Analysis

max time kernel: 74s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 12:27

Static task: static1

Behavioral task: behavioral1
Sample: 78fbba4e1a641e91e085e1dfadbbd684c60be51a50dd0f1da03e1b6a44d0d294N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 78fbba4e1a641e91e085e1dfadbbd684c60be51a50dd0f1da03e1b6a44d0d294N.exe
Resource: win10v2004-20241007-en
General

Target: 78fbba4e1a641e91e085e1dfadbbd684c60be51a50dd0f1da03e1b6a44d0d294N.exe
Size: 96KB
MD5: 56f58f9126358d3906cb2a11ebbc8ab0
SHA1: 69fdfe23ac2fd7350c08f2b3d16633dcacb551d0
SHA256: 78fbba4e1a641e91e085e1dfadbbd684c60be51a50dd0f1da03e1b6a44d0d294
SHA512: 0aa0e0d40b2d78e24bf97a9b0ec8a9932104f63cfee58387756227c6932b5c5356200ad8a114493d7ab0faa566dff6f0178e598672367be2969a9efefa9fe857
SSDEEP: 1536:wr50lM+SJq0uj23gLiiJ1G34h5D1N4ym7sqv222222aexj2NduV9jojTIvjr:wl0lHzy3gLiWVJw7Aa2Nd69jc0v
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 48 IoCs)
Berbew family

Executes dropped EXE (24 IoCs)
Loads dropped DLL (51 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 1016, pid_target: 2432, Process: WerFault.exe, procid_target: 54
System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\78fbba4e1a641e91e085e1dfadbbd684c60be51a50dd0f1da03e1b6a44d0d294N.exe, command line "C:\Users\Admin\AppData\Local\Temp\78fbba4e1a641e91e085e1dfadbbd684c60be51a50dd0f1da03e1b6a44d0d294N.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1852
Level 2: C:\Windows\SysWOW64\Bfdenafn.exe, command line C:\Windows\system32\Bfdenafn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2472
Level 3: C:\Windows\SysWOW64\Bnknoogp.exe, command line C:\Windows\system32\Bnknoogp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Bjdkjpkb.exeC:\Windows\system32\Bjdkjpkb.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Cfkloq32.exeC:\Windows\system32\Cfkloq32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Cebeem32.exeC:\Windows\system32\Cebeem32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Ceebklai.exeC:\Windows\system32\Ceebklai.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:284 -
C:\Windows\SysWOW64\Calcpm32.exeC:\Windows\system32\Calcpm32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Dmbcen32.exeC:\Windows\system32\Dmbcen32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Dpapaj32.exeC:\Windows\system32\Dpapaj32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 14426⤵
- Loads dropped DLL
- Program crash
PID:1016
Network
MITRE ATT&CK Enterprise v15
Downloads