berbew | 16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1e

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
Size

57KB
MD5

ead1577eb1c9a5a96b2618c26e3f8e10
SHA1

a2a53845edc7dfc52c1a02d8642cb6dcac7cbe5e
SHA256

16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1e
SHA512

d49aced771811250956795670a72aced40d2a162c56ae5c6d1fe57e75dffac4c6f80dece508a7ff46944d02961f8b5fc1b82ac31f2738a22f939619e3e18a862
SSDEEP

768:KZqQ97z+ftFzkKEHNTgqbMaujRDfM5TpdNKSYHqpSzpGF+CPQ/0pljzo/1H5TXdO:Twz+foKEHBpYoYKupGF+iQMljO7O

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 18 IoCs

pid	Process
624	Bnknoogp.exe
580	Boljgg32.exe
2744	Bmpkqklh.exe
3056	Boogmgkl.exe
2220	Bkegah32.exe
2924	Cfkloq32.exe
2652	Ckhdggom.exe
2396	Cbblda32.exe
536	Cgoelh32.exe
1740	Cpfmmf32.exe
1780	Cagienkb.exe
1048	Ckmnbg32.exe
1516	Ceebklai.exe
2956	Clojhf32.exe
2420	Cmpgpond.exe
2156	Cgfkmgnj.exe
2340	Djdgic32.exe
1348	Dpapaj32.exe

Loads dropped DLL 39 IoCs

pid	Process
1720	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
1720	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
624	Bnknoogp.exe
624	Bnknoogp.exe
580	Boljgg32.exe
580	Boljgg32.exe
2744	Bmpkqklh.exe
2744	Bmpkqklh.exe
3056	Boogmgkl.exe
3056	Boogmgkl.exe
2220	Bkegah32.exe
2220	Bkegah32.exe
2924	Cfkloq32.exe
2924	Cfkloq32.exe
2652	Ckhdggom.exe
2652	Ckhdggom.exe
2396	Cbblda32.exe
2396	Cbblda32.exe
536	Cgoelh32.exe
536	Cgoelh32.exe
1740	Cpfmmf32.exe
1740	Cpfmmf32.exe
1780	Cagienkb.exe
1780	Cagienkb.exe
1048	Ckmnbg32.exe
1048	Ckmnbg32.exe
1516	Ceebklai.exe
1516	Ceebklai.exe
2956	Clojhf32.exe
2956	Clojhf32.exe
2420	Cmpgpond.exe
2420	Cmpgpond.exe
2156	Cgfkmgnj.exe
2156	Cgfkmgnj.exe
2340	Djdgic32.exe
2340	Djdgic32.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe

Drops file in System32 directory 56 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1840	1348	WerFault.exe	48

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 624	1720	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe	31
PID 1720 wrote to memory of 624	1720	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe	31
PID 1720 wrote to memory of 624	1720	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe	31
PID 1720 wrote to memory of 624	1720	16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe	31
PID 624 wrote to memory of 580	624	Bnknoogp.exe	32
PID 624 wrote to memory of 580	624	Bnknoogp.exe	32
PID 624 wrote to memory of 580	624	Bnknoogp.exe	32
PID 624 wrote to memory of 580	624	Bnknoogp.exe	32
PID 580 wrote to memory of 2744	580	Boljgg32.exe	33
PID 580 wrote to memory of 2744	580	Boljgg32.exe	33
PID 580 wrote to memory of 2744	580	Boljgg32.exe	33
PID 580 wrote to memory of 2744	580	Boljgg32.exe	33
PID 2744 wrote to memory of 3056	2744	Bmpkqklh.exe	34
PID 2744 wrote to memory of 3056	2744	Bmpkqklh.exe	34
PID 2744 wrote to memory of 3056	2744	Bmpkqklh.exe	34
PID 2744 wrote to memory of 3056	2744	Bmpkqklh.exe	34
PID 3056 wrote to memory of 2220	3056	Boogmgkl.exe	35
PID 3056 wrote to memory of 2220	3056	Boogmgkl.exe	35
PID 3056 wrote to memory of 2220	3056	Boogmgkl.exe	35
PID 3056 wrote to memory of 2220	3056	Boogmgkl.exe	35
PID 2220 wrote to memory of 2924	2220	Bkegah32.exe	36
PID 2220 wrote to memory of 2924	2220	Bkegah32.exe	36
PID 2220 wrote to memory of 2924	2220	Bkegah32.exe	36
PID 2220 wrote to memory of 2924	2220	Bkegah32.exe	36
PID 2924 wrote to memory of 2652	2924	Cfkloq32.exe	37
PID 2924 wrote to memory of 2652	2924	Cfkloq32.exe	37
PID 2924 wrote to memory of 2652	2924	Cfkloq32.exe	37
PID 2924 wrote to memory of 2652	2924	Cfkloq32.exe	37
PID 2652 wrote to memory of 2396	2652	Ckhdggom.exe	38
PID 2652 wrote to memory of 2396	2652	Ckhdggom.exe	38
PID 2652 wrote to memory of 2396	2652	Ckhdggom.exe	38
PID 2652 wrote to memory of 2396	2652	Ckhdggom.exe	38
PID 2396 wrote to memory of 536	2396	Cbblda32.exe	39
PID 2396 wrote to memory of 536	2396	Cbblda32.exe	39
PID 2396 wrote to memory of 536	2396	Cbblda32.exe	39
PID 2396 wrote to memory of 536	2396	Cbblda32.exe	39
PID 536 wrote to memory of 1740	536	Cgoelh32.exe	40
PID 536 wrote to memory of 1740	536	Cgoelh32.exe	40
PID 536 wrote to memory of 1740	536	Cgoelh32.exe	40
PID 536 wrote to memory of 1740	536	Cgoelh32.exe	40
PID 1740 wrote to memory of 1780	1740	Cpfmmf32.exe	41
PID 1740 wrote to memory of 1780	1740	Cpfmmf32.exe	41
PID 1740 wrote to memory of 1780	1740	Cpfmmf32.exe	41
PID 1740 wrote to memory of 1780	1740	Cpfmmf32.exe	41
PID 1780 wrote to memory of 1048	1780	Cagienkb.exe	42
PID 1780 wrote to memory of 1048	1780	Cagienkb.exe	42
PID 1780 wrote to memory of 1048	1780	Cagienkb.exe	42
PID 1780 wrote to memory of 1048	1780	Cagienkb.exe	42
PID 1048 wrote to memory of 1516	1048	Ckmnbg32.exe	43
PID 1048 wrote to memory of 1516	1048	Ckmnbg32.exe	43
PID 1048 wrote to memory of 1516	1048	Ckmnbg32.exe	43
PID 1048 wrote to memory of 1516	1048	Ckmnbg32.exe	43
PID 1516 wrote to memory of 2956	1516	Ceebklai.exe	44
PID 1516 wrote to memory of 2956	1516	Ceebklai.exe	44
PID 1516 wrote to memory of 2956	1516	Ceebklai.exe	44
PID 1516 wrote to memory of 2956	1516	Ceebklai.exe	44
PID 2956 wrote to memory of 2420	2956	Clojhf32.exe	45
PID 2956 wrote to memory of 2420	2956	Clojhf32.exe	45
PID 2956 wrote to memory of 2420	2956	Clojhf32.exe	45
PID 2956 wrote to memory of 2420	2956	Clojhf32.exe	45
PID 2420 wrote to memory of 2156	2420	Cmpgpond.exe	46
PID 2420 wrote to memory of 2156	2420	Cmpgpond.exe	46
PID 2420 wrote to memory of 2156	2420	Cmpgpond.exe	46
PID 2420 wrote to memory of 2156	2420	Cmpgpond.exe	46

C:\Users\Admin\AppData\Local\Temp\16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe
"C:\Users\Admin\AppData\Local\Temp\16b4b059cbd1ac47675a3026ebe68186488c37fe2119e54e4315b4aad29abc1eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\Bnknoogp.exe
  C:\Windows\system32\Bnknoogp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\Boljgg32.exe
    C:\Windows\system32\Boljgg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\SysWOW64\Bmpkqklh.exe
      C:\Windows\system32\Bmpkqklh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 144
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
57KB

MD5
608260aaf6ee1ca240a05d74e6b22b64

SHA1
f6c6d9da34ba9aa91e0026adc3f92c1a77804132

SHA256
8641c047f0199bdd48d988831a9c6e8c9b10f3379c59be62f76f07c66f39d73c

SHA512
13736b57fec421934f0d3ce7a3395d31bba3789860e11c2626d1a39f2e83c850a71e75ec9afb03cf3ae3ce953df14815c21ebf66cf651c0be398eae758f1d523

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
57KB

MD5
66a8b6c4c4c5c4f2f0d0d220eca6df25

SHA1
0c4086c4479f9478c80f0d18f1c821532b0f6b5a

SHA256
f248cf81503ffc0f352d1edf1c51e5383a5c4f3fc1115122bf89f588138efa28

SHA512
0cae8dbe4470223a297f7690533a3c30a30b382e85c525871e44a334f49e468c504338c322e9f4edc8451dbe6eb678664ab2a1886f46a421aa41949a444f2cd6

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
57KB

MD5
dc3a5da1c732b953112c72d2145051b9

SHA1
b070a544a6b2ce70dc6f895beaf491c69b54b363

SHA256
6d31699a806ebe672eac72233a2a95fcbd63d33158728c3412dea437bf1f6fe6

SHA512
5b27e3885a9f5ba7edae1ca5c9568ee924d33cf9f46b01f3becdbe1c8fd140b2c2899d96f6d327fc7369090ede9d6762f19101feb60d3d31126c58187db6556f

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
57KB

MD5
4059cbd33254525021e86ba4112b494f

SHA1
07a34863e3ccba0a253fec4d9172a932b8362d9a

SHA256
c960cab6ce94398eef95035a3daaf56646a0218308692fc835f378d9d80c816c

SHA512
525d7ab0ca68bb24c4c640c3ce7d841410985c881e3516130704e21d0434468c501be13752c0d9e762a8101fd735bd3e0b6803d202f97e9ebc8cf0b49058847b

Download Submit
\Windows\SysWOW64\Bkegah32.exe

Filesize
57KB

MD5
93a841a30a69706e9d8d2a69b0a5ab60

SHA1
82c3da573f7850adb632c5f9421d03a45af3a8c1

SHA256
19e59038f46bec316cb2c164f9e31015810358fee1be4d19c30d1d9a1553d7d4

SHA512
9fa840cfbf42d2993e6feb8329836f6ce4ac9c09fd88d373f1b1f0081255f88b78f385de409a73ebd3018a4b1e48e5d7cbec0ea9c5dab206e17fb8483b70f0ac

Download Submit
\Windows\SysWOW64\Bmpkqklh.exe

Filesize
57KB

MD5
2d609e6202d8e58c7cf1ad7f20399f4a

SHA1
98b09c938590b90f3c86042f7dfd598b0bfd0814

SHA256
617ccf0aa872d6ff5c9e7ae9234fd9158203c6872bf1ec85aac49d2e5b4fb96d

SHA512
35e011b4d62fd06878b99c23616b8e7fa5a7c5ee5b538f247b146ba63db5bfd109e849b853161571e3c341feaf770311c22181b92a89eb9a41a6430a9d8e088a

Download Submit
\Windows\SysWOW64\Boljgg32.exe

Filesize
57KB

MD5
e1d90b00ebae2f580ecf3e53cc695b41

SHA1
815e3726d57e4f478db915aad33a5d56848d74b7

SHA256
d4acd970bcc1fc7d466795081a40fd1cb81da28b993325a90d69a4e66500fb66

SHA512
b5f3967f88976282f66366ac86630c46df067412de4f8a14ce5d32430bae59eea47ff9d2cd4bffd2a81b8af556e412517def5fdcf2638af9fe34cef9551a1eef

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
57KB

MD5
cf9a2775af73faae0a4ddd2d44805565

SHA1
dd5ed44cbe0942933494eb02245d066120d02c8c

SHA256
f17bbbfaa63a8be63fff1559d3e958256ffc153730196dbb4cfecf2572cc3b0c

SHA512
6158845d867aa749ce031c744fcfd3478754ecac040aff426157278c6f983f3c39b075095d6a3acab8de494c04140da11cc036b7000d9b931a6c216f380ae3a7

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
57KB

MD5
f409ffaade26fcac1000cb295fd55b8e

SHA1
4713917729fcc0332531023a509c1e8a7b634e3e

SHA256
6a1e655a741a43d020309273cb0616f91d54a4eea13ab09c4ba312440bad3058

SHA512
9f78a114c7ef8297ca6c68811bd8e7710136d45caceedee0ca9c7bd66593291fca2338fbf8995306459564ea30a68a76550413b28e71e9299797b6cb315b4df4

Download Submit
\Windows\SysWOW64\Cbblda32.exe

Filesize
57KB

MD5
4c729f0caf6d9f439a4b92d014988fc2

SHA1
a268fcc0dbb66ffe7262dc64507052cf41a1132c

SHA256
85eea12a3742d9a6728d93b04d025b8878268d8fa5a4eb15e1cc72e633e98b02

SHA512
a7bbe4a18e07d4859a20c46144f209f1bedd18ad6f18e828fa76d491bf4628556622303bef678472df14f8c81e590217b78a5511c04c4604ec16dddeb2447d1d

Download Submit
\Windows\SysWOW64\Ceebklai.exe

Filesize
57KB

MD5
818ac37dec04ec7035179961f22d656d

SHA1
bfc886685d1c0148f712efb7fb4c3d83b177082c

SHA256
abb873d48e681ae4c29897a854482bbc34c2596874888e7b2f18dae615adaa4e

SHA512
946a223cc8261bd200338c1b5caec0aa46a0f66a82a07df516c1eb6ce5d01f999f4b810d87c6968c9dbd69bdef15497b5b38395beed2a102f21e4ac75323913c

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
57KB

MD5
ada94e03f3f764350a6abad714e4315b

SHA1
4b46092eb534694e5b02c8bf808c5d5d73cdbaea

SHA256
a6adb7308569387283ad89fa27d99b170a1dadc18431b0c4b9ec251e1c894464

SHA512
1f911cdff6b7de5b2053fec68cdfee69cb6c7060e62f47ccc06086e2ef2fb406e2b842564f5d481b79e18a102889b1d802ea8ea958dbfc898efdf190d0c91488

Download Submit
\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
57KB

MD5
ae5f7fcb65ece82364e9d413335cd17c

SHA1
903ec6f3b5d04a2958457f3b474664d667a41581

SHA256
bd5e0dcc5d59c1f631428f05b08aa517ec207329a76f8823d75e9451efc65b03

SHA512
36a4047dd702992dc1ae4c1c4cb8688c9f145418d39a531929008db1bce9c7a9ada172b7ab1a890076ff34f31d82e837ed47ca594c45105561078ae7bf29e26b

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
57KB

MD5
ecebd072ef9bedaec6f5ff947d619791

SHA1
486f87bb7e4a5e32fe95f7937bca165bd8b98cf0

SHA256
7ce5122f06fa5895d5aca2dd2db2e30be0b88eabf896ae9cf6f8b8e7f1f9e89a

SHA512
4898a0bc3ff39b039de4a79cb33f71ad9bf7e0a7196f65bc3859fab77e8dd3578612f482ab755633289d726bb308622aaf103f498bd8a3405c12fe50e7606433

Download Submit
\Windows\SysWOW64\Ckhdggom.exe

Filesize
57KB

MD5
914d496859ef8de327d8f138c5c18fb6

SHA1
485168ba89caf0327895a141b702a1f8d89c49d8

SHA256
c1120038a808e151d9d324a51205f18d9b3a60c5476672aa105d9f1a7046838d

SHA512
ed6cb45c3e5d5ad674a8a8f199e41a7222ac4e8d099cd31f28c39c8f4894ec30c4eed8d384d692f58337c3539fc7fb01422e21090d4a67c2554a14911622bea3

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
57KB

MD5
f060d7723d50de443de85dda63456242

SHA1
c111a34c2ffb3a02d4f7e20c12fef40c1b450c13

SHA256
b2c3e532d0ba7b25eca85e916dcb15e929e164ad9dac6b2d2219facc3a9c5ffd

SHA512
d9abdb0ee2f2db2ea908865bbf16674c964be54dcd6334650e23b1c53c3a844105110151d967ce9768970ca47f98c2b10b9dd0e505d39d8f792eb22c691d4dab

Download Submit
\Windows\SysWOW64\Cmpgpond.exe

Filesize
57KB

MD5
8b3018cca9ce10143efee636588466c6

SHA1
fa383f0b2c02486ec457f1c6449c55317e6fda98

SHA256
6cba8baa28b3d9cd66a8cfda123e1f1e8b6d48610c3bbac24c1800d623254c75

SHA512
5bc8be374c125efe6028d8a40588d80ae02b9a28ac741a3cf96b8824c1586804a9a81d1ca055c51a633be7c073899e7693dc11381d7f78af283f836135de2d8c

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
57KB

MD5
bce08100395dcf6fda4d7f40fbec7ed1

SHA1
b76e4939d6324ff77bc8421415587501ab97a814

SHA256
eae003bf05acc3d0457884c74773aa0c1db61fd14f242378e92652c878445934

SHA512
6577babac3705ec1ab0fa38af72b018072ca15740d89053f6a31f37fdc665379614c443cc1c215b8a37e586548fdf6920e88e843ed083a5a126fce5c0e5a7f42

Download Submit
memory/536-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-132-0x0000000001F60000-0x0000000001F95000-memory.dmp

Filesize
212KB

Download
memory/580-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/580-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/624-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1048-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1048-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1048-169-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1348-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-13-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1720-24-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1720-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-142-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1740-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-221-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2220-67-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2220-251-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-237-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-115-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2396-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-88-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2956-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2956-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2956-195-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/3056-61-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/3056-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads