berbew | 0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
Size

92KB
MD5

7c42456285433a5be9b64071ddafd392
SHA1

8cd06466d6cea4607a92ede163ec5fba71ca17d0
SHA256

0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b
SHA512

e89c4b5a5ed1ef4ade012a93ea7dc7303da38bcc9727d8013dba6fa02f801cf08e521bffde35e86be479afa74b8873732c740bb0cca7b68c5d5a28a9554e300a
SSDEEP

1536:VUHgi1cXZxhAuKi5x25vUTquo/EumqcljPXSkVKrvAUDN3imnunGP+y:VyHGJxGuKiZoWJVGvDDVbe4+y

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocphf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 19 IoCs

pid	Process
624	Bbbpenco.exe
568	Bdqlajbb.exe
2504	Bdcifi32.exe
3056	Bmnnkl32.exe
2220	Boljgg32.exe
1948	Bjbndpmd.exe
2648	Bcjcme32.exe
2416	Bigkel32.exe
1712	Cenljmgq.exe
2356	Cocphf32.exe
1596	Cfmhdpnc.exe
2928	Cnimiblo.exe
2956	Cgaaah32.exe
2188	Cnkjnb32.exe
2156	Cjakccop.exe
2976	Cmpgpond.exe
1628	Djdgic32.exe
2292	Dmbcen32.exe
2580	Dpapaj32.exe

Loads dropped DLL 41 IoCs

pid	Process
956	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
956	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
624	Bbbpenco.exe
624	Bbbpenco.exe
568	Bdqlajbb.exe
568	Bdqlajbb.exe
2504	Bdcifi32.exe
2504	Bdcifi32.exe
3056	Bmnnkl32.exe
3056	Bmnnkl32.exe
2220	Boljgg32.exe
2220	Boljgg32.exe
1948	Bjbndpmd.exe
1948	Bjbndpmd.exe
2648	Bcjcme32.exe
2648	Bcjcme32.exe
2416	Bigkel32.exe
2416	Bigkel32.exe
1712	Cenljmgq.exe
1712	Cenljmgq.exe
2356	Cocphf32.exe
2356	Cocphf32.exe
1596	Cfmhdpnc.exe
1596	Cfmhdpnc.exe
2928	Cnimiblo.exe
2928	Cnimiblo.exe
2956	Cgaaah32.exe
2956	Cgaaah32.exe
2188	Cnkjnb32.exe
2188	Cnkjnb32.exe
2156	Cjakccop.exe
2156	Cjakccop.exe
2976	Cmpgpond.exe
2976	Cmpgpond.exe
1628	Djdgic32.exe
1628	Djdgic32.exe
2292	Dmbcen32.exe
2292	Dmbcen32.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe

Drops file in System32 directory 59 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Godonkii.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Bbbpenco.exe	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Bigkel32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Bbbpenco.exe	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2020	2580	WerFault.exe	49

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll"	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bigkel32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 624	956	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe	31
PID 956 wrote to memory of 624	956	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe	31
PID 956 wrote to memory of 624	956	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe	31
PID 956 wrote to memory of 624	956	0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe	31
PID 624 wrote to memory of 568	624	Bbbpenco.exe	32
PID 624 wrote to memory of 568	624	Bbbpenco.exe	32
PID 624 wrote to memory of 568	624	Bbbpenco.exe	32
PID 624 wrote to memory of 568	624	Bbbpenco.exe	32
PID 568 wrote to memory of 2504	568	Bdqlajbb.exe	33
PID 568 wrote to memory of 2504	568	Bdqlajbb.exe	33
PID 568 wrote to memory of 2504	568	Bdqlajbb.exe	33
PID 568 wrote to memory of 2504	568	Bdqlajbb.exe	33
PID 2504 wrote to memory of 3056	2504	Bdcifi32.exe	34
PID 2504 wrote to memory of 3056	2504	Bdcifi32.exe	34
PID 2504 wrote to memory of 3056	2504	Bdcifi32.exe	34
PID 2504 wrote to memory of 3056	2504	Bdcifi32.exe	34
PID 3056 wrote to memory of 2220	3056	Bmnnkl32.exe	35
PID 3056 wrote to memory of 2220	3056	Bmnnkl32.exe	35
PID 3056 wrote to memory of 2220	3056	Bmnnkl32.exe	35
PID 3056 wrote to memory of 2220	3056	Bmnnkl32.exe	35
PID 2220 wrote to memory of 1948	2220	Boljgg32.exe	36
PID 2220 wrote to memory of 1948	2220	Boljgg32.exe	36
PID 2220 wrote to memory of 1948	2220	Boljgg32.exe	36
PID 2220 wrote to memory of 1948	2220	Boljgg32.exe	36
PID 1948 wrote to memory of 2648	1948	Bjbndpmd.exe	37
PID 1948 wrote to memory of 2648	1948	Bjbndpmd.exe	37
PID 1948 wrote to memory of 2648	1948	Bjbndpmd.exe	37
PID 1948 wrote to memory of 2648	1948	Bjbndpmd.exe	37
PID 2648 wrote to memory of 2416	2648	Bcjcme32.exe	38
PID 2648 wrote to memory of 2416	2648	Bcjcme32.exe	38
PID 2648 wrote to memory of 2416	2648	Bcjcme32.exe	38
PID 2648 wrote to memory of 2416	2648	Bcjcme32.exe	38
PID 2416 wrote to memory of 1712	2416	Bigkel32.exe	39
PID 2416 wrote to memory of 1712	2416	Bigkel32.exe	39
PID 2416 wrote to memory of 1712	2416	Bigkel32.exe	39
PID 2416 wrote to memory of 1712	2416	Bigkel32.exe	39
PID 1712 wrote to memory of 2356	1712	Cenljmgq.exe	40
PID 1712 wrote to memory of 2356	1712	Cenljmgq.exe	40
PID 1712 wrote to memory of 2356	1712	Cenljmgq.exe	40
PID 1712 wrote to memory of 2356	1712	Cenljmgq.exe	40
PID 2356 wrote to memory of 1596	2356	Cocphf32.exe	41
PID 2356 wrote to memory of 1596	2356	Cocphf32.exe	41
PID 2356 wrote to memory of 1596	2356	Cocphf32.exe	41
PID 2356 wrote to memory of 1596	2356	Cocphf32.exe	41
PID 1596 wrote to memory of 2928	1596	Cfmhdpnc.exe	42
PID 1596 wrote to memory of 2928	1596	Cfmhdpnc.exe	42
PID 1596 wrote to memory of 2928	1596	Cfmhdpnc.exe	42
PID 1596 wrote to memory of 2928	1596	Cfmhdpnc.exe	42
PID 2928 wrote to memory of 2956	2928	Cnimiblo.exe	43
PID 2928 wrote to memory of 2956	2928	Cnimiblo.exe	43
PID 2928 wrote to memory of 2956	2928	Cnimiblo.exe	43
PID 2928 wrote to memory of 2956	2928	Cnimiblo.exe	43
PID 2956 wrote to memory of 2188	2956	Cgaaah32.exe	44
PID 2956 wrote to memory of 2188	2956	Cgaaah32.exe	44
PID 2956 wrote to memory of 2188	2956	Cgaaah32.exe	44
PID 2956 wrote to memory of 2188	2956	Cgaaah32.exe	44
PID 2188 wrote to memory of 2156	2188	Cnkjnb32.exe	45
PID 2188 wrote to memory of 2156	2188	Cnkjnb32.exe	45
PID 2188 wrote to memory of 2156	2188	Cnkjnb32.exe	45
PID 2188 wrote to memory of 2156	2188	Cnkjnb32.exe	45
PID 2156 wrote to memory of 2976	2156	Cjakccop.exe	46
PID 2156 wrote to memory of 2976	2156	Cjakccop.exe	46
PID 2156 wrote to memory of 2976	2156	Cjakccop.exe	46
PID 2156 wrote to memory of 2976	2156	Cjakccop.exe	46

C:\Users\Admin\AppData\Local\Temp\0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe
"C:\Users\Admin\AppData\Local\Temp\0f8f4815fa82919b5f3c1e7d095ab3f3dea5470950e9eb8619aa9d6694d0d00b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\Bbbpenco.exe
  C:\Windows\system32\Bbbpenco.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\Bdqlajbb.exe
    C:\Windows\system32\Bdqlajbb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\Bdcifi32.exe
      C:\Windows\system32\Bdcifi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 144
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
92KB

MD5
0016e0d3ff2e0a9abde8e3869074cdeb

SHA1
6fe0ba419ecc12a4d003f36e06321e6861eeaebe

SHA256
ba8e951f075c93dd912b6b7ee1e286eb6c10de3a56bee88f6acabc7514aeccff

SHA512
9e9318d84a499195c35c12b76472f53e77c9924e25eb1d726e151de5561b0b79b8535ce732ff06d9328776472758f8dfa804baea6e5de02d98fc576715a26226

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
92KB

MD5
0fea9601713c2c1e83ec6370f7e9f26e

SHA1
034420cbea2d131e94ed33b2e9a973e070200c75

SHA256
b6d01483fe7f235a954251421627200705f8be60a002ba685e2d84f305894659

SHA512
6b7022d59f684ce50f5d7cc0850853bb401774487d3f29871a80ddeae649fc76066c1696d0b95e81fb43b0b9f323ad643936b1ab96406bc9e92bee87c2d2baa6

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
92KB

MD5
25b654fcc5bae34fc025ae61f832aad3

SHA1
0e61e1364ee004cde96df16447c2c0cf1e949660

SHA256
ff8f4e3c43b1e20d182eb40944a687254173fe177873e00f1cf1ef3cf8ea3858

SHA512
fd5ca825875696362aeaeb6ee373d06fe910009e650f78fbdcac93743cdc8290c43288e49e34dcaad44c9d160316efea260ed7302b288e5e47d8f954c118ebf3

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
92KB

MD5
16731ab4f6e5221a663b2dfb388aea29

SHA1
3a7a3c7b81c052de900eb9ab4b62e8593799c1fc

SHA256
8510bdc7824a6e0abf5ffee4dd9648fb5bc2fa05882e248f0137b0abaa477409

SHA512
d170a24c906d86da6ae692946e03c46111b3c1d61fb7f4a3db58e087c6c7a60682a0213e3d9724c81e77077499a85a0e81d3e03d65992dd68ae8ae82c2894032

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
92KB

MD5
48560f5533cb035fc439de10f7f6d12f

SHA1
2314ac85d73cb1cc7a350871a204da46762e64e3

SHA256
fdc1a303765143d46286022eece8c81dab3512a4a9386b1416e5303a13cbe1d8

SHA512
b2bef4a67af8058ab3e1fdd879b4e895d40570bb288b3eec6b47d68f1379413b57847b74ad69167e77fd9e01fa77309adf2252094ab803f37ad596bc3e24de9e

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
92KB

MD5
b64ef1edef6f8d705a87dd9032a401d9

SHA1
74c32a1be33f9091bbe119ba5200faa78629d8db

SHA256
0f822bf5114ff6f76d59ae81c7dea41f7721a4ee7771de518498dc08f58835c8

SHA512
d0c896879c7ca13e0cdb033bba2b8628c1e8d9da4fe80e3235788c907e18b6267a3b1b6e940220e3389247a45bac39ffc515f756a45f4ea9db3bfd9dd15f3951

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
92KB

MD5
0da891c4b9dce4cbb7f1028ea1018f70

SHA1
f16ba4d7888251ba4e6190e49a82298c449f3da3

SHA256
f56befe067f48f9146723512f3d7547deaac217a1ff626b08a7d0714191cec02

SHA512
00134493d3518967e97d4cf13f6b09a3d3af369a145c186c82bd01d8e7e70ae65f0744d0647de1d0d7d12eed2ef5decedad3c45183d026932f6d20c443e9ac7b

Download Submit
C:\Windows\SysWOW64\Jdpkmjnb.dll

Filesize
7KB

MD5
1e6f6f5c7dcc628824db8be8b95dc162

SHA1
20fb1e7547be18d57f99446f890eae90b31d165b

SHA256
a8d27990bef1bb1109cadb45fd45af5485a6b013df68494688d9b2d1219355d5

SHA512
c1c3c3ba91184a4196c3931b6b886ce395db1e1d1e54ab2d09fd930c0a659adc264912001da900ef1a0f203479c7e5928250f8465f401606f974722403056504

Download Submit
\Windows\SysWOW64\Bcjcme32.exe

Filesize
92KB

MD5
9e406e84b8a622eb8359eb3ff8732a58

SHA1
a5f94b7e9fd31e5fa4687d670da471934a9c391d

SHA256
65497959127201ec6779494a3d5dad4c7a1e976a2b46b726d4aa7d77953042c2

SHA512
2c36fc68bf4ffbc961aded124fd0251d445bfecda012a6ff6df0a75bdc34e797ae7dcb9007028cfce2aa43285125448f1dcc2be162112e1223b1f2e189ca7fb4

Download Submit
\Windows\SysWOW64\Bdcifi32.exe

Filesize
92KB

MD5
5e1cbc3b60924d2f02547fe80e2eff62

SHA1
772ea80bd5a111954bba74a9d532e9928c51f7a9

SHA256
09be4636f0e5376741b941c7fe0087629ff71d137fba55989a294b65aa822755

SHA512
a0ea2aa67d40d2ea47316baa09befcd241d63d0f3b8055f3a67cf9a6f4268cc252bdbeb81e8553ab33609269addba7c76d5220225f559940ce66586193bb5ce3

Download Submit
\Windows\SysWOW64\Bjbndpmd.exe

Filesize
92KB

MD5
4d5733bf235e598d88cea8253abb389c

SHA1
4cc7cdd267dd04ad3e81012ece52f03640116f1f

SHA256
8d348365195175f350eb50848e8cbf7567d93eece34943ddfe8846188a075032

SHA512
00c430e0ca202aaf6cd4acf9625e46d5afc8bc9d76fc809b9e3a79e16245536d2a669a67ffdcfd5af60b83107271b746ba498d65eae04de901b97854fc4196f3

Download Submit
\Windows\SysWOW64\Bmnnkl32.exe

Filesize
92KB

MD5
0d18d560b1a464bf34800a96ffad73e9

SHA1
717baf00696d8854d603f737be39f969904a3c4a

SHA256
5e8b915e301dd02e0be093b2458c99cf4c2b9d79387062253cd855c8c37b922e

SHA512
2352ea74821e818ee1ce9695c9ed900a18478ceedd9b8c82ebc5233ecb9be4bf59232fdd763e762f088ff26e66f021c933b0695e49b51ac9dd6ccb76d383ab0b

Download Submit
\Windows\SysWOW64\Boljgg32.exe

Filesize
92KB

MD5
9f7f09d256a7dc520ac6b2b5fe9d438e

SHA1
7ca507256c1f0ab4b254dfcf9f08f2857cd83274

SHA256
2121f3aebf99ad08a614df911af47dbde730280d28cf18b17c7993e6610c7a22

SHA512
79cd0ee837c54514f3869b186fc26bc2680148e78655158713e5ceaf7c90982de635fc1ec3c77350831b495e0b8cf43ae05c345a5cecbe3ed56a3be82461b640

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
92KB

MD5
954c3a0a8131f4043e839df931861feb

SHA1
d37e07ddc09e11fec113241becc025fc2c25a711

SHA256
d592b100dba32ae05a9f10d06f68a8dfadabe06c38147cea9229e11e8d87030d

SHA512
b2bfb7f4fa91c715db29e17dcda0296b8e23989843236c729c312b23c03434c22792d67579bcfd6cedf418000a66c38479eb1b6e9318aaed60c531584b01e330

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
92KB

MD5
ee940dca75f9f740edaafd9e5edc0d45

SHA1
5e98ce762fe16fd331c6f81d113e7f41d62d7718

SHA256
390e13c0a6f525f51a54c9262a6a7c1cf1ba09a8fef9215eec2bea6bb6f0a512

SHA512
193301ef0b5b408a1bb6ed8c3e7e1bfbf5dc8e6a63e5b20a5e0f8be98cc5d4d72f7a438493d4e666dd4b701174ef74fc4ad3167dadea863288be185365373096

Download Submit
\Windows\SysWOW64\Cgaaah32.exe

Filesize
92KB

MD5
e20805bf609f2db0f7f5726ea1f60467

SHA1
1b7c12807839d028c039c0ea1524f5dbc01a9dd3

SHA256
6f3305991b505fe1b81eb7df0773e7205bcea93e3b3b9ba077b509cf8c333a38

SHA512
17677a383e5b2bb296b5c131d50ac8b56f0f8e4e08ae54e21ba106ca8cbf160e475cec5f932ce16714d1030d8f3fae2690972c8580b53f28ce17a6fc0cc32eb5

Download Submit
\Windows\SysWOW64\Cjakccop.exe

Filesize
92KB

MD5
cf9fcf8a358a75f34b66045ec8f3057c

SHA1
2b9accc2092aec3068642102c84f5030abd5ab6a

SHA256
dfa7c4b992b55177bc56f5c13e6d655ab966ad25f7818e21364d4bbd94d40c39

SHA512
4b1bf8ec3a0bbdc9d47d9237ec594a2609d54547fdd2a9376f4869ec2e9538c57fc83ff50bf1aeb4824f94e20e5f0b56ebbbb7bd87126fe0cb03d69d066e82c8

Download Submit
\Windows\SysWOW64\Cmpgpond.exe

Filesize
92KB

MD5
5022f05989e41feeb9e254b19756ccf9

SHA1
c9f917ae997f734c656e049732e1545cb696db68

SHA256
f88706d9618cb01087472433cb7c82030caa5a29a7541641c18c106a8bbd752e

SHA512
fb3d8d6ddb7e0244eb1a19c5887757ff571c7d65f19a26bc3331d755595739507b48dd96c96fe6c9a34d348a94307cbdcd19bd43adecd35d5e4784df6cb8dfe4

Download Submit
\Windows\SysWOW64\Cnimiblo.exe

Filesize
92KB

MD5
11f3ade4c109136eee52fe2db243d271

SHA1
2fd45886a938f6e25f8ffacdf6dfa24178999b47

SHA256
f7e3f74a4b544f12ce8a97e7791b6148de5aa87c47b1bc6b3bfa57c9c6188623

SHA512
ebe0c085c74f88f10e3860c1ff71df535fdab97233754fb1f1590010e31ce96084931399382c87e6e59036f973fc8e2c0dbfe230cdc1b8267554183337343cac

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
92KB

MD5
bd146c3d96fc3f947bc356956819b1ef

SHA1
9318114e9279501a02f128c48ec1ab0af051e599

SHA256
d14b4fe74f6547d15c839db35677cb79f0234f43c81df7c8f490d0555ab97d7d

SHA512
e8790c8b52a7f48eaa2c010a0189130c892fe4dff900cf79c10bf996fcdb8c9e964031a53bc102b7def95eb4b1c38068ba8904451180ccf96b828d8d033cff29

Download Submit
memory/568-41-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/568-35-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/568-257-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/568-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/624-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/956-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/956-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/956-18-0x0000000000770000-0x00000000007A6000-memory.dmp

Filesize
216KB

Download
memory/956-17-0x0000000000770000-0x00000000007A6000-memory.dmp

Filesize
216KB

Download
memory/1596-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1628-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1628-246-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1712-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-253-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-88-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2156-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2156-205-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2188-194-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2188-186-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2188-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2220-67-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2220-254-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2220-75-0x0000000000330000-0x0000000000366000-memory.dmp

Filesize
216KB

Download
memory/2292-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-245-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2356-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2356-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2356-142-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2416-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2416-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2416-114-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2504-258-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-242-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-256-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2648-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2956-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-223-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2976-213-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3056-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3056-259-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads