Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 82s
- max time network: 20s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/09/2024, 16:06
Static task
static1
Behavioral task
behavioral1
Sample
TrojanDownloader.Win32.Berbew.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
TrojanDownloader.Win32.Berbew.exe
Resource
win10v2004-20240802-en
General
- Target: TrojanDownloader.Win32.Berbew.exe
- Size: 59KB
- MD5: c1d25250f2495db4df0fac6e6816c760
- SHA1: 858b0849ce833f6409f487caf4278764262a4e1f
- SHA256: eb6c83d512c14b63f8a4803ac8d5dcf3be4d40f49972e204b52b3cbe519bb6d5
- SHA512: fb7bfad0628eb150e7de94ac9af3aec9a12255c2161debde33c7b53fbb1bb2e7f5a7faa4dbd5432d7d275cb98e62f2caeeb941c6639cc48b48e64883c3aeb7eb
- SSDEEP: 768:L2qq1EOIcbuI8KgtZa0+oMW37gcKc+UEuFrB40nkGBh4MBtWpVoLZ/1H5J5nf1fO:kiOIcT0rUcKJwl9ndh4qNNCyVs
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs
Executes dropped EXE 27 IoCs
pid Process 824 Bgoime32.exe 2772 Bmlael32.exe 2732 Bgaebe32.exe 2892 Bmnnkl32.exe 2564 Boljgg32.exe 2580 Bjbndpmd.exe 2656 Bmpkqklh.exe 1676 Bcjcme32.exe 1252 Bfioia32.exe 1164 Bigkel32.exe 2524 Coacbfii.exe 1764 Ciihklpj.exe 1704 Ckhdggom.exe 3004 Cocphf32.exe 676 Cileqlmg.exe 2520 Cpfmmf32.exe 2912 Cagienkb.exe 1580 Cgaaah32.exe 888 Cjonncab.exe 1984 Cnkjnb32.exe 1080 Cbffoabe.exe 1812 Cchbgi32.exe 2280 Cmpgpond.exe 1076 Cgfkmgnj.exe 2296 Djdgic32.exe 1500 Dnpciaef.exe 2212 Dpapaj32.exe -
Loads dropped DLL 57 IoCs
pid Process 2512 TrojanDownloader.Win32.Berbew.exe 2512 TrojanDownloader.Win32.Berbew.exe 824 Bgoime32.exe 824 Bgoime32.exe 2772 Bmlael32.exe 2772 Bmlael32.exe 2732 Bgaebe32.exe 2732 Bgaebe32.exe 2892 Bmnnkl32.exe 2892 Bmnnkl32.exe 2564 Boljgg32.exe 2564 Boljgg32.exe 2580 Bjbndpmd.exe 2580 Bjbndpmd.exe 2656 Bmpkqklh.exe 2656 Bmpkqklh.exe 1676 Bcjcme32.exe 1676 Bcjcme32.exe 1252 Bfioia32.exe 1252 Bfioia32.exe 1164 Bigkel32.exe 1164 Bigkel32.exe 2524 Coacbfii.exe 2524 Coacbfii.exe 1764 Ciihklpj.exe 1764 Ciihklpj.exe 1704 Ckhdggom.exe 1704 Ckhdggom.exe 3004 Cocphf32.exe 3004 Cocphf32.exe 676 Cileqlmg.exe 676 Cileqlmg.exe 2520 Cpfmmf32.exe 2520 Cpfmmf32.exe 2912 Cagienkb.exe 2912 Cagienkb.exe 1580 Cgaaah32.exe 1580 Cgaaah32.exe 888 Cjonncab.exe 888 Cjonncab.exe 1984 Cnkjnb32.exe 1984 Cnkjnb32.exe 1080 Cbffoabe.exe 1080 Cbffoabe.exe 1812 Cchbgi32.exe 1812 Cchbgi32.exe 2280 Cmpgpond.exe 2280 Cmpgpond.exe 1076 Cgfkmgnj.exe 1076 Cgfkmgnj.exe 2296 Djdgic32.exe 2296 Djdgic32.exe 1500 Dnpciaef.exe 1500 Dnpciaef.exe 2680 WerFault.exe 2680 WerFault.exe 2680 WerFault.exe -
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Diidjpbe.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Diidjpbe.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2680 2212 WerFault.exe 57 -
System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe" (process tree depth 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2512

C:\Windows\SysWOW64\Bgoime32.exe
Command line: C:\Windows\system32\Bgoime32.exe (process tree depth 2)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 824

C:\Windows\SysWOW64\Bmlael32.exe
Command line: C:\Windows\system32\Bmlael32.exe (process tree depth 3)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2772

C:\Windows\SysWOW64\Bgaebe32.exe
Command line: C:\Windows\system32\Bgaebe32.exe (process tree depth 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2732

C:\Windows\SysWOW64\Bmnnkl32.exe
Command line: C:\Windows\system32\Bmnnkl32.exe (process tree depth 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2892

C:\Windows\SysWOW64\Boljgg32.exe
Command line: C:\Windows\system32\Boljgg32.exe (process tree depth 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2564

C:\Windows\SysWOW64\Bjbndpmd.exe
Command line: C:\Windows\system32\Bjbndpmd.exe (process tree depth 7)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2580

C:\Windows\SysWOW64\Bmpkqklh.exe
Command line: C:\Windows\system32\Bmpkqklh.exe (process tree depth 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2656

C:\Windows\SysWOW64\Bcjcme32.exe
Command line: C:\Windows\system32\Bcjcme32.exe (process tree depth 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1676

C:\Windows\SysWOW64\Bfioia32.exe
Command line: C:\Windows\system32\Bfioia32.exe (process tree depth 10)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1252

C:\Windows\SysWOW64\Bigkel32.exe
Command line: C:\Windows\system32\Bigkel32.exe (process tree depth 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1164

C:\Windows\SysWOW64\Coacbfii.exe
Command line: C:\Windows\system32\Coacbfii.exe (process tree depth 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2524

C:\Windows\SysWOW64\Ciihklpj.exe
Command line: C:\Windows\system32\Ciihklpj.exe (process tree depth 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1764

C:\Windows\SysWOW64\Ckhdggom.exe
Command line: C:\Windows\system32\Ckhdggom.exe (process tree depth 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1704

C:\Windows\SysWOW64\Cocphf32.exe
Command line: C:\Windows\system32\Cocphf32.exe (process tree depth 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3004

C:\Windows\SysWOW64\Cileqlmg.exe
Command line: C:\Windows\system32\Cileqlmg.exe (process tree depth 16)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 676

C:\Windows\SysWOW64\Cpfmmf32.exe
Command line: C:\Windows\system32\Cpfmmf32.exe (process tree depth 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2520

C:\Windows\SysWOW64\Cagienkb.exe
Command line: C:\Windows\system32\Cagienkb.exe (process tree depth 18)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2912

C:\Windows\SysWOW64\Cgaaah32.exe
Command line: C:\Windows\system32\Cgaaah32.exe (process tree depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1580

C:\Windows\SysWOW64\Cjonncab.exe
Command line: C:\Windows\system32\Cjonncab.exe (process tree depth 20)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 888

C:\Windows\SysWOW64\Cnkjnb32.exe
Command line: C:\Windows\system32\Cnkjnb32.exe (process tree depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1984

C:\Windows\SysWOW64\Cbffoabe.exe
Command line: C:\Windows\system32\Cbffoabe.exe (process tree depth 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1080

C:\Windows\SysWOW64\Cchbgi32.exe
Command line: C:\Windows\system32\Cchbgi32.exe (process tree depth 23)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1812

C:\Windows\SysWOW64\Cmpgpond.exe
Command line: C:\Windows\system32\Cmpgpond.exe (process tree depth 24)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2280

C:\Windows\SysWOW64\Cgfkmgnj.exe
Command line: C:\Windows\system32\Cgfkmgnj.exe (process tree depth 25)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1076

C:\Windows\SysWOW64\Djdgic32.exe
Command line: C:\Windows\system32\Djdgic32.exe (process tree depth 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2296

C:\Windows\SysWOW64\Dnpciaef.exe
Command line: C:\Windows\system32\Dnpciaef.exe (process tree depth 27)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1500

C:\Windows\SysWOW64\Dpapaj32.exe
Command line: C:\Windows\system32\Dpapaj32.exe (process tree depth 28)
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID: 2212

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 144 (process tree depth 29)
- Loads dropped DLL
- Program crash
PID: 2680
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 59KB
  MD5: 4a9cc1c2e31a2d08745b54c3c208397c
  SHA1: 4dd2d0a2eb399282bbbcb2b22c03545a0f6c244b
  SHA256: 71b6803b672887abbb21e7d125a7d2d9f4a96a8ea0da341dfc6b735f2c0df2e9
  SHA512: f99d23d7517e9a67cda9ab76f32c2471b57cbd552bdbed87d9952db2b15d3ad78921bd1c27b952c19491de32b6d6efcafe9bfd6e76b31a059c250fdc12e7b85c
- Filesize: 59KB
  MD5: 26bdb79eba82e3d169071c6de97bb76d
  SHA1: 6b5c9dd4342a7bd7574504db7948d86e551ff99f
  SHA256: 1bc29a431aa28b6760a42e6f1f3a85c7e56cb2c82fba8d4225d41de18422c9bd
  SHA512: a2667e11c2ad7b09274b09e93ee891b0fb1e5c9eded22ae90616ad4f8c3d39c5066687a5d1e426b1b6e87e0af7e076b8b360f18230378b8bd8c1d8a11fdc2147
- Filesize: 59KB
  MD5: 56c60ecfe2121436efa544193f554637
  SHA1: 61b6447b5e9dc86c0d5cfc5c9306459652c19fb6
  SHA256: fd887d3283a01356e87f5b7067cddf54bad9c62f7dc5f306ce38931da8e98158
  SHA512: f647687b3c2d2e34fc01a0751ab96983a1b33dd7311735c27f0ce01bfd32f9a0e55bf5cacd2f9016e038b2e2c4ba1b6abbe1d6146d7f106ad4712477890fd970
- Filesize: 59KB
  MD5: 80acea2aa647a8ec66ca379d01ee326a
  SHA1: a425c2550fe8d25af881850ce5f3b513e3603c3f
  SHA256: 1585220897ef57e53b4318019f8c6a90a79ec53aadd1f6262626af568384e575
  SHA512: 167ee855ae54cab843794b67a38209c787ad6bbf38e0b448b80e05fba837c2410cbb667d1b497b9ba7d678076386a92dec86956cd21ee9b067e5f869d2cad93f
- Filesize: 59KB
  MD5: 4f12dfaa2cc2d0162f8dc58dcc53577f
  SHA1: 6b11a1953a2262bbab222bcd9628c277f5cda4a9
  SHA256: 30b765e9a0532bbc4da8a7e96b4c7529c6a1770085ee0c8791b9d81cbefe7ea3
  SHA512: 744ab8f5b8aa6be6bfaabffb1e3a8e633e999e51fe4f2094331b855ab472a3db10317363018487b1f983357fac275131088311c060c502b909c25f3bdaba39be
- Filesize: 59KB
  MD5: 5cd5a5b36a5db0e54535e02b0df20132
  SHA1: 686eff194d8ac0847d706cea16fa7d819b514b62
  SHA256: 4d3c0721f6c0af1f07f15ceeac7b65f129d2239d0753e50b2d7212e0e2342e1c
  SHA512: 3c326d2940909df233497cb02a7edb5ad4e14dbb87a38244ae4bd5d7fe6b8bee0d2388367a99413631b65e3174d6893ddc6080f572e4b0a366f101357a41ba62
- Filesize: 59KB
  MD5: bbd410fce40f56073fedcbaf65c9ec72
  SHA1: ab7ee4112667485eb823a46505f61d685fdfe2ef
  SHA256: 44a07e6e987ddb9ef2af3e309e9f43a6fd5bfb81208f86180bddabf1604baf11
  SHA512: f56436edc1fe867a83f907bd6421421acf1c2b37f46a3fe8723cc0b3ec3b62b819ff57fc4366ce1d49f719b70f0fb12cf1ec611926ac3bedceeef356ffc6e363
- Filesize: 59KB
  MD5: 595926abe7b261a34684e5a811e473db
  SHA1: 00c164b185a74afe58398a946d13603212567422
  SHA256: b8fbae3e5076f74bf3851872b5307844da48c7acead92d47c4ce3082a938c310
  SHA512: fa9592887fce203e3db29219c3c20113e6c349893909763ac2447bb2015317ee9ca91c6b5b67125d2780550edf00fadefae4852be24f789e73bb5887cc7735c6
- Filesize: 59KB
  MD5: 836fef112337723403882dab81333b2b
  SHA1: b0d19053965849b7aa9a29fe5bb95b9ffc38892c
  SHA256: 30ea8489baabfea590ba33c2e1c744aa2be7c4d688338c5f6f03ab56369aa7a1
  SHA512: 1187676130b9b579f2ad042bf417bd8c179ddce7f9e13b7506ab20c0c102840f99d499e49bd1a41077668c1b4216a88c645eb59b75cb3929b85062302e205bce
- Filesize: 59KB
  MD5: 5c7fb8a8b37d2a79856f327662291779
  SHA1: 16561823a8bb55bd4a5d7009ca22d2d0ffc7bb42
  SHA256: 0a74c8b7ee6f89b941545a8e9c89ac20237820d6b4f32f121a6496ae09afca9f
  SHA512: 7d8137547d313031671322066683f61f0b121a959ade72950b41047de7f27886c70e35be2fa8e1511ea597bffc3571a491c9de2767ca445af947869da3d4004e
- Filesize: 59KB
  MD5: c88be3d84382a1dda52ca5e9751349e7
  SHA1: 39b01f664602f1eb2e5e41ca65f5b6a330a26538
  SHA256: 37083c1cc1c8b3105ce13252d6e88f5f51dc18aa0d5465cdad2befd79b8b3537
  SHA512: 4059fe1f0ec0c7e5330da1adf705890907bf6ece061ff75743a619b394b672c27e9c6fff91de954dc3b8eb76d3ac07c4b678fe0946ea28393187fe8917f4917c
- Filesize: 59KB
  MD5: c1b59e78ecf750ecd1172b8f1899f5b4
  SHA1: 480e3a9c08a4e6e53c153966907ccf62be18be61
  SHA256: 8138ac0fd256b26a4d1cc91358de3697300a5c53815a257b98cb1a0fa9716c58
  SHA512: c716cf20b7c2be467c1b8fa3e32136283ae27afa94eb631fe22d308905a0bb11826e03f2d7903a2bbdc1d9335deddf015bb619158d89d0f2fd746e8ad7658ac0
- Filesize: 59KB
  MD5: 107ae582a202cb41b76caec12d544b90
  SHA1: f34a8f39d7aa274f6af50d4f61bef0378e0b0fcd
  SHA256: c4ec774d44d786465fb712c6f4d59e76faf56d3aee77285b04894beb6c599526
  SHA512: 852b607e7ae8194a2921d1765a44cd24f665a22447a596764f66dd06ace3c8e48648814e2fe8e3190037faa8a5a1ea21f4fd9adca9c29413150ee0f13b16cbde
- Filesize: 59KB
  MD5: b05d3b6583590fdfa3b51e8029f10c4e
  SHA1: 95ba9a61a2a6a33b0f9134c56cc45f339683ee6a
  SHA256: d851cecbb960aaefb4db7a20f2bb89e97015fc2c7836fd43e44fa861ee52219a
  SHA512: b7e1cd3fb7b6353cbb35f6f8fe16ae6ff22f57bdeeae126bca8ea4ea597c35ced53922a45d60ed637b4214d59b47afc311b9be2e3d0e40d0860f5596c0e77172
- Filesize: 59KB
  MD5: 856c23981dc764617474af280ad053ee
  SHA1: 772051bc709602065a2810956c4e50f146ae894c
  SHA256: 77489574ec8c3dd291b14cf7aa5c520d3aef177d4b2522f9e8624964b085d0be
  SHA512: 3160bc1315c219ea4f1488612552bb1789a6a7386973994a419560785a72b37b8b735e8137fa369ae1e0ba5888dd9e2d03b4d6dd1e424076cf8d2db985103b15
- Filesize: 59KB
  MD5: e76b776b5a245e5e740652ee9cfe5bd7
  SHA1: 48c32ab9d6839d7e6e217ae4ba7ae033232475a3
  SHA256: d313c4f55a4307575566d0490f4faa14a6b46e22354207140b85e48b9cdb8e77
  SHA512: 4d7cf0de800870535316c54c08e7b10a304cdc66080f5ddfc991005e85266668465ec63c3d298f9db5a98d1fa9f22da34d15628eb453c63a6f6ed5ef3789f8f5
- Filesize: 59KB
  MD5: 13e0d4b64560f94474f7deb9b2f8d6a3
  SHA1: 8460a5cd8b36acce0f42ba1acc6a4aa44fda3a61
  SHA256: 36dd016ae4101c0e9d5367e49e7d4f1ddf13dcd39b6b232f3694db005c8f1d8c
  SHA512: 0849667d759f4fec19aa714cc85559caeec46af7d35a5cbee6b29d7a402bf68fa6ba6f9e43d53731c4dd7f5aa15d0b02c6457d93ad10e0de74e181f179e098f6
- Filesize: 59KB
  MD5: 2f4462bed2d7ff1b1be68f0a52077803
  SHA1: 0c0e917bbcb558224ca6095102d533e3ef67ba96
  SHA256: 4791339a23f997db9a36e4f995f6ae74404e31ee946d3a7eedeb0a70efe331f9
  SHA512: d7bfb1a731c6c632cdf26231ec419e962e0c168e19376cbab7c8256a5b1ee45aeb481ec4aaaf8f1c93cb7bc0e990698350b386e254cf7a5c1c9a8fe37acb0def
- Filesize: 59KB
  MD5: 829acaaf2056a89bf3c7d9b7a9943dc1
  SHA1: 7cc3de85a5aaedf8b3f517df86c014a745e512e7
  SHA256: d38fbe9fafd3e9c34496aedff1a772c049530af21b7272c711eae295d4fe2cee
  SHA512: 58b102bd0d04ecc2555671f3d5703201b09f231027beeef140bbd8d129498cb21209d1d0bb7b12f7ec7d43cee6cd8ac86924bce9201105ff2b57c5a2bcc5550d
- Filesize: 59KB
  MD5: 80140e52e777916d01c79aa238f27a24
  SHA1: 3ed69de47713bf89a69c0de6050272e10f762b3f
  SHA256: c7e9d049f555b558154231ca74a10f824930429799770883d86036d8e3f1c052
  SHA512: c3e78e39855705110fce48d47a0133fc30b9f580769c3cf07e28ef900a2df27cd64955580e76e36640121a5328a577534fed97b22a6fb64cd88db56cd9d6a790
- Filesize: 59KB
  MD5: 33c9ee5ee37de878b4c2aaad70676675
  SHA1: 7a2fc4deb88340ed230e5a3c2c9bf7935aec79b8
  SHA256: 4cdef88dc8ec52a671c298768197d863cf190c1120d185f047dd06b6cf03afdf
  SHA512: 7bf27995c5c75b5457ea2e584777885c27738aa02cc37c385261e7fc4fc2b01c94925a4cbd18741a053f37c915929376f48d981f550f05540f273446add1f3a9
- Filesize: 59KB
  MD5: 7ccee213f8b242919059f5736b39a915
  SHA1: 4f28e6e05519bddcb10a72552e8520ce61e453dd
  SHA256: 2c1569984f5e8d166b686f83e157df3d771940d66faaa412a5ca6ddb9da7f03c
  SHA512: 1aabc0fb40692612a06c41b3cb002d3d86e14f0cb7ca98fd492e8cae8ce7b254a2471465994e6a967e0bbd97d086d8d70b2bdd013327a8298ba4b96aaff5f124
- Filesize: 59KB
  MD5: 827a2781c8d02ed55da6456546ea406a
  SHA1: 2917e367a42abf5d8f79538e264ba0b2be61b1d5
  SHA256: 936375b66f37c5d769edb02f915447381b419feae46c268727caab621f57fd2c
  SHA512: 76c0c50133cceb03c6653b0c05b749315080d12c7fec2f9437819acc4282a144364d1830b6644399d9ef24ec1c15b1679b2d63dd7b740f8057ea2d151a24cdf2
- Filesize: 59KB
  MD5: 900dbd786b3058c778a9d8caeec833ad
  SHA1: 5c031e14d4120bcfbd0e7155cb43ed38f5624900
  SHA256: 4afd6b5f24d946f538fe4a99c3e34ca7c96dfa81491cdcaccdb5be58a5e91bf8
  SHA512: 8cdf3516e2d235d39a5df6aca90156f4e540592b787ee5fadae87cb691310a903b3e66f3c6937300de2a198e281b1e1390fc2c7e6ab21e4f8524f087be3eed63
- Filesize: 59KB
  MD5: 6c2ca10cff9508bddfd7b08f56ab8d8c
  SHA1: d744abc763d0b8f26b00c185d17963ce14a61f8f
  SHA256: 3f5cfe79696cbf17258f208e8c8329550b58ae83d32c5d3334c2bfbf68ec3ac4
  SHA512: ac2dc6a13a518e442dd8629d9ef10d0ff79335115d333a68c5de2696e507733b9820b94b8162e2c87429ca4da59f5b0c58d690dca056c222c18d70014cd2bad7
- Filesize: 59KB
  MD5: bb3597bb88408a8231f17a8bc62ae58b
  SHA1: e0b64c905fb10a071d06f67d4098355d785b27c3
  SHA256: 8731dbe6615022b9bcb765636331d6cf44041fcf1062f1a951deab6247928116
  SHA512: bb3dd4d40aa634c696494418ff860560527801d2e8e9dbde53416c6b7f9965d2b0a6f9c051c9967dbd42f8e9cfcee4768fca35d3d12deb2045a4a0ef62ca0cc5
- Filesize: 59KB
  MD5: fbaae9e4fb8bec5b0eee8a18bcb3e708
  SHA1: 5b6919288bba976a3c7f3ea9c15ae995b5baaf0a
  SHA256: 4c6a8c75bd49807490c4aee623c1892cefa54c8021eca68789341aea60644010
  SHA512: 954bf59874f68fe7b3a8cf1d7776b34cb225ec8dcb71e84513c86f412b6a73b0772278980130ece0c756e179645ba5200668f8a9d6019f8e8abd29368c21deee