berbew | 9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9

Analysis

max time kernel
94s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
Size

96KB
MD5

336a63a540602e2f1786152739e51db8
SHA1

41d6ab7b10db5e789ad82faf8098e17c8276b1f3
SHA256

9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9
SHA512

3f02fc811f92485f876cad216dae0338b9ede72edb8ab2224dcb0900f5ab275d003354a454e3030fbd522eab15f8bfc0e52af13127d42375e22fb2247236efb5
SSDEEP

1536:+6KN54eWrFsN3nawDiEWXDtBxdLYfBreyE5JulyOiF2LT7RZObZUUWaegPYAC:+6e4PG3ntiEWXJF0U/2TClUUWaen

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 18 IoCs

pid	Process
2472	Bnknoogp.exe
2752	Bgcbhd32.exe
2792	Bjbndpmd.exe
2696	Bbmcibjp.exe
2888	Bkegah32.exe
2736	Cenljmgq.exe
1236	Cmedlk32.exe
1984	Cnfqccna.exe
2804	Cileqlmg.exe
1680	Cpfmmf32.exe
1148	Cebeem32.exe
1036	Cjonncab.exe
2252	Caifjn32.exe
2140	Cgcnghpl.exe
2188	Cmpgpond.exe
1128	Cgfkmgnj.exe
1596	Dmbcen32.exe
1308	Dpapaj32.exe

Loads dropped DLL 39 IoCs

pid	Process
2520	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
2520	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
2472	Bnknoogp.exe
2472	Bnknoogp.exe
2752	Bgcbhd32.exe
2752	Bgcbhd32.exe
2792	Bjbndpmd.exe
2792	Bjbndpmd.exe
2696	Bbmcibjp.exe
2696	Bbmcibjp.exe
2888	Bkegah32.exe
2888	Bkegah32.exe
2736	Cenljmgq.exe
2736	Cenljmgq.exe
1236	Cmedlk32.exe
1236	Cmedlk32.exe
1984	Cnfqccna.exe
1984	Cnfqccna.exe
2804	Cileqlmg.exe
2804	Cileqlmg.exe
1680	Cpfmmf32.exe
1680	Cpfmmf32.exe
1148	Cebeem32.exe
1148	Cebeem32.exe
1036	Cjonncab.exe
1036	Cjonncab.exe
2252	Caifjn32.exe
2252	Caifjn32.exe
2140	Cgcnghpl.exe
2140	Cgcnghpl.exe
2188	Cmpgpond.exe
2188	Cmpgpond.exe
1128	Cgfkmgnj.exe
1128	Cgfkmgnj.exe
1596	Dmbcen32.exe
1596	Dmbcen32.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe

Drops file in System32 directory 56 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
928	1308	WerFault.exe	48

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2472	2520	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe	31
PID 2520 wrote to memory of 2472	2520	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe	31
PID 2520 wrote to memory of 2472	2520	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe	31
PID 2520 wrote to memory of 2472	2520	9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe	31
PID 2472 wrote to memory of 2752	2472	Bnknoogp.exe	32
PID 2472 wrote to memory of 2752	2472	Bnknoogp.exe	32
PID 2472 wrote to memory of 2752	2472	Bnknoogp.exe	32
PID 2472 wrote to memory of 2752	2472	Bnknoogp.exe	32
PID 2752 wrote to memory of 2792	2752	Bgcbhd32.exe	33
PID 2752 wrote to memory of 2792	2752	Bgcbhd32.exe	33
PID 2752 wrote to memory of 2792	2752	Bgcbhd32.exe	33
PID 2752 wrote to memory of 2792	2752	Bgcbhd32.exe	33
PID 2792 wrote to memory of 2696	2792	Bjbndpmd.exe	34
PID 2792 wrote to memory of 2696	2792	Bjbndpmd.exe	34
PID 2792 wrote to memory of 2696	2792	Bjbndpmd.exe	34
PID 2792 wrote to memory of 2696	2792	Bjbndpmd.exe	34
PID 2696 wrote to memory of 2888	2696	Bbmcibjp.exe	35
PID 2696 wrote to memory of 2888	2696	Bbmcibjp.exe	35
PID 2696 wrote to memory of 2888	2696	Bbmcibjp.exe	35
PID 2696 wrote to memory of 2888	2696	Bbmcibjp.exe	35
PID 2888 wrote to memory of 2736	2888	Bkegah32.exe	36
PID 2888 wrote to memory of 2736	2888	Bkegah32.exe	36
PID 2888 wrote to memory of 2736	2888	Bkegah32.exe	36
PID 2888 wrote to memory of 2736	2888	Bkegah32.exe	36
PID 2736 wrote to memory of 1236	2736	Cenljmgq.exe	37
PID 2736 wrote to memory of 1236	2736	Cenljmgq.exe	37
PID 2736 wrote to memory of 1236	2736	Cenljmgq.exe	37
PID 2736 wrote to memory of 1236	2736	Cenljmgq.exe	37
PID 1236 wrote to memory of 1984	1236	Cmedlk32.exe	38
PID 1236 wrote to memory of 1984	1236	Cmedlk32.exe	38
PID 1236 wrote to memory of 1984	1236	Cmedlk32.exe	38
PID 1236 wrote to memory of 1984	1236	Cmedlk32.exe	38
PID 1984 wrote to memory of 2804	1984	Cnfqccna.exe	39
PID 1984 wrote to memory of 2804	1984	Cnfqccna.exe	39
PID 1984 wrote to memory of 2804	1984	Cnfqccna.exe	39
PID 1984 wrote to memory of 2804	1984	Cnfqccna.exe	39
PID 2804 wrote to memory of 1680	2804	Cileqlmg.exe	40
PID 2804 wrote to memory of 1680	2804	Cileqlmg.exe	40
PID 2804 wrote to memory of 1680	2804	Cileqlmg.exe	40
PID 2804 wrote to memory of 1680	2804	Cileqlmg.exe	40
PID 1680 wrote to memory of 1148	1680	Cpfmmf32.exe	41
PID 1680 wrote to memory of 1148	1680	Cpfmmf32.exe	41
PID 1680 wrote to memory of 1148	1680	Cpfmmf32.exe	41
PID 1680 wrote to memory of 1148	1680	Cpfmmf32.exe	41
PID 1148 wrote to memory of 1036	1148	Cebeem32.exe	42
PID 1148 wrote to memory of 1036	1148	Cebeem32.exe	42
PID 1148 wrote to memory of 1036	1148	Cebeem32.exe	42
PID 1148 wrote to memory of 1036	1148	Cebeem32.exe	42
PID 1036 wrote to memory of 2252	1036	Cjonncab.exe	43
PID 1036 wrote to memory of 2252	1036	Cjonncab.exe	43
PID 1036 wrote to memory of 2252	1036	Cjonncab.exe	43
PID 1036 wrote to memory of 2252	1036	Cjonncab.exe	43
PID 2252 wrote to memory of 2140	2252	Caifjn32.exe	44
PID 2252 wrote to memory of 2140	2252	Caifjn32.exe	44
PID 2252 wrote to memory of 2140	2252	Caifjn32.exe	44
PID 2252 wrote to memory of 2140	2252	Caifjn32.exe	44
PID 2140 wrote to memory of 2188	2140	Cgcnghpl.exe	45
PID 2140 wrote to memory of 2188	2140	Cgcnghpl.exe	45
PID 2140 wrote to memory of 2188	2140	Cgcnghpl.exe	45
PID 2140 wrote to memory of 2188	2140	Cgcnghpl.exe	45
PID 2188 wrote to memory of 1128	2188	Cmpgpond.exe	46
PID 2188 wrote to memory of 1128	2188	Cmpgpond.exe	46
PID 2188 wrote to memory of 1128	2188	Cmpgpond.exe	46
PID 2188 wrote to memory of 1128	2188	Cmpgpond.exe	46

C:\Users\Admin\AppData\Local\Temp\9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe
"C:\Users\Admin\AppData\Local\Temp\9a63cebe57ed4078042077d15840078a6a69e1d11a63e16637733f28eafb5ac9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\Bnknoogp.exe
  C:\Windows\system32\Bnknoogp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\Bgcbhd32.exe
    C:\Windows\system32\Bgcbhd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\Bjbndpmd.exe
      C:\Windows\system32\Bjbndpmd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 144
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
96KB

MD5
2fb71bb98771a017ca58dda6a0a204d8

SHA1
9afba1625121ccc448a66fdf6986e31e6123ac89

SHA256
93a4ea49164ed5f7bfec08a54513bd6f01fe1c26943f425baa1a4b5b62aa25cb

SHA512
5b1a9921bb6da6e201f46ce75e99d5ebf47399220d0472de6a6b295417196c5e933e91ab722292998b7cdee4414cb19f4d4a4529832931bca3f9e4e4f496bbe3

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
96KB

MD5
4d83a01f2208b3dda3d9fbbea60da52b

SHA1
559259072837d0c94ec5afe0ee43c28310f98441

SHA256
c94217cf806a1c1caf5377025aaa948faff75b8b225f670853105da1443aadf2

SHA512
98c6170d4e6a2c83037eceb6bd6c247cbe8cba12fc8ea282b93faf1b820ddc3f956891a39287beaadde60291351d65039fb9469b6b1d268295357eb018a14129

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
96KB

MD5
5beae2be4188fbb22a861545e0dbc724

SHA1
b964ad97042da057140c92c348e1701b2c649f71

SHA256
220f2bae467a40d8d82bc634454654db1ede97888c0ca670a677726927d7cb64

SHA512
86856c822186ee7ca78054c1bbc8be6e610d1a26571f3e8f893443b8dc1c62939001dbb45dda61d7f61b76bbb192b0a2e81a2ac712f24d5710f56aff850742a5

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
31991f542c84597857cdcf9be0a25fb5

SHA1
170bce8a69133d7e818480628bc08e955ca64783

SHA256
a3114d5123c677b4c5a6514ac6a99d0c08fb7e955f714a90ac1a4ddf78386319

SHA512
78e75b37ecb10f2e3d1677ca7e552937ba51f223e53ee136eb28bfe41efa98e70bff45acd8ea885f82383980d76cf63678effe02bb8856bbc91e8bcdd569ebf9

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
96KB

MD5
1d4dffb8b05b28b29f069d8789780163

SHA1
1b64b85ff6e5176ccee70f7479f14fd1296dacf4

SHA256
4b8ec9fd6cecfa89ffbc04c08fc251643a1d78b91776871ef01cfbedd6991f98

SHA512
d2ff62459f1cd494aa2492422f1c985443b3c16ea1d662c9604426062100403d0b21f0863a41f4c597b7dc665f4d4180e992379cb6713f925cdf5a679811667d

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
96KB

MD5
3f33c0eacd131fa58ba13f2efc9fd3f6

SHA1
b58509126cb2846902c105dec06d53ef12fa144c

SHA256
46190edf62e68dcaab07d4da41f0fd122a11ac0f53223d2c14c180fef6890d70

SHA512
ed29fd0b7fba7b5ccce5ed823cd4abf1c3ffcecf4e4679dbecaab13b871414f9f765db680542cf034aaa7df420c494417ab4b65e1ad0d12e7b603514708c49bb

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
091ae6d7682baac6b4083ba05dee5636

SHA1
bf015a1e2ff016220f06946d4fd016120486231a

SHA256
e7393b5bb27c5256e9bfc0e055bbb054e4b3a6a3169455d23c536b6c25c02b93

SHA512
c355f292c31a706f5c163c82cc46d3f6e6de562764104263753c477ca78ee5f81888769c77563901011803bdde019bf437bc254006889132571091d553edf81f

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
96KB

MD5
d7d1a0375a929cf54880f0942c5b938e

SHA1
050326bd2e174947e5eed093026d66109768ceb3

SHA256
ba1d0ff4420e90445dad3a7b49e9dabe255acef3c1639119496ba02981a2d890

SHA512
11187def87d7aa0dd5d225265a80bf50ecf3e1e804394f390a3523613920781b9b453a0f4066acd1d8e29da047eddd52727c45188fa011931a52a2951424ee64

Download Submit
\Windows\SysWOW64\Bgcbhd32.exe

Filesize
96KB

MD5
1c5363afbd0ded774fea39ad0817846a

SHA1
e04898293d8fd89d7155718629b4b2790ed2b52c

SHA256
5724fdae33cbb746430bbb221424a4f92c8c93983368f238e241eeda3475a348

SHA512
471223a093468d1396e3ee6f6426445e59ca6905158de075458b4c1b03dbc6c759caed71d326502885a8c4de456099b9b0b674f7b560cbe507eed748ce519b56

Download Submit
\Windows\SysWOW64\Bkegah32.exe

Filesize
96KB

MD5
fa8b6ac8101ea0bca66e7117b571d709

SHA1
c479fbdfabc9e436089dcc3b2004bc61be84854c

SHA256
a4500efbac4da9e7d5864bc74a48fd7718f504bea358696b88d04fd224b42d2e

SHA512
2c96e78bb6ad65656060150c702aa1ad3f9ec18db76f45cca9786044b53db30131054a4941fdb1e65d9fbf6eaaa7865f608ed33f2993b30ed1e13911c881c964

Download Submit
\Windows\SysWOW64\Bnknoogp.exe

Filesize
96KB

MD5
11d72d2dbafa18d3ed74d7a72f915994

SHA1
6ed53a646616b436834f22d93c9c1427af27deaf

SHA256
b7ceb0de43e96ec8b991ff0a4a44eee24935664739c286aaba73d5485fd55059

SHA512
eb050dd6aa764c7915d7892e8727e1385a7ed09be35245bff6b726f144774c09189b46e4fd8f0ef7c1f6afa88ca5cc379b21cf6e087cb7e2ee24477f7a2fb20e

Download Submit
\Windows\SysWOW64\Caifjn32.exe

Filesize
96KB

MD5
81521593303c844ba9db6095168ffdc1

SHA1
5024c78ffb4f2bea83840cd39eed7c8f229f8df8

SHA256
1f7d5feb8cd187f88b03b1b0d6cc5a053bf782ae918cafbad69da36a5b5d2bab

SHA512
dc9879c1966468766fcb9b0803a5dbdf8ddc3fa4310fea65755da8114549a27a0ad42971492a07749ff4e40d22d039ca5d592deb04237297f2ef8fd2a9bff36b

Download Submit
\Windows\SysWOW64\Cebeem32.exe

Filesize
96KB

MD5
20dfd7cc608d828b24aa38fb5be26a44

SHA1
c0c5ce30e6e75ed5092355caa00b086da6973804

SHA256
5e49956feb695802a438cdba8888d28632a9efc2fb74af4c62a04897f7d2d743

SHA512
dfb61aceb9fe1ec20b5cb2b11a854559fd0d75a30eaa22ef601c0d89ba4c00964d6f250be27767c13a95a3c1892ba7e8f584ee6b0660b1f9eb977ef7d0813283

Download Submit
\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
96KB

MD5
d3491673ea933dd255a861eb5dab5ebf

SHA1
5098d5a2f6ba8ed34321e6f88199e41742b0c185

SHA256
8261f976690bfc097970dfb5f3e2369083b78d8d8d35b3b7d3a9df3157a9621f

SHA512
2cb9ec496e95a5950bc2ca4e7b78a660e4e480a51a0be339e504d12286364c676c9ba269521512598edf5ce62908bab56c94d5205be78a5445ae3d25423ab931

Download Submit
\Windows\SysWOW64\Cileqlmg.exe

Filesize
96KB

MD5
6e1c411000050a27b005dfc3e5cd9278

SHA1
281ff783c625bfd0a72c32a325d7d0f80447cce5

SHA256
959fbe20e503e48cd873abaff6f1f30ec25d746654ba4a2865b6f54b0e38db67

SHA512
ff89124aa0c8c64feffc05fccfd792d02dfa28fe22da17c898614645110dc66d484af20f7529316c777a9add18839db300798b4ffeaa6a9eddb02d769d5b2641

Download Submit
\Windows\SysWOW64\Cjonncab.exe

Filesize
96KB

MD5
3facc83c30e64ec960b1d09b2894b193

SHA1
b43b116a90cfc0391caaa9fe503ae524079c5733

SHA256
5fabb2098a23298fc813ded3cc4c4c1ae4f4a7302a49ea35cffeeb9d1eed3072

SHA512
b86e027fda6e13f125221599b0fc5ad1d02512887ff73a6687af3f71e332a65c06503955130932274d1811f1b1183264cfea58a40f7cc94eecfd45dbd2c8dabc

Download Submit
\Windows\SysWOW64\Cmedlk32.exe

Filesize
96KB

MD5
9e5cb8ddb9f395502760a9237112b714

SHA1
89fdcc1a1cc6e665ff38c72dae281a0a32805594

SHA256
436123b2085885eaebc3576c5577e7eb71d69f9129aa29d8cda0747ce4504f54

SHA512
a7dc64b20c43e37248d452a47ea41deebfa08d6b5825b734f2bb3f8c6c99a90087d36df9c043a197c8b37737d1b4f7ae883ba088252b94073a5906751f7eb76e

Download Submit
\Windows\SysWOW64\Cmpgpond.exe

Filesize
96KB

MD5
b583c537fc0fe0e844c14c76ca9ed929

SHA1
38a7b991adaef20d168c27215e930de11899efcf

SHA256
753ed7241bfb8f66028c2a3cac5aa7e27343ec8b20011a24d6ba5e543f52b26e

SHA512
29d5c4964c2d82cdd35433ed22320dbb58a09b69fac84091a570cb085c91bee4f0f7115a7776d647331f2dbed67e1b73843945d9a30641a2dbd66cba074ca48f

Download Submit
memory/1036-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-175-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1036-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-227-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1148-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-143-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1680-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-117-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2140-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-198-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2188-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-25-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2520-12-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2520-7-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2520-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-62-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2696-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-90-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2752-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2752-35-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2752-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads