berbew | d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
Size

93KB
MD5

9779d8f71f27e8d0f2a5c06ae6c81a60
SHA1

63e7f7a2f946e9b2993959a3a6d5b1262686c53c
SHA256

d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122
SHA512

736e20b7af217bea56c0c8c5905ab4c6385fd18bdd84a9952010e54de55776c40d893f5e6d0eb5732db91119fab001a44c071c46b722f0274218a9ab464d47b9
SSDEEP

1536:sC23xTTWOiSNhHuHrE0Yv13DmRHe7Tdxvfs1DaYfMZRWuLsV+1Z:sJBTqOhTv1T77jsgYfc0DV+1Z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 21 IoCs

pid	Process
2216	Bccmmf32.exe
2788	Bniajoic.exe
2732	Bqgmfkhg.exe
1200	Bmnnkl32.exe
2560	Bffbdadk.exe
1776	Bieopm32.exe
2928	Bbmcibjp.exe
2100	Bjdkjpkb.exe
664	Cbppnbhm.exe
2956	Ckhdggom.exe
2880	Cbblda32.exe
1848	Cnimiblo.exe
1892	Cbdiia32.exe
1988	Cgaaah32.exe
1740	Ckmnbg32.exe
300	Cgcnghpl.exe
940	Cnmfdb32.exe
2524	Calcpm32.exe
1656	Cfhkhd32.exe
2444	Dmbcen32.exe
2460	Dpapaj32.exe

Loads dropped DLL 45 IoCs

pid	Process
2756	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
2756	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
2216	Bccmmf32.exe
2216	Bccmmf32.exe
2788	Bniajoic.exe
2788	Bniajoic.exe
2732	Bqgmfkhg.exe
2732	Bqgmfkhg.exe
1200	Bmnnkl32.exe
1200	Bmnnkl32.exe
2560	Bffbdadk.exe
2560	Bffbdadk.exe
1776	Bieopm32.exe
1776	Bieopm32.exe
2928	Bbmcibjp.exe
2928	Bbmcibjp.exe
2100	Bjdkjpkb.exe
2100	Bjdkjpkb.exe
664	Cbppnbhm.exe
664	Cbppnbhm.exe
2956	Ckhdggom.exe
2956	Ckhdggom.exe
2880	Cbblda32.exe
2880	Cbblda32.exe
1848	Cnimiblo.exe
1848	Cnimiblo.exe
1892	Cbdiia32.exe
1892	Cbdiia32.exe
1988	Cgaaah32.exe
1988	Cgaaah32.exe
1740	Ckmnbg32.exe
1740	Ckmnbg32.exe
300	Cgcnghpl.exe
300	Cgcnghpl.exe
940	Cnmfdb32.exe
940	Cnmfdb32.exe
2524	Calcpm32.exe
2524	Calcpm32.exe
1656	Cfhkhd32.exe
1656	Cfhkhd32.exe
2444	Dmbcen32.exe
2444	Dmbcen32.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bieopm32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	Bniajoic.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bniajoic.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2004	2460	WerFault.exe	51

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2216	2756	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe	31
PID 2756 wrote to memory of 2216	2756	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe	31
PID 2756 wrote to memory of 2216	2756	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe	31
PID 2756 wrote to memory of 2216	2756	d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe	31
PID 2216 wrote to memory of 2788	2216	Bccmmf32.exe	32
PID 2216 wrote to memory of 2788	2216	Bccmmf32.exe	32
PID 2216 wrote to memory of 2788	2216	Bccmmf32.exe	32
PID 2216 wrote to memory of 2788	2216	Bccmmf32.exe	32
PID 2788 wrote to memory of 2732	2788	Bniajoic.exe	33
PID 2788 wrote to memory of 2732	2788	Bniajoic.exe	33
PID 2788 wrote to memory of 2732	2788	Bniajoic.exe	33
PID 2788 wrote to memory of 2732	2788	Bniajoic.exe	33
PID 2732 wrote to memory of 1200	2732	Bqgmfkhg.exe	34
PID 2732 wrote to memory of 1200	2732	Bqgmfkhg.exe	34
PID 2732 wrote to memory of 1200	2732	Bqgmfkhg.exe	34
PID 2732 wrote to memory of 1200	2732	Bqgmfkhg.exe	34
PID 1200 wrote to memory of 2560	1200	Bmnnkl32.exe	35
PID 1200 wrote to memory of 2560	1200	Bmnnkl32.exe	35
PID 1200 wrote to memory of 2560	1200	Bmnnkl32.exe	35
PID 1200 wrote to memory of 2560	1200	Bmnnkl32.exe	35
PID 2560 wrote to memory of 1776	2560	Bffbdadk.exe	36
PID 2560 wrote to memory of 1776	2560	Bffbdadk.exe	36
PID 2560 wrote to memory of 1776	2560	Bffbdadk.exe	36
PID 2560 wrote to memory of 1776	2560	Bffbdadk.exe	36
PID 1776 wrote to memory of 2928	1776	Bieopm32.exe	37
PID 1776 wrote to memory of 2928	1776	Bieopm32.exe	37
PID 1776 wrote to memory of 2928	1776	Bieopm32.exe	37
PID 1776 wrote to memory of 2928	1776	Bieopm32.exe	37
PID 2928 wrote to memory of 2100	2928	Bbmcibjp.exe	38
PID 2928 wrote to memory of 2100	2928	Bbmcibjp.exe	38
PID 2928 wrote to memory of 2100	2928	Bbmcibjp.exe	38
PID 2928 wrote to memory of 2100	2928	Bbmcibjp.exe	38
PID 2100 wrote to memory of 664	2100	Bjdkjpkb.exe	39
PID 2100 wrote to memory of 664	2100	Bjdkjpkb.exe	39
PID 2100 wrote to memory of 664	2100	Bjdkjpkb.exe	39
PID 2100 wrote to memory of 664	2100	Bjdkjpkb.exe	39
PID 664 wrote to memory of 2956	664	Cbppnbhm.exe	40
PID 664 wrote to memory of 2956	664	Cbppnbhm.exe	40
PID 664 wrote to memory of 2956	664	Cbppnbhm.exe	40
PID 664 wrote to memory of 2956	664	Cbppnbhm.exe	40
PID 2956 wrote to memory of 2880	2956	Ckhdggom.exe	41
PID 2956 wrote to memory of 2880	2956	Ckhdggom.exe	41
PID 2956 wrote to memory of 2880	2956	Ckhdggom.exe	41
PID 2956 wrote to memory of 2880	2956	Ckhdggom.exe	41
PID 2880 wrote to memory of 1848	2880	Cbblda32.exe	42
PID 2880 wrote to memory of 1848	2880	Cbblda32.exe	42
PID 2880 wrote to memory of 1848	2880	Cbblda32.exe	42
PID 2880 wrote to memory of 1848	2880	Cbblda32.exe	42
PID 1848 wrote to memory of 1892	1848	Cnimiblo.exe	43
PID 1848 wrote to memory of 1892	1848	Cnimiblo.exe	43
PID 1848 wrote to memory of 1892	1848	Cnimiblo.exe	43
PID 1848 wrote to memory of 1892	1848	Cnimiblo.exe	43
PID 1892 wrote to memory of 1988	1892	Cbdiia32.exe	44
PID 1892 wrote to memory of 1988	1892	Cbdiia32.exe	44
PID 1892 wrote to memory of 1988	1892	Cbdiia32.exe	44
PID 1892 wrote to memory of 1988	1892	Cbdiia32.exe	44
PID 1988 wrote to memory of 1740	1988	Cgaaah32.exe	45
PID 1988 wrote to memory of 1740	1988	Cgaaah32.exe	45
PID 1988 wrote to memory of 1740	1988	Cgaaah32.exe	45
PID 1988 wrote to memory of 1740	1988	Cgaaah32.exe	45
PID 1740 wrote to memory of 300	1740	Ckmnbg32.exe	46
PID 1740 wrote to memory of 300	1740	Ckmnbg32.exe	46
PID 1740 wrote to memory of 300	1740	Ckmnbg32.exe	46
PID 1740 wrote to memory of 300	1740	Ckmnbg32.exe	46

C:\Users\Admin\AppData\Local\Temp\d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe
"C:\Users\Admin\AppData\Local\Temp\d566a4aa3b3c4e10b6fc08f8b9c351acea70b5f6afa55ded98f8bbdaf0550122N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\Bccmmf32.exe
  C:\Windows\system32\Bccmmf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Bniajoic.exe
    C:\Windows\system32\Bniajoic.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\Bqgmfkhg.exe
      C:\Windows\system32\Bqgmfkhg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:300
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 144
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bniajoic.exe

Filesize
93KB

MD5
ce0e8a0aee09fb75702a7be466d53e3f

SHA1
b34cf14031914eebafe6f51c6599b73d2eeefd3b

SHA256
9ec13f244e20d5db99938744276185e68d918613960935917d4f6d1caf45f538

SHA512
eb03f170f7436e3eb19271b2b6960e1acc2b81beaf8494b6527c3c40877db92c266382acc07f648984fa5e039e2b9ef64dc5a34cd2498352a9f2ea62ffd88ce0

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
93KB

MD5
842d01629aa867e6e6a0163ed58c2beb

SHA1
4b58461840cd5b28f8cd961b4e292bb94085feb5

SHA256
a452d11c4847c41471fa7deeffcc64cc067567e9f03db973f448c13e93ee98ec

SHA512
9fde112b05238c020940593108aff23cc08e7ebd2eeafe846a93b94105f15a343a18f7d4329f7096f3ac185c09e93231348da3d173b33c5de9396fc76a3c2e13

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
93KB

MD5
befab6969f9545520cb80a9bbdcc4e33

SHA1
7b418d27b3025d660e94cb2058f64f4db43f29d9

SHA256
2ba24ad7e19c53097a6548c7e495dfc65572369c9ffdbfaea3c579c4c65ca4b9

SHA512
a84600ecb24374616d2fef962963ffa3cdd043a1747e9262938b31811292ff4498056ffa3c728db30e29f2446f683949f6f7d49d57ae97fb12e39f5a05b27609

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
93KB

MD5
1e35f26120b04bbb53d276d4cdad2506

SHA1
91d3fed7883cc79814e8dba39fc75a8574e5140f

SHA256
7252261c55aae44eb927d6474a9f2d9a68e83e4b5ee226a21ad5f693b2b9dc14

SHA512
109220c403bcf3c8a00d30560576815607d20ece201a15ca66e79baa4c8dcbeff5dd9eb85af0856b24bf7dd7451664d659c27a798033ae8766b29a92b34fbcfe

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
93KB

MD5
7f52bda05c2c0bed67afab11d7ec156f

SHA1
274ea6cf4662344b68fb6ac51ba3d24ff887da56

SHA256
b6c4c870e905600f122329810828b7a4e40a6996a4587801ad47f50f78d12689

SHA512
23ed91955b9b0e0a2abad8042bec122713d0237e0ca98796ab5606fc47724716d19e4e5fad1270c0d541342b1f58c8a60ede32b6c6ffcb100a004beed9dd2586

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
93KB

MD5
ea76ecc8587586238d3fa5754bf140e4

SHA1
a22b3e2c06fbc216787a920e98d9362941edccc4

SHA256
3e1f16f3a5510170b9efd26b695f5d2da36856941aa9d6361e47233e35635047

SHA512
072c45b505d0d35407ef1ee0c51fae60a7d09e482766db2d51964b65b1ece77c3d55ae680271b3c8bcb0a03d61e3fb551908a1b8374f3a42164e2891133e6872

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
93KB

MD5
f09bf67b6cc0400a24087a669079d765

SHA1
34ad639b1b9c23cad2a02de66bef8d6e94068e0a

SHA256
0d8ece7dc5221d0602ed4c79c28fb6ca4d7b99276531662efe403733e1404f4f

SHA512
14ed17a991cbbfc447b15e1b8661dea6b3dc8fe4b98080da01ff6b962656c51e961b637e10a3c0b0c5eb050c515e12a8077cdb2ea5a06141bcdd58021401676e

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
93KB

MD5
99a4472aaedb89ba1678ab3b66f680ea

SHA1
b66aa0655f997d642b40e0d69615e60b01bcff50

SHA256
8ef014c140616333b7b25a30d8ec3ad1533c9d146e637d01de52fe3e018b094f

SHA512
94785da59d6c20127ad9e1ec56bd28131c96c797cc6e934368e43bd5ce49a14deb0c7896a05e62f8e3c44fb965dc556f41ca116d5b615e740d7eaf9db3ac742c

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
93KB

MD5
48baf90c9832ac79c68059d6d87cfca8

SHA1
bacb444eba1df9e95e96c0de758ec54c2a868d45

SHA256
44c4ded46f9945f871f6acbaf973e06f5362d219dcb57be6e0af067277b75ccf

SHA512
78625e1649718ed40c893474e2b0b9ae8134248f4dc4860ec23610c0a5f10a4e61213df222de9f04421eacd62d0735fb815467a383f75a568afc2419d41a7441

Download Submit
\Windows\SysWOW64\Bccmmf32.exe

Filesize
93KB

MD5
aebee855abf31c94cd9a33d2595443e2

SHA1
1ff37b813bb3ca9640fcfdf8ad5ae87c11c2a047

SHA256
ecb33a7a44828e134b099b36c36cc4986696d6abf042fee37ef9e7acab984fc4

SHA512
34116b5973e42c83dc518317ef7d0aeb368dcc0d87afca0e2a72f7609880bc1dd314b940bc5496f290dc787f9ec7836dd7b6451ac7b81ff83829209874c0070a

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
93KB

MD5
dc74045a15b25525207993f295632494

SHA1
ea97ce8d319332258892543a5cbba8810cf5fb9f

SHA256
7fa37bc11e0739e91d0e249f708980cd9b1dd41932a27af1d7f75ca436d86b4e

SHA512
eaaf5e9b75f3369c3977c62c824b0c477bccc0fe10e36951a96c81c33cfd375b79fd089628c180c011d0e25b7b52c5021ad296c9ba93795059c992f62675b6b2

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
93KB

MD5
49cae37fee5fd8c73f6eb12688ca2220

SHA1
b5f0902a2adce1c595d5dcd56850d1eb3365d40a

SHA256
a6e4b0e8adcd6bd7cb3ce5c40e100376a10be25496c25aac6722ff023b7c4921

SHA512
ddf299ab2cfeded8a257e675a87ad7b60e366f45bd11eb8076b7345cd38cb569ee15153ee85b2a9d2ecbc643d9f4eb8469e316119f313027a96245376232a991

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
93KB

MD5
e85e4b4a8336c893c866863d334514fe

SHA1
db22c65d49dec724973839c0a8fd34afaf94bd5e

SHA256
abca555f11bbe927e5e4b7d6924d96167138d119d5e5a3e1cdd625557eb8289f

SHA512
6299dcb29f0c18deeeb3b3afc2a4bb3d973d96ab8d58e88a8d6bdd44fed82b2ff0548b7bca91c0b908debdd4fb3c9e3312d865716947d65afde864851e64cac4

Download Submit
\Windows\SysWOW64\Bmnnkl32.exe

Filesize
93KB

MD5
f9d22713a6df21937097be7b54cd3117

SHA1
14f98d8b95529b975909a70ad377c68684ac56ce

SHA256
248bd7355241fcbdb55c01df932ab0a58f92f3d0b002c27b6f82723b1df25fe8

SHA512
e2f6e0d058182ec83850c07ddab474ac04a56d0a84ab8184e5984f556269ba4b6087861ee03e15c5e525e4c511010baafd027625a42b161f8f61ba87268622bb

Download Submit
\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
93KB

MD5
0c76b2387d4f43a26289835aa6257c87

SHA1
77b5f04ff2e93755d50b4303ef9c1cd322d94a40

SHA256
5f099a94ed29e5a77cb8ce8f2ac66f1af81c64b9d3d1602bdd4c9275bfb75a01

SHA512
2a739d012bc66b3713a8c1602ad7ee769e5f78dbeba3a3ca310a079189242de76c4d6c0643eca44bc3f8ab071e5b315337432db056e11cf239409e6df9fa0826

Download Submit
\Windows\SysWOW64\Cbdiia32.exe

Filesize
93KB

MD5
621439423eee7c2199f53d4ffefe2125

SHA1
efbc2881ba791a007e3be3306bb1f272cfbca32d

SHA256
12199588b059218130a88eea10f89bc368746d47099406fa30aae6481fccc664

SHA512
7451a012456aa2b17015023333b800aaddaca5d54b960e4490afd009221d5fed30bc42bfdbfc9c81d3be06bcfc409254e0b5246fb720bf0c95362df6b56ab843

Download Submit
\Windows\SysWOW64\Cbppnbhm.exe

Filesize
93KB

MD5
89e4ab9751815f2354b12af2c19b897c

SHA1
cbe0c3bd931f7beaee01773c207a0cb336aaf68e

SHA256
7ffed038b04fffb667aef17c37aa8c80aeb7f67028f283c5851d59d3feffd350

SHA512
1e304571f74af1dbe317d99ca1208dda2d11ae55b7d3c06172ee40aea6677be58c6a41ecb6474f2920d070829ef1946b4f34fc12361d24314eb5d9047341ab5b

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
93KB

MD5
e5ce3ec88ed6180b0aee276179a9d5d0

SHA1
20b241524c40fe17f2abce0fbf8acff3ed225ca4

SHA256
cbca86f5ae00ab75f8fe2bfe14ef63bd187724a3b4da5e9dd2c4386e6de1a758

SHA512
e12f777270d50b6a1219ec16265d6861ccda5cb8d58c7923f0e7e2a0080dddaa74f415e90428ef8e9fe4da994417deeaaa8da124406ad9d033e35c54e4124f2a

Download Submit
\Windows\SysWOW64\Ckhdggom.exe

Filesize
93KB

MD5
9958aadc8ae142e1e9eb0050ba79f934

SHA1
fc016aa997049a05e82d312f328acfd2e24fb23f

SHA256
cd5f561f209d7a9d7f22341eca6dfe60800ac0a07792cd615e2e283b7f8befba

SHA512
54136064477068e97e3fdb449647f929c941b71f5e3a536453a45a13310eee7a8601e1464614e3f03304a1e93d41e135bf23a33781dbf686eef41bbbad060b39

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
93KB

MD5
5537b0a882f374b7159b3e161dc7c2ea

SHA1
b0d899e708e0b52a77e1c93badd8fa3dfa148704

SHA256
7f1578ad2255666e7c33c9090a16c9d76d8a262fb46f70bd4332747c257f4374

SHA512
a388f10e3af17b3474085d9d41a4f51dfff7aee713f27b6a090f3580d546bdfb1043882c9c03e738a58f15d4db942b9e676d3a20f5830312549603ac7e46821f

Download Submit
\Windows\SysWOW64\Cnimiblo.exe

Filesize
93KB

MD5
c397400128dde975c92dc9f0d35fe766

SHA1
b1a29bd6d90e462cf918466f585f2f5a72993eeb

SHA256
c3412c5fc45f3b406235338369166747d879e3aa87ed6c7b3a92d9524232660c

SHA512
64df40a60caedd05e5a9dd0cd219923d1e700ff069b29902942e0ea65bd4b8ee9979e26a6a6b4ca73c8d50b8ba34e2331e09a0bb7ad02ce73af9f9dd8b301639

Download Submit
memory/300-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/300-221-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/664-131-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/664-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-206-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1740-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-117-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2100-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-75-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2560-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-52-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2732-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-13-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2756-12-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2756-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-104-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2928-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads