berbew | e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
Size

64KB
MD5

ed7950b1d8225b990506c2dfb148c38c
SHA1

bf31d876a94b7182f342b822e24392a4fcd48170
SHA256

e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79
SHA512

7c21ba5bb8bb7a36101924e82720daf06affe5735441c6b9aa44bd5a4d47d826e1a60b96c599972290520efc07e32a91199fd05672023a94a3be7e18ccc3cef1
SSDEEP

1536:Hqxmaj2VIuF+tTvwfSlLBsLnVLdGUHyNwW:HMPjI+tEfSlLBsLnVUUHyNwW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 20 IoCs

pid	Process
884	Bccmmf32.exe
2780	Bniajoic.exe
1508	Bfdenafn.exe
2820	Bmnnkl32.exe
2600	Boljgg32.exe
2404	Bjbndpmd.exe
2984	Boogmgkl.exe
2268	Bjdkjpkb.exe
2816	Coacbfii.exe
1864	Cfkloq32.exe
1224	Ckhdggom.exe
1944	Cepipm32.exe
2316	Cpfmmf32.exe
1696	Cgaaah32.exe
2364	Cbffoabe.exe
1784	Cgcnghpl.exe
1900	Cjakccop.exe
1704	Cgfkmgnj.exe
1480	Djdgic32.exe
632	Dpapaj32.exe

Loads dropped DLL 43 IoCs

pid	Process
2860	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
2860	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
884	Bccmmf32.exe
884	Bccmmf32.exe
2780	Bniajoic.exe
2780	Bniajoic.exe
1508	Bfdenafn.exe
1508	Bfdenafn.exe
2820	Bmnnkl32.exe
2820	Bmnnkl32.exe
2600	Boljgg32.exe
2600	Boljgg32.exe
2404	Bjbndpmd.exe
2404	Bjbndpmd.exe
2984	Boogmgkl.exe
2984	Boogmgkl.exe
2268	Bjdkjpkb.exe
2268	Bjdkjpkb.exe
2816	Coacbfii.exe
2816	Coacbfii.exe
1864	Cfkloq32.exe
1864	Cfkloq32.exe
1224	Ckhdggom.exe
1224	Ckhdggom.exe
1944	Cepipm32.exe
1944	Cepipm32.exe
2316	Cpfmmf32.exe
2316	Cpfmmf32.exe
1696	Cgaaah32.exe
1696	Cgaaah32.exe
2364	Cbffoabe.exe
2364	Cbffoabe.exe
1784	Cgcnghpl.exe
1784	Cgcnghpl.exe
1900	Cjakccop.exe
1900	Cjakccop.exe
1704	Cgfkmgnj.exe
1704	Cgfkmgnj.exe
1480	Djdgic32.exe
1480	Djdgic32.exe
1856	WerFault.exe
1856	WerFault.exe
1856	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bniajoic.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Coacbfii.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cgaaah32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dfkhndca.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dfkhndca.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1856	632	WerFault.exe	50

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 884	2860	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe	31
PID 2860 wrote to memory of 884	2860	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe	31
PID 2860 wrote to memory of 884	2860	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe	31
PID 2860 wrote to memory of 884	2860	e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe	31
PID 884 wrote to memory of 2780	884	Bccmmf32.exe	32
PID 884 wrote to memory of 2780	884	Bccmmf32.exe	32
PID 884 wrote to memory of 2780	884	Bccmmf32.exe	32
PID 884 wrote to memory of 2780	884	Bccmmf32.exe	32
PID 2780 wrote to memory of 1508	2780	Bniajoic.exe	33
PID 2780 wrote to memory of 1508	2780	Bniajoic.exe	33
PID 2780 wrote to memory of 1508	2780	Bniajoic.exe	33
PID 2780 wrote to memory of 1508	2780	Bniajoic.exe	33
PID 1508 wrote to memory of 2820	1508	Bfdenafn.exe	34
PID 1508 wrote to memory of 2820	1508	Bfdenafn.exe	34
PID 1508 wrote to memory of 2820	1508	Bfdenafn.exe	34
PID 1508 wrote to memory of 2820	1508	Bfdenafn.exe	34
PID 2820 wrote to memory of 2600	2820	Bmnnkl32.exe	35
PID 2820 wrote to memory of 2600	2820	Bmnnkl32.exe	35
PID 2820 wrote to memory of 2600	2820	Bmnnkl32.exe	35
PID 2820 wrote to memory of 2600	2820	Bmnnkl32.exe	35
PID 2600 wrote to memory of 2404	2600	Boljgg32.exe	36
PID 2600 wrote to memory of 2404	2600	Boljgg32.exe	36
PID 2600 wrote to memory of 2404	2600	Boljgg32.exe	36
PID 2600 wrote to memory of 2404	2600	Boljgg32.exe	36
PID 2404 wrote to memory of 2984	2404	Bjbndpmd.exe	37
PID 2404 wrote to memory of 2984	2404	Bjbndpmd.exe	37
PID 2404 wrote to memory of 2984	2404	Bjbndpmd.exe	37
PID 2404 wrote to memory of 2984	2404	Bjbndpmd.exe	37
PID 2984 wrote to memory of 2268	2984	Boogmgkl.exe	38
PID 2984 wrote to memory of 2268	2984	Boogmgkl.exe	38
PID 2984 wrote to memory of 2268	2984	Boogmgkl.exe	38
PID 2984 wrote to memory of 2268	2984	Boogmgkl.exe	38
PID 2268 wrote to memory of 2816	2268	Bjdkjpkb.exe	39
PID 2268 wrote to memory of 2816	2268	Bjdkjpkb.exe	39
PID 2268 wrote to memory of 2816	2268	Bjdkjpkb.exe	39
PID 2268 wrote to memory of 2816	2268	Bjdkjpkb.exe	39
PID 2816 wrote to memory of 1864	2816	Coacbfii.exe	40
PID 2816 wrote to memory of 1864	2816	Coacbfii.exe	40
PID 2816 wrote to memory of 1864	2816	Coacbfii.exe	40
PID 2816 wrote to memory of 1864	2816	Coacbfii.exe	40
PID 1864 wrote to memory of 1224	1864	Cfkloq32.exe	41
PID 1864 wrote to memory of 1224	1864	Cfkloq32.exe	41
PID 1864 wrote to memory of 1224	1864	Cfkloq32.exe	41
PID 1864 wrote to memory of 1224	1864	Cfkloq32.exe	41
PID 1224 wrote to memory of 1944	1224	Ckhdggom.exe	42
PID 1224 wrote to memory of 1944	1224	Ckhdggom.exe	42
PID 1224 wrote to memory of 1944	1224	Ckhdggom.exe	42
PID 1224 wrote to memory of 1944	1224	Ckhdggom.exe	42
PID 1944 wrote to memory of 2316	1944	Cepipm32.exe	43
PID 1944 wrote to memory of 2316	1944	Cepipm32.exe	43
PID 1944 wrote to memory of 2316	1944	Cepipm32.exe	43
PID 1944 wrote to memory of 2316	1944	Cepipm32.exe	43
PID 2316 wrote to memory of 1696	2316	Cpfmmf32.exe	44
PID 2316 wrote to memory of 1696	2316	Cpfmmf32.exe	44
PID 2316 wrote to memory of 1696	2316	Cpfmmf32.exe	44
PID 2316 wrote to memory of 1696	2316	Cpfmmf32.exe	44
PID 1696 wrote to memory of 2364	1696	Cgaaah32.exe	45
PID 1696 wrote to memory of 2364	1696	Cgaaah32.exe	45
PID 1696 wrote to memory of 2364	1696	Cgaaah32.exe	45
PID 1696 wrote to memory of 2364	1696	Cgaaah32.exe	45
PID 2364 wrote to memory of 1784	2364	Cbffoabe.exe	46
PID 2364 wrote to memory of 1784	2364	Cbffoabe.exe	46
PID 2364 wrote to memory of 1784	2364	Cbffoabe.exe	46
PID 2364 wrote to memory of 1784	2364	Cbffoabe.exe	46

C:\Users\Admin\AppData\Local\Temp\e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe
"C:\Users\Admin\AppData\Local\Temp\e8985fbf1a5d1239668e029a8f41c3208e28308e990c3e9e7b3a104f09449d79.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\Bccmmf32.exe
  C:\Windows\system32\Bccmmf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\Bniajoic.exe
    C:\Windows\system32\Bniajoic.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\Bfdenafn.exe
      C:\Windows\system32\Bfdenafn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 144
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
64KB

MD5
d6d14986a0d03ef14b8207a9dc147656

SHA1
fb6ae790d7aba84b2d49f9f527db8fab48374342

SHA256
a81c9f3ee25bf9f5ab9473bfbb8f22d9f13c0d86cfb3e108b0dd35cd0caf6a9e

SHA512
5ac737389151dfab3a3a09be0c89102c08cfdd0d995ba145330b534018d3a12bbf2661843fb8495d482aef2c3a1711f5e7713e6f0c5a41bcbb54942d4472dd83

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
64KB

MD5
e1268504f9d3cfeb2e5a6d4f0b4ebf37

SHA1
db0f148a2f06079dcfa91429c02ea599c63cd868

SHA256
74eb9c5fe1444ed5229d8ea46046ff2a45345c95b7aeb5f6734b4c0dc124fc1e

SHA512
7ee1c79fc406d45ff78ef86404065c0939514a45090a608ff8a285b0777e0e9b415ce4f9fa0effcb346d1527dee3c5731b3a9af0d64f83a9bca66007c1763c68

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
64KB

MD5
a6f96a7db3db050946232f7120ccd57a

SHA1
19f9733f8764a3248dec5eb77d4f73a430e68bf7

SHA256
81d79128c1ce29a72d7b4690fff0bee9a44034db5d36f4301fd103afb027cb0a

SHA512
607a075261dec629c3ed81373807e6fbf4363339c7d174b35512df71dda60e1d6f6d2b8de62726caa2f2867304ef13e1eacb67f8467705ebe258e825150f99c8

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
64KB

MD5
375914b8ab068a1654192afafa126eb9

SHA1
1a03e2f5259d97738ec6e7af4ff7de93a6045304

SHA256
690411f98068c8acc80d7db827592473ce30dde04399d4d3377faf5098143b9a

SHA512
0d1f61aea9c09fa93bd3d6e442b3e801732aa3b48f9e84362ff95d5338e43d6446995c81cc07bd690224773d48d8a048462088bfec9a1d888e32c4ca2a1d1fe9

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
64KB

MD5
21af2f579bda9a6ef4bbb83085be3395

SHA1
d6df01020b99080bfb319179e8db4e5c76334ccf

SHA256
f9f9f5d47bfb85a88298d29732672e3ae1998840ce09915ff058d7259d6720d5

SHA512
edf0d1a2949c7ec3c330a9731115c2627a79dd51c46f3945f70725c53c6bcb97163b5cdcd6f4d4214cfae62967d0bfeaa0cfb2bd9a735beb9f64153d554cbf94

Download Submit
\Windows\SysWOW64\Bccmmf32.exe

Filesize
64KB

MD5
b2bdec88ab9e37426c0f8c95d172ef7c

SHA1
2b5e4b7861b963680a61442b70dd191f4a9e896d

SHA256
4dc672e9c0d5c307f926971e6e0a6aa4204c4f535b81aaf410c76cce993d3dd5

SHA512
0f41d3fe559a2f5ea8e49f4f9587e7b96745c109819f3502be7a8f6105155c71ffe011bdf2b1b0daa756185cbc0e88f03c080710cd215ff65eab9c88067cfd08

Download Submit
\Windows\SysWOW64\Bjbndpmd.exe

Filesize
64KB

MD5
143cd7e40866a108bc569944a7ffbf10

SHA1
be1d075e2e256b4b3624b72626cfad702cbdb03e

SHA256
1236966feac196b28395a3371cca9f9df828c771096423b2bd07aa5155d1b260

SHA512
9a392e83b38874a92ab654f7c09422b0fe4653b40b1bf26e1472198ca14f72b4c44dc7ad69ba4522abd542c22c9625e8a471731e5ac7804ed1c1d0791617feca

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
64KB

MD5
f10673f6bd21c9ac4debe3c189a53fcf

SHA1
6839ae8d56f7aa6107c21212b74551b6bfd7e2f9

SHA256
4e78a88ee6ef2a6b6c2f9717b86ed3ee6b43d7e5a794d07546a59638b318f0be

SHA512
b516958bd56b3b57eee4b9fe2fb6cb635b167764a9718a1d27aed1e83b369e79e59431b2a8223f016928fdc6cc647332dce41a93fbeed76c03c1aa025b9d4b71

Download Submit
\Windows\SysWOW64\Bmnnkl32.exe

Filesize
64KB

MD5
c83adad19c6280302d48bf33d8a9c6e2

SHA1
848282b5fb3c9d8f8fc95f0befc213ab159564e7

SHA256
eabe3809eec3627e5d580a5bcfcb0ff49f7510fc74b221f131e47353c5657d3e

SHA512
c785a2d71bb27186e0b0114996528b1d94c53eaa5b3d748619c7e572b18352a6f2c09e6eabeb68b51775d67af1ef2a38df86672f8b23c5f3da3ceaf9faf17acc

Download Submit
\Windows\SysWOW64\Bniajoic.exe

Filesize
64KB

MD5
77d43b2e2dab69aa5ca6ccfe81d12812

SHA1
06468eb10f109db23a4dc5ec290db55d1afcfc9b

SHA256
96c2460b14c9458a6d64c350feeb9d79aa9473e947d842b6c1564c6eb8669bef

SHA512
3a6d7c34157210a9b6cc57c17e3e35bbeb66ad0edf0a4bfc313c395c79eae13865e488e1e8aee7716f7e0486523b067549225beb1d6ecfe066d597fb67a91268

Download Submit
\Windows\SysWOW64\Boljgg32.exe

Filesize
64KB

MD5
c7d0147bf5478243855c0e0033d91141

SHA1
4d2728c3d2662ef244819121e5f98cf8d1d842c2

SHA256
74999371ff4fad8d49634e5641a670ae57d3bf8c996aad14fa131272d1f2a949

SHA512
449ef6176ede8e239b160c108ae34eedb02bb860df1175830b02f52a5559486ee3f756f1b4e8dbb3f0eddcefcfe9612989befa92a0969b0a7efcb8e71ce33bf4

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
64KB

MD5
c01d530fd2ed8a115231f271b1150d2a

SHA1
5195961bd2da890828df4c3e14d7fb2e83a0d1f8

SHA256
d0c24c4633b2fbc02ffdec772b2c259898dd8e3a836e721946cca9b1448b9f6c

SHA512
9221e740688b0452ad324d62fd0d43ad8048732afcb698c5004af3acd7df9990bbd56318da359e5254727e291413ac421a9c96d3faeb2426bd5ead5746cc5f82

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
64KB

MD5
d273d80f753b4dc12b2c63d66f2100d8

SHA1
d096d07237274839d5e67b4223a0ab68ba9cd355

SHA256
144935c4df55bfe519e862d24e917eb0ee13f9d00ed47b467d7a374671b10520

SHA512
cccda9f1190b48c7180edaceb96ffb00869a05f99dd4bc4fac2dc2cc4e4e08e0424c939a6d36936eaf700f8a6e3c56a86d5894271288e65bc2700a8b4ab87764

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
64KB

MD5
98bc2eedd31abab97860eab96e74d590

SHA1
60b9bc0b2038c5b9595d80bc327718e78f3b11f4

SHA256
f9c71627782bef5224d5851be9fcf37539f1656bf528b0f8f3e6366b25aef737

SHA512
267e2761b6d6bbb511c6d7925158d2bf51c0fea60725b54d2a9071bf01978ee734673c6a98358db55ec96e811361dfb2783c277b1601b8956a543928002d22a7

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
64KB

MD5
1ea284621749678e51791e80439ff00f

SHA1
d797d2f86e7856613ccbc2af033350d1cb236948

SHA256
74c6bd4e2d5809903790df33de18a2186006eec21fdf13df5c6124dd28479a34

SHA512
73796310acfff7fbdb3311752013684f01bd037ce2a93f8b8f4914c2081de743146fbb1f13db562532483a81f3ca4313c7d5ac9a07c8aa6fe9ab310fa7753c9a

Download Submit
\Windows\SysWOW64\Cgaaah32.exe

Filesize
64KB

MD5
704052b3b34c946fe5f7e78777f39978

SHA1
df77a352208fdc914db4da1896b002f066f2a3e2

SHA256
f92e9891da04dc218223332c7cf7e5f84a331f7cd775bbdea0ba07a8ce380a1b

SHA512
a563fffa57263a222289dde92af55d74847e2e9d3ce98c2e59bce41f15a6f2dfa9d20f0c16581f6bcb85a0eb7cf9378119416c71ccccff3fdc4962e55d2823ba

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
64KB

MD5
7830ce9da4197f27f9aa1b17a46a1513

SHA1
db0fe3a165d3351d5310c65bead532d0e569888c

SHA256
43fb03f7397aaed7dc3c3462836fed5773fe9e9b8ed0513b6d504ba853140d53

SHA512
bc13da0fed53118281393abaaba9bfcf0948ea68acbfe8bf414c2e5c7b7af29c33eefdd7936f609a1c44c8b2d1ff440580097b16cb32146a8fc3b13f79e8f80d

Download Submit
\Windows\SysWOW64\Ckhdggom.exe

Filesize
64KB

MD5
c6cdd84a3d60badef63ae7871bd6e90e

SHA1
e8bb9ae3468de2038c7ca10e0040d825bdc27c73

SHA256
87b834f22abdbebe1f522fe768eed201b03ac8a3d843c674e69d1c502335a577

SHA512
db6b9b572753ebf7f6bd3d8975c85df36aca69a09eb8695c642898c73dcdf90dcab0a372d3b0b47f3199184bbab4d7037799d0fe2611bdcc4d3137b9c36dca9d

Download Submit
\Windows\SysWOW64\Coacbfii.exe

Filesize
64KB

MD5
f8085845be04a217cda32c25bb6ff283

SHA1
6e7c3271e548f2b6681665ed41a464b744649e82

SHA256
9aa8652a0f788212ac236693005021cdffee9f4de61cb537bccb738cdca3fe57

SHA512
92b440d76e73526e4a1d2bc53c2fc207b99dc9edf7e201ae53384a0bf99992e5cf6cf00dc96ba9da63962463c478c2e9cfb53de9379ab7bb4f9b02bc700ee814

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
64KB

MD5
461e7a10b0307441a9852e64ef9f05cb

SHA1
bf7aa3f07bb9e6d96527f735790fc930c486ac20

SHA256
abf614bf2bc0c54bf899fc395b776a87f0af2cfd685ae5ae99b71c75e8947d37

SHA512
4099a94abc36bc8928dab58d1cab7f0fd9d8b5a0a328a2ebc4edb1378531a74ef8e2caacb8cce31c3a2042c67531d514d2bb5c3bfe34e638ce4c8571aebb6791

Download Submit
memory/632-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-22-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1224-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1224-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-250-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1508-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-53-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1696-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-244-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1704-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-231-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1944-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-169-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1944-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-182-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2364-201-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-208-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2364-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2404-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2404-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-80-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2780-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-130-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2816-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-18-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2860-17-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2984-106-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2984-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads