berbew | 8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
Size

96KB
MD5

3dc01301d36522dcb7e8a92397520845
SHA1

b30790b367b041e892913180c2ed173c6904d09a
SHA256

8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f
SHA512

6c6ffa38cf017d6b20ea4263a9cfc1057a419dbd2b0eff33f33e7911f1d2afc2651a13e442acdbbd15ba26235949b5c3579914b890d9efd34375aad691ba2692
SSDEEP

1536:owCEs1t+rBb1i2Z7tG2Li7RZObZUUWaegPYA:tC5t+rBbIeBriClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 18 IoCs

pid	Process
1636	Bjbndpmd.exe
2472	Bqlfaj32.exe
2720	Boogmgkl.exe
2884	Bkegah32.exe
2280	Cenljmgq.exe
2712	Cmedlk32.exe
2600	Cbblda32.exe
3052	Cileqlmg.exe
2940	Cpfmmf32.exe
2800	Cbdiia32.exe
2540	Cgaaah32.exe
2608	Cnkjnb32.exe
1760	Cgcnghpl.exe
1436	Cjakccop.exe
1776	Calcpm32.exe
1124	Cgfkmgnj.exe
680	Dmbcen32.exe
2400	Dpapaj32.exe

Loads dropped DLL 39 IoCs

pid	Process
1708	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
1708	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
1636	Bjbndpmd.exe
1636	Bjbndpmd.exe
2472	Bqlfaj32.exe
2472	Bqlfaj32.exe
2720	Boogmgkl.exe
2720	Boogmgkl.exe
2884	Bkegah32.exe
2884	Bkegah32.exe
2280	Cenljmgq.exe
2280	Cenljmgq.exe
2712	Cmedlk32.exe
2712	Cmedlk32.exe
2600	Cbblda32.exe
2600	Cbblda32.exe
3052	Cileqlmg.exe
3052	Cileqlmg.exe
2940	Cpfmmf32.exe
2940	Cpfmmf32.exe
2800	Cbdiia32.exe
2800	Cbdiia32.exe
2540	Cgaaah32.exe
2540	Cgaaah32.exe
2608	Cnkjnb32.exe
2608	Cnkjnb32.exe
1760	Cgcnghpl.exe
1760	Cgcnghpl.exe
1436	Cjakccop.exe
1436	Cjakccop.exe
1776	Calcpm32.exe
1776	Calcpm32.exe
1124	Cgfkmgnj.exe
1124	Cgfkmgnj.exe
680	Dmbcen32.exe
680	Dmbcen32.exe
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe

Drops file in System32 directory 56 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cjakccop.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1736	2400	WerFault.exe	48

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1636	1708	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe	31
PID 1708 wrote to memory of 1636	1708	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe	31
PID 1708 wrote to memory of 1636	1708	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe	31
PID 1708 wrote to memory of 1636	1708	8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe	31
PID 1636 wrote to memory of 2472	1636	Bjbndpmd.exe	32
PID 1636 wrote to memory of 2472	1636	Bjbndpmd.exe	32
PID 1636 wrote to memory of 2472	1636	Bjbndpmd.exe	32
PID 1636 wrote to memory of 2472	1636	Bjbndpmd.exe	32
PID 2472 wrote to memory of 2720	2472	Bqlfaj32.exe	33
PID 2472 wrote to memory of 2720	2472	Bqlfaj32.exe	33
PID 2472 wrote to memory of 2720	2472	Bqlfaj32.exe	33
PID 2472 wrote to memory of 2720	2472	Bqlfaj32.exe	33
PID 2720 wrote to memory of 2884	2720	Boogmgkl.exe	34
PID 2720 wrote to memory of 2884	2720	Boogmgkl.exe	34
PID 2720 wrote to memory of 2884	2720	Boogmgkl.exe	34
PID 2720 wrote to memory of 2884	2720	Boogmgkl.exe	34
PID 2884 wrote to memory of 2280	2884	Bkegah32.exe	35
PID 2884 wrote to memory of 2280	2884	Bkegah32.exe	35
PID 2884 wrote to memory of 2280	2884	Bkegah32.exe	35
PID 2884 wrote to memory of 2280	2884	Bkegah32.exe	35
PID 2280 wrote to memory of 2712	2280	Cenljmgq.exe	36
PID 2280 wrote to memory of 2712	2280	Cenljmgq.exe	36
PID 2280 wrote to memory of 2712	2280	Cenljmgq.exe	36
PID 2280 wrote to memory of 2712	2280	Cenljmgq.exe	36
PID 2712 wrote to memory of 2600	2712	Cmedlk32.exe	37
PID 2712 wrote to memory of 2600	2712	Cmedlk32.exe	37
PID 2712 wrote to memory of 2600	2712	Cmedlk32.exe	37
PID 2712 wrote to memory of 2600	2712	Cmedlk32.exe	37
PID 2600 wrote to memory of 3052	2600	Cbblda32.exe	38
PID 2600 wrote to memory of 3052	2600	Cbblda32.exe	38
PID 2600 wrote to memory of 3052	2600	Cbblda32.exe	38
PID 2600 wrote to memory of 3052	2600	Cbblda32.exe	38
PID 3052 wrote to memory of 2940	3052	Cileqlmg.exe	39
PID 3052 wrote to memory of 2940	3052	Cileqlmg.exe	39
PID 3052 wrote to memory of 2940	3052	Cileqlmg.exe	39
PID 3052 wrote to memory of 2940	3052	Cileqlmg.exe	39
PID 2940 wrote to memory of 2800	2940	Cpfmmf32.exe	40
PID 2940 wrote to memory of 2800	2940	Cpfmmf32.exe	40
PID 2940 wrote to memory of 2800	2940	Cpfmmf32.exe	40
PID 2940 wrote to memory of 2800	2940	Cpfmmf32.exe	40
PID 2800 wrote to memory of 2540	2800	Cbdiia32.exe	41
PID 2800 wrote to memory of 2540	2800	Cbdiia32.exe	41
PID 2800 wrote to memory of 2540	2800	Cbdiia32.exe	41
PID 2800 wrote to memory of 2540	2800	Cbdiia32.exe	41
PID 2540 wrote to memory of 2608	2540	Cgaaah32.exe	42
PID 2540 wrote to memory of 2608	2540	Cgaaah32.exe	42
PID 2540 wrote to memory of 2608	2540	Cgaaah32.exe	42
PID 2540 wrote to memory of 2608	2540	Cgaaah32.exe	42
PID 2608 wrote to memory of 1760	2608	Cnkjnb32.exe	43
PID 2608 wrote to memory of 1760	2608	Cnkjnb32.exe	43
PID 2608 wrote to memory of 1760	2608	Cnkjnb32.exe	43
PID 2608 wrote to memory of 1760	2608	Cnkjnb32.exe	43
PID 1760 wrote to memory of 1436	1760	Cgcnghpl.exe	44
PID 1760 wrote to memory of 1436	1760	Cgcnghpl.exe	44
PID 1760 wrote to memory of 1436	1760	Cgcnghpl.exe	44
PID 1760 wrote to memory of 1436	1760	Cgcnghpl.exe	44
PID 1436 wrote to memory of 1776	1436	Cjakccop.exe	45
PID 1436 wrote to memory of 1776	1436	Cjakccop.exe	45
PID 1436 wrote to memory of 1776	1436	Cjakccop.exe	45
PID 1436 wrote to memory of 1776	1436	Cjakccop.exe	45
PID 1776 wrote to memory of 1124	1776	Calcpm32.exe	46
PID 1776 wrote to memory of 1124	1776	Calcpm32.exe	46
PID 1776 wrote to memory of 1124	1776	Calcpm32.exe	46
PID 1776 wrote to memory of 1124	1776	Calcpm32.exe	46

C:\Users\Admin\AppData\Local\Temp\8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe
"C:\Users\Admin\AppData\Local\Temp\8e8e23352c9a1d9dc075c48d3757a2fb8563f54b91c9f291a9075856499ca60f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\Bjbndpmd.exe
  C:\Windows\system32\Bjbndpmd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\Bqlfaj32.exe
    C:\Windows\system32\Bqlfaj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\Boogmgkl.exe
      C:\Windows\system32\Boogmgkl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 144
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
96KB

MD5
c535b8bb77bb0217d559f68f4e4ae638

SHA1
06df3222ea2e44997d027f6b0d9ec6e453f34cb8

SHA256
7adc6bc438eaeaba7af365cf2d9a624ef34561934a17e7886f190dcd9d0e9bd5

SHA512
a538765078f663b614ba34d6e60c650b107cd1a66790c466c7183e599d7909cbf3647c91fb19d415fc69797f8fe4008460a5c90d01b84fd838ba72e87e09f35a

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
96KB

MD5
7ab297a58788a2fd65732e914a5f66cc

SHA1
0d77dfde6542c1b2194f4be96a2763dd589f3908

SHA256
af41fcfe66a9e10da89de8cc0ed875e3be5e8156c6acb50f44dab05e222d14f6

SHA512
00b6ba95cab8543e6124c98e7ecdf0ca6dc27bdf7402526d01a11485b185195c6e073dfc082fbb47add9d1a53e82eac85446f0f8dc2fd6d6fe8869606c93570e

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
96KB

MD5
db62222d9f07d519f203d478c343b3a9

SHA1
f58ff35d98706b343dc9e23984bb03a0888e0d6e

SHA256
a6217683f07be21542ee960bd92a9766f645243d8d83c26ae5d74cf06b0d14c3

SHA512
7e6c9221f315d490311ce7c4dc5d6dd42f39db3e06d9238e6dd2e62037eb27210fba0c29580665b7602c0f14be3a2d3e9c59e71db602d68d7114ec2bff98370e

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
96KB

MD5
1e1b352b1f936fba1862160206ecaa5d

SHA1
a7998626410c845ea5676890198050b0993a3b3f

SHA256
0c40f99e63b49247c8339db25d7716e95d27616569feea5931568e8f12e0252c

SHA512
54dcfe7d1fca30a4569db3a0d5f3043cb51f5844f7222908942f2e7234974e4ebb6a46cb943ebf3ad1b4e0e67940d84ad6bd560db9ef607a3ff3496590b8deec

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
96KB

MD5
a3b353734b0b9931844ccc568ea07d31

SHA1
28d3ff737ac0e33ff77d2fbd2df84e772c020d98

SHA256
336bef0546da8394f097cae8e7d574566ffc9fc8cbce1698d7b8ad86a978d85f

SHA512
2f1be5ceee79c2d018bc9758d37b829e916c26470557ff57da551018894a983d94ecd075674b79f7e960fa7b0ea7a7787275816c70ef946d701e45b9e4f53d5a

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
96KB

MD5
060bcc2509054cca56da7831d3d0e12a

SHA1
f0e0c5810eb81f2df77dd4d35a5f347f6a28399e

SHA256
9e752035966a8f6015296ecb96b1549f6d35feb3d907eb43aab1fe338f224118

SHA512
6f8982cfae09a7c084afd682c62d244ea21bf0781061e996392622e8f26b35328dfe8dd288798a011c344331782cb1baba5a263541b6b1f323ccfe1d309a8f74

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
2a5e4c1f3bcf0fa194d37d63b9168ffa

SHA1
d914d7e35ce2c223e8227c9c824bc9fdfadff629

SHA256
10843e283574b1cc468f3365f0b1a89df65c5c06c9488e7b9cf579d5b6038876

SHA512
8c98cd7868f39c6abcc36269f8df6131187339beff34d80a542353e2765700c99a2e3c4b97f4000eb890c847b78ceaaa06667de4f32eb2f3021c41ce7e30c35a

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
96KB

MD5
2625e8faf1d8a6dbcec8cc2eb2d6393b

SHA1
8622c65c4b000656aef181540a16b47d486b3cdb

SHA256
a74f8a38e022fbfc4bb9df399d2b31b6ee1bcca8b17f958b8b1f5e6942dfd8d6

SHA512
ac17fa65f5929eb854cc3753b8ebe84484437e3a7d4d14064da0571639b8c0ac10db1c5283e2f4229ceb4c73d1fe81ba6a3489653e5ff3ecd825d0e872098c71

Download Submit
\Windows\SysWOW64\Bqlfaj32.exe

Filesize
96KB

MD5
542822a17b310a6ae58836b840ea2566

SHA1
9db9dc5f0154bcbd5bb93d424b28aced1b8f70eb

SHA256
3bab5299b45d64221b53d5e68d6092511a6dd2914bd96b35b0ae3a9fabbc1719

SHA512
4d3951c54dd87dd2916bc086af835d8843fda7147737b47621adfaa5046005f7cf3f7041c3713ca4f3e538d8d2b3ed16e5626ea766c68c5144dd8eb6be305c1c

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
96KB

MD5
1a7591b0ef55addda68cd0dcdca3d2eb

SHA1
d7760aeca39b39a2e87415876b2b9f7a4331e2cd

SHA256
6b3e76e75e1131cf3dda2f52b1b19a5030110f57472907282e0a14da7b28d587

SHA512
cb901a5b649437d10f05be93abcb63b897c235c845ac5fbedce2f52de53710b181c3ed2e8b3e7a4756cfede96b35492058054e3832f4c59e3327f2b6096f801c

Download Submit
\Windows\SysWOW64\Cbblda32.exe

Filesize
96KB

MD5
0bfe666c8eb5d919ae80eb465ae926ec

SHA1
631a41add6b732295c9ca7d4e7848462b8057f3a

SHA256
c2d3b93b98d7f5dce527ca2051cf67f3d6e32b12ac9cea4703bb7a9751cb7b2d

SHA512
c835b5c7f514451cae5afb2f8e42deb80fb6f190b67c17ae781b60ce806c49ec4123002c118839e8047228923ac291c0c878402789e7d0c6b44c4d03431eb515

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
96KB

MD5
fc667d5ee6ecc62e8056fa4dfbd7639e

SHA1
75b0e6f2f162d526cb199b9feb878533c73cdf18

SHA256
1de36ba159acec492633a583a1942038572ee46e23a631f7e9f557c19423e26e

SHA512
3d13f5e579806b99af7d3f18bd4ea2b19534b854eea93b5a4a6860a2d219eace1c9968bd82749443f48d166cbca1294db07e0d2370775ae1bf29d23f97957bcd

Download Submit
\Windows\SysWOW64\Cgaaah32.exe

Filesize
96KB

MD5
8014d90470de127b12debe313956e066

SHA1
f75080b7b67483deab3b55fb86c2e11e774aad7b

SHA256
7dae24547552dd6dec9823eae52e2ec618e644a1e926cd1723ec8c2eb0f4695b

SHA512
b6bcf8770b9de602303770cca58de686954462170b73120f57c6e20098a6934810f766de0a9467fb9749379154c3c8d4ca9db7050a6de2fad6269b16c6bed907

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
96KB

MD5
d74be32d8559e8265daa4179af2b5c4f

SHA1
7e5886d56a515382f75bfdb507489bafd7f9f13f

SHA256
ef91131ce309342ef1bcaa368fde13f48c30c84ebbc7072c2367ca24633e2f79

SHA512
18d7fc5792b0a22d9a449d4256478ccfe7eece3f0215cd076f34341a11fea68600035dcac87cb5ef363fbb618bb50c5e78d2bb7c6994390e8e5ccdbeaf2a1d23

Download Submit
\Windows\SysWOW64\Cileqlmg.exe

Filesize
96KB

MD5
2cd860f767d49319cf46735455f63c9f

SHA1
51eca025d2b079407d12f8d0e7df37c2fbeb0c4d

SHA256
93752f72694f12bd8fe1e3c3a4d2fc3a4ba1bf4414c9d57b327b8d971953c191

SHA512
6bfd2631ccd87578aa79958b3077d960c2e40c681fa792ff10da479cb5edacc581edeb463f59712085b252bb9269f2a04c2bd07cbab1f0fed60aa452ae387e72

Download Submit
\Windows\SysWOW64\Cjakccop.exe

Filesize
96KB

MD5
c26f780a51dc96a9a69a944038f99db6

SHA1
70010a5ea396eff9ad0d753972d7d3b4cce51983

SHA256
4f5bb68589811bb91ea0f2f368605c4a5176e55b23fc49581bf76787e06cbb8b

SHA512
378300fe7327e47d57d2b2ae23bb9bb37caa4f431335fd612f145b1286af4313fec05a5b6792dcbf096c024136a7e202561346a2e1a8671f5dc71d57889dd39d

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
96KB

MD5
6c4eb182ea02cbb82b90bbaca92a91f7

SHA1
ad2d9948ad5a97e9e99c86e81a0a750053f1000c

SHA256
29ea9cbeeac4955b179ee527f3020486d4f97a8f7210b853ac703bf17e518f30

SHA512
97928816ce3c2cb243ef2de420e6da433f957469fde0a9aa0717944cab02c80ef2405d678f0dfbeb5086d5ad59108978dd6e381cd18735a5155cf03aa503e973

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
96KB

MD5
7e43ed1233eedd81556268b5f8eda6b2

SHA1
775e46dd26d2086b165eec3bce9944f98a009ffc

SHA256
bb4f08939e2b651e2e564a1633f28a70d32d5de0750d41dd031a9b205f7f189c

SHA512
afa9839007ca744a18c1bb6c8941a1f9564ba535029ea2e033db4ab7318843c0a83531e8939ae5784a118b2b56f038f13e5dc46781f5b6b0c87e4c8e3bfa8020

Download Submit
memory/680-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/680-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-220-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1124-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-195-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1436-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-17-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1708-18-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1760-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-34-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2472-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-160-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2540-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-168-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2608-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-89-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2712-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-140-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2884-61-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2884-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-114-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads