
PID 2400 wrote to memory of 1948	2400	Cnimiblo.exe	44
PID 2400 wrote to memory of 1948	2400	Cnimiblo.exe	44
PID 1948 wrote to memory of 1040	1948	Ckmnbg32.exe	45
PID 1948 wrote to memory of 1040	1948	Ckmnbg32.exe	45
PID 1948 wrote to memory of 1040	1948	Ckmnbg32.exe	45
PID 1948 wrote to memory of 1040	1948	Ckmnbg32.exe	45
PID 1040 wrote to memory of 408	1040	Cnkjnb32.exe	46
PID 1040 wrote to memory of 408	1040	Cnkjnb32.exe	46
PID 1040 wrote to memory of 408	1040	Cnkjnb32.exe	46
PID 1040 wrote to memory of 408	1040	Cnkjnb32.exe	46

C:\Users\Admin\AppData\Local\Temp\caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe
"C:\Users\Admin\AppData\Local\Temp\caf2a01a8124f7590103def084ce1024790fc24f8e47916bba1d2663df106fe6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\Bkjdndjo.exe
  C:\Windows\system32\Bkjdndjo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Bqgmfkhg.exe
    C:\Windows\system32\Bqgmfkhg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\Bnknoogp.exe
      C:\Windows\system32\Bnknoogp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 144
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
76KB

MD5
cfb59012ad9e5b9276298f74ed437a01

SHA1
f9468751fff8ef6d1a96a63fec5dc0489435aaf7

SHA256
cca9f7d58cb812614f7d2de1070bc7aefe5b7d049f8cd98a8a0e4825060db1d0

SHA512
73ffa28cfd67499fa5ad60449b8d2f256eaea90762a6d40b2e750737c7f5b1417b464121215e45aad6e7f3f81756b8d8a3bd8b3c766e432d0ec646c0826225e3

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
76KB

MD5
6793cdaf0c7bbd9b60fd8d13504806a1

SHA1
056310cf742d330b99071c983c9724a57fedfa83

SHA256
e1997dfcb1d85419c52ccab2a86ff2f1e591e6e398b2c4606024f3fd626d1db5

SHA512
7b1a9088739b3c8bd1aba38f7f1b3b3b0192c647129f890292d056b8516899859f5a19687218baebfc88ff4e73d13ce6e4fb75367d7bc00d50f51ac28295aa25

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
76KB

MD5
cd29d19fedec28615cf129b62de1fd12

SHA1
6ede3ef0cc65a33fb3657cb0f0b326f6c9ba1d4d

SHA256
923fb63ee4bb92e14b9d8b5668167a290c371e7f9aaa098947132dde2f6ad14e

SHA512
fb2bafe75e7ee55a832959e17e3463664ce9f73c4fca91231e87d3f5c063997fad6be79a602237cc075e1d1a85c3bba11b9df5b319ff43a38f5015694a0ed573

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
76KB

MD5
800ed310cdc227a748367239c70dbbd9

SHA1
a8148a34d052a90e11af673c5c05c9323b4ee8e0

SHA256
87f98156eb6dfc42059c8f392e7222c44cd80c76422784ff1a4668ec6bb5647e

SHA512
6d74a8c0fd77542fc5da14a9101afaab253344a0d32ae962de587d93689ed9e068a0402bc5f99920149d2a47b7571a5a0e714bd0dd503fa1875fa9439c32c475

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
76KB

MD5
738766453009f3eb69b39eba5aee8f5b

SHA1
df363c698e4cbb4377b83f134f86a293ef021897

SHA256
4c672d9ec63983bf54861214271bb0828aab12ca545b8230b10acb8cf1fde0e3

SHA512
1fe7bcdc4195990627ae9ff2097c9447db26c4230d619f43b7f81ddc281e92a36905e40069a6ad882f3a5203e9df9b31f461a82fcdc49649fb29ef7376b184c3

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
76KB

MD5
46128f9c7b83160775a802aacbd2efd8

SHA1
b31bcf3790d5bba5548456217359d8f31c0842c8

SHA256
ae659aa3e3662703128a92f9d39f748b0da1baa8f03f08149dc436fda2e161e2

SHA512
a9bd9a19fd58586c254fdcb51c0a1ea2700a48d4e0c6423556af5abe83455e1eb6d34c43217d257f422a0c507786f42b751e82020f26d2ffcc36347245ef893e

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
76KB

MD5
28ff68f0d58a7ba183f8b9520267ee7f

SHA1
9c6ca16de0a0c967e94ad70c66232bb95879187f

SHA256
5ca53bd4e2586edc6cb6b3b13d9ad328a31f8ecb5cbff3f5337d82377087f198

SHA512
8afe0f3d0eb1d36f4ab5068ab7b72df0de74052aa234aac5d06d89e617ab3aff9851bc1eba9794aba6603eb2117dd712831476f5ccb619685cd0725c0e3b7005

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
76KB

MD5
5f8586ec3788985aef305cb5b4126568

SHA1
6dd68f2160d550e44b7f0b4a004b202c175f3fa6

SHA256
6511c8bda614048345cedbbc72ad6b6a7b80c2688eea497538b667e90b7aaa9a

SHA512
ab6fe69e0bcea6e6907ce0c461282c1a073c06e477d19fe7776cbfd306f5b2b1b49610f8959f32fabf06dcf37b6a7ada35f041dcdd792aa8fe27c5384d9ebe6f

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
76KB

MD5
0b93fcbff683048d981f039fa87e50f6

SHA1
a668d947818b489b5607c4d569606c42e0c26718

SHA256
5c4d6d4d7f7ce0ce09e09eb4db64f91f30c1b8b2507c7961402c1b3f6abcd4bd

SHA512
fe1681b947c122bb21d547bfeccff8046dd07f755c47086ef2a9394480ec2af6e50ba49e4c30894decad0c4b13d6cea5eba5dafbfe3dbb0e04b8ef0c001341c7

Download Submit
\Windows\SysWOW64\Bcjcme32.exe

Filesize
76KB

MD5
e6f98913db10edaf32870623d8cd47e9

SHA1
eb063f67da57bf1773c1fe698dc63c7a354cd06d

SHA256
99375d6bd9c04bae3fcc98599a6275011d6b5c1784e0f1083360f20807d2d0a5

SHA512
fe7d84afff7af1b89a196dc89f1f14ca41e242877767b66fcf99c17cf6acf8ce008886cb5621a911fd76904e1218a0b772f851e046cf312d0189b0a64944e89f

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
76KB

MD5
f6d3413c9272806d98f041a53593c31d

SHA1
ef0c2e56164a48d67381a61820422e1708e255fa

SHA256
8172fe90870637e0cfa11aa6ff7e5c2fd760081e2d3831bcc190f4460204236b

SHA512
b002a942abe0f85438e61b241b4152df89a243779285f41696ae97a87f1857da89b78f60d9c9df9677485a20177e1cb3f3be188e0bb64d330f8b8f7be34cde32

Download Submit
\Windows\SysWOW64\Bkegah32.exe

Filesize
76KB

MD5
53f39492eca02c185238a3837fb9b9cb

SHA1
dd0e2e1f31d5a331d6f3ef3b9909315e561875d2

SHA256
d23fc3f93ffbe687c9e2635e1861d1cf787eaab6fc293a95d484c756c7c38975

SHA512
d40bc913ab637722f62a6ea4b5d65cfd63349f355f2cc8bdc16725a61c09b1a93430cf9b13f7ec54a7d5092daf2745346b4fe139f72a8cef02cf80f6af22187c

Download Submit
\Windows\SysWOW64\Bkjdndjo.exe

Filesize
76KB

MD5
f163b3ec165da6794672f7cf62330dc4

SHA1
ad7bfdc99d54c00018618ea43052c72fe44f7785

SHA256
2439f66e789c1963e0a93da43bcbbfde796ab9cbe514fa4de8e100b962c68bc1

SHA512
3a3927ec578f801f04870d0652006369a87cc4ebcf101ca0414e19826653195c7aae70a4e9d560144d5aa19ce3642035ab241df737d91bcb0bd9f4176f6322e7

Download Submit
\Windows\SysWOW64\Bnknoogp.exe

Filesize
76KB

MD5
f926c771818caf19eb0f2dfcc1876dbf

SHA1
33484e72b64cfd8573c0a2f781b81d2e568127ea

SHA256
aeb018771ec943372c5520ce3c0e4e96365d66ff3d0a6524335a5b3c16da1141

SHA512
a38a72341538fc222ebc437331e397e219c9ce789cef7d0beefdb3980876164f08287313be634c879545d4ebd2b1b854ff2fcc57989e32f90193199d7d36f785

Download Submit
\Windows\SysWOW64\Cchbgi32.exe

Filesize
76KB

MD5
8c004784db76042a9f9cd59faadeb34a

SHA1
559da593834f86110c69d45599335e8eea84da97

SHA256
e6eb63dec606c5e980e7815aad5e68919bb983dc045cf841d2332369c52592f5

SHA512
af244a1f4f952778b587e3eb8f0d38ffdfe69890ae339463d09b11d4360ce228588fc97580ad06fcc231bf0f40cc00140688ff10f8afeb25b81acdfaa0f9ba1e

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
76KB

MD5
5612f5157c13112028092316fc50e28e

SHA1
86abdb9c6941844872c102262f7b4e3c11bbce3b

SHA256
d2da08d501da4ff369ea17b5bb52fc419e757763274f89ffec76656e9ccf1bd6

SHA512
5e9db474008574d912b0775f00e4606587eae404fcf226b235dd38afd5563ce36961f1d2f846ca358f4e461c364e1fb396c2327ad39e9280d808cd558e055801

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
76KB

MD5
05350464263e4afdb3ce95ea11aa32e1

SHA1
13d4beb232d7d6dcd4ffe28e8eb0f8242e6c2835

SHA256
1ca7d74931712dfa1daa6a79af4de2e6f06f6eff30bbb607b49f8119508d246f

SHA512
7197189669faafe52a05454a1d13b50409426527880ada8ad14b06190b5c3347d8ac1b7f1e5ccce58f9f49ec6eb8278a092e9421b06e5105457b8e4f74cb851d

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
76KB

MD5
3ab514c152a426737841170e1cca4f00

SHA1
1d6b5d48f32451201213103f2501e3e12f47118a

SHA256
66498686d1373efc9ac010ce02b9cb9fcd5a630d13693f1b91d3012ddb3eb2e8

SHA512
81db47523848571c1e20fd7145b977ec307bac2557e594299abbbcb07629dadb339012e6c000300712645e2b702b23cbd56421253f8dc780352aec6cc302283e

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
76KB

MD5
749c1a687a98563fa5449f702f3e3944

SHA1
73f71a0d970f23af95d93a6cb1041cf1e33e778b

SHA256
1e33dce0f066a65d7f861345bd1d16875c971259a821b8653de37957fa34f614

SHA512
2fccb85664549b4f94f6f73fcf4b75d994a466903f59bd695a47ae00d5e12246375b3c732d2808d311c47f619f7530ef254254c9b4573b4878581289e4bfbdc6

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
76KB

MD5
ca95e200ef864b7136e9b2afb761bfe7

SHA1
837c42f63352488825d31596f2a7591ee6348268

SHA256
fff85bd6b0c600902d44f5b178037c1fe77a1627a9f70e2ac98215bc952fc88a

SHA512
3838e08fcf64fed384a1476c7e27aa3303196f336b6c59d99fa436fa668fc0e11ff1e50d5cb225c78085bea084c6b23c13a64451794c48b1290c0ca64f343439

Download Submit
memory/408-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-219-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/408-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/620-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/620-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/824-12-0x0000000001F70000-0x0000000001FB0000-memory.dmp

Filesize
256KB

Download
memory/824-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/824-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-210-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1172-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1172-241-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1172-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-252-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1632-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-248-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1632-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-26-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2216-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2400-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2400-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-66-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-58-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-157-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2912-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-100-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2964-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads