Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:09
Static task: static1
Behavioral task: behavioral1
  Sample: a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
  Resource: win10v2004-20241007-en
General
Target: a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
Size: 71KB
MD5: 6685c9fe331d440e05cccbd11367378d
SHA1: 8323ca8b66a5076e41e82a4425c7d209a446a408
SHA256: a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845
SHA512: 29804f1267773d14036b5bc2697e6b19bb92c6c7e0a8cacadb7fda29d795494484e2c5d06d6a05f4e172b5de6588c2c739a0d8b248a76a8724e0172a29e15a79
SSDEEP: 1536:WArBT0b3AGgY5uUVJhWsaco9JRQEDbEyRCRRRoR4Rk:WArBTitrWsWJeCEy032ya
Malware Config
Extracted: berbew
  http://viruslist.com/wcmd.txt
  http://viruslist.com/ppslog.php
  http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 22 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdoajb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnielm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfpnmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bfpnmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bhhpeafc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Baadng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Baadng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cdoajb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Beejng32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Behgcf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmclhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bmclhi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bonoflae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bonoflae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Behgcf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhhpeafc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Blkioa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bnielm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Beejng32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blkioa32.exe
Berbew family
Executes dropped EXE (11 IoCs)
pid | process
2796 | Blkioa32.exe
2756 | Bnielm32.exe
2940 | Bfpnmj32.exe
2192 | Beejng32.exe
768 | Bonoflae.exe
808 | Behgcf32.exe
2880 | Bmclhi32.exe
2116 | Bhhpeafc.exe
2060 | Baadng32.exe
1936 | Cdoajb32.exe
1800 | Cacacg32.exe
Loads dropped DLL (26 IoCs)
pid | process
2924 | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
2924 | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
2796 | Blkioa32.exe
2796 | Blkioa32.exe
2756 | Bnielm32.exe
2756 | Bnielm32.exe
2940 | Bfpnmj32.exe
2940 | Bfpnmj32.exe
2192 | Beejng32.exe
2192 | Beejng32.exe
768 | Bonoflae.exe
768 | Bonoflae.exe
808 | Behgcf32.exe
808 | Behgcf32.exe
2880 | Bmclhi32.exe
2880 | Bmclhi32.exe
2116 | Bhhpeafc.exe
2116 | Bhhpeafc.exe
2060 | Baadng32.exe
2060 | Baadng32.exe
1936 | Cdoajb32.exe
1936 | Cdoajb32.exe
1304 | WerFault.exe
1304 | WerFault.exe
1304 | WerFault.exe
1304 | WerFault.exe
Drops file in System32 directory (33 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Blkioa32.exe | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
File created | C:\Windows\SysWOW64\Jhgkeald.dll | Bnielm32.exe
File created | C:\Windows\SysWOW64\Cdoajb32.exe | Baadng32.exe
File created | C:\Windows\SysWOW64\Cacacg32.exe | Cdoajb32.exe
File created | C:\Windows\SysWOW64\Dhnook32.dll | Bonoflae.exe
File created | C:\Windows\SysWOW64\Dnabbkhk.dll | Baadng32.exe
File created | C:\Windows\SysWOW64\Blkioa32.exe | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
File created | C:\Windows\SysWOW64\Ajpjcomh.dll | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
File created | C:\Windows\SysWOW64\Beejng32.exe | Bfpnmj32.exe
File created | C:\Windows\SysWOW64\Behgcf32.exe | Bonoflae.exe
File opened for modification | C:\Windows\SysWOW64\Bhhpeafc.exe | Bmclhi32.exe
File created | C:\Windows\SysWOW64\Baadng32.exe | Bhhpeafc.exe
File created | C:\Windows\SysWOW64\Bonoflae.exe | Beejng32.exe
File created | C:\Windows\SysWOW64\Ljacemio.dll | Bhhpeafc.exe
File opened for modification | C:\Windows\SysWOW64\Cacacg32.exe | Cdoajb32.exe
File created | C:\Windows\SysWOW64\Eoqbnm32.dll | Bfpnmj32.exe
File opened for modification | C:\Windows\SysWOW64\Behgcf32.exe | Bonoflae.exe
File opened for modification | C:\Windows\SysWOW64\Bmclhi32.exe | Behgcf32.exe
File created | C:\Windows\SysWOW64\Opacnnhp.dll | Behgcf32.exe
File opened for modification | C:\Windows\SysWOW64\Baadng32.exe | Bhhpeafc.exe
File opened for modification | C:\Windows\SysWOW64\Bnielm32.exe | Blkioa32.exe
File created | C:\Windows\SysWOW64\Ennlme32.dll | Blkioa32.exe
File created | C:\Windows\SysWOW64\Eignpade.dll | Beejng32.exe
File created | C:\Windows\SysWOW64\Bmclhi32.exe | Behgcf32.exe
File created | C:\Windows\SysWOW64\Bnielm32.exe | Blkioa32.exe
File opened for modification | C:\Windows\SysWOW64\Beejng32.exe | Bfpnmj32.exe
File created | C:\Windows\SysWOW64\Jodjlm32.dll | Bmclhi32.exe
File opened for modification | C:\Windows\SysWOW64\Cdoajb32.exe | Baadng32.exe
File created | C:\Windows\SysWOW64\Fdlpjk32.dll | Cdoajb32.exe
File created | C:\Windows\SysWOW64\Bfpnmj32.exe | Bnielm32.exe
File opened for modification | C:\Windows\SysWOW64\Bfpnmj32.exe | Bnielm32.exe
File opened for modification | C:\Windows\SysWOW64\Bonoflae.exe | Beejng32.exe
File created | C:\Windows\SysWOW64\Bhhpeafc.exe | Bmclhi32.exe
Program crash (1 IoCs)
pid | pid_target | process | target process
1304 | 1800 | WerFault.exe | Cacacg32.exe
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bonoflae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Behgcf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Baadng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blkioa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnielm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Beejng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhhpeafc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdoajb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cacacg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfpnmj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmclhi32.exe
Modifies registry class (36 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" | Behgcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Behgcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" | Bhhpeafc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cdoajb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll" | Blkioa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bnielm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll" | Bfpnmj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bmclhi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Baadng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll" | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll" | Bnielm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bonoflae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bnielm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bfpnmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Baadng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll" | Cdoajb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bhhpeafc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bhhpeafc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cdoajb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll" | Bmclhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bmclhi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Beejng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll" | Beejng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bonoflae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Blkioa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll" | Bonoflae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Behgcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" | Baadng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Blkioa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bfpnmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Beejng32.exe
Suspicious use of WriteProcessMemory (48 IoCs)
description | pid | process | target process
PID 2924 wrote to memory of 2796 | 2924 | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe | Blkioa32.exe
PID 2924 wrote to memory of 2796 | 2924 | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe | Blkioa32.exe
PID 2924 wrote to memory of 2796 | 2924 | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe | Blkioa32.exe
PID 2924 wrote to memory of 2796 | 2924 | a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe | Blkioa32.exe
PID 2796 wrote to memory of 2756 | 2796 | Blkioa32.exe | Bnielm32.exe
PID 2796 wrote to memory of 2756 | 2796 | Blkioa32.exe | Bnielm32.exe
PID 2796 wrote to memory of 2756 | 2796 | Blkioa32.exe | Bnielm32.exe
PID 2796 wrote to memory of 2756 | 2796 | Blkioa32.exe | Bnielm32.exe
PID 2756 wrote to memory of 2940 | 2756 | Bnielm32.exe | Bfpnmj32.exe
PID 2756 wrote to memory of 2940 | 2756 | Bnielm32.exe | Bfpnmj32.exe
PID 2756 wrote to memory of 2940 | 2756 | Bnielm32.exe | Bfpnmj32.exe
PID 2756 wrote to memory of 2940 | 2756 | Bnielm32.exe | Bfpnmj32.exe
PID 2940 wrote to memory of 2192 | 2940 | Bfpnmj32.exe | Beejng32.exe
PID 2940 wrote to memory of 2192 | 2940 | Bfpnmj32.exe | Beejng32.exe
PID 2940 wrote to memory of 2192 | 2940 | Bfpnmj32.exe | Beejng32.exe
PID 2940 wrote to memory of 2192 | 2940 | Bfpnmj32.exe | Beejng32.exe
PID 2192 wrote to memory of 768 | 2192 | Beejng32.exe | Bonoflae.exe
PID 2192 wrote to memory of 768 | 2192 | Beejng32.exe | Bonoflae.exe
PID 2192 wrote to memory of 768 | 2192 | Beejng32.exe | Bonoflae.exe
PID 2192 wrote to memory of 768 | 2192 | Beejng32.exe | Bonoflae.exe
PID 768 wrote to memory of 808 | 768 | Bonoflae.exe | Behgcf32.exe
PID 768 wrote to memory of 808 | 768 | Bonoflae.exe | Behgcf32.exe
PID 768 wrote to memory of 808 | 768 | Bonoflae.exe | Behgcf32.exe
PID 768 wrote to memory of 808 | 768 | Bonoflae.exe | Behgcf32.exe
PID 808 wrote to memory of 2880 | 808 | Behgcf32.exe | Bmclhi32.exe
PID 808 wrote to memory of 2880 | 808 | Behgcf32.exe | Bmclhi32.exe
PID 808 wrote to memory of 2880 | 808 | Behgcf32.exe | Bmclhi32.exe
PID 808 wrote to memory of 2880 | 808 | Behgcf32.exe | Bmclhi32.exe
PID 2880 wrote to memory of 2116 | 2880 | Bmclhi32.exe | Bhhpeafc.exe
PID 2880 wrote to memory of 2116 | 2880 | Bmclhi32.exe | Bhhpeafc.exe
PID 2880 wrote to memory of 2116 | 2880 | Bmclhi32.exe | Bhhpeafc.exe
PID 2880 wrote to memory of 2116 | 2880 | Bmclhi32.exe | Bhhpeafc.exe
PID 2116 wrote to memory of 2060 | 2116 | Bhhpeafc.exe | Baadng32.exe
PID 2116 wrote to memory of 2060 | 2116 | Bhhpeafc.exe | Baadng32.exe
PID 2116 wrote to memory of 2060 | 2116 | Bhhpeafc.exe | Baadng32.exe
PID 2116 wrote to memory of 2060 | 2116 | Bhhpeafc.exe | Baadng32.exe
PID 2060 wrote to memory of 1936 | 2060 | Baadng32.exe | Cdoajb32.exe
PID 2060 wrote to memory of 1936 | 2060 | Baadng32.exe | Cdoajb32.exe
PID 2060 wrote to memory of 1936 | 2060 | Baadng32.exe | Cdoajb32.exe
PID 2060 wrote to memory of 1936 | 2060 | Baadng32.exe | Cdoajb32.exe
PID 1936 wrote to memory of 1800 | 1936 | Cdoajb32.exe | Cacacg32.exe
PID 1936 wrote to memory of 1800 | 1936 | Cdoajb32.exe | Cacacg32.exe
PID 1936 wrote to memory of 1800 | 1936 | Cdoajb32.exe | Cacacg32.exe
PID 1936 wrote to memory of 1800 | 1936 | Cdoajb32.exe | Cacacg32.exe
PID 1800 wrote to memory of 1304 | 1800 | Cacacg32.exe | WerFault.exe
PID 1800 wrote to memory of 1304 | 1800 | Cacacg32.exe | WerFault.exe
PID 1800 wrote to memory of 1304 | 1800 | Cacacg32.exe | WerFault.exe
PID 1800 wrote to memory of 1304 | 1800 | Cacacg32.exe | WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe"
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2924

2. C:\Windows\SysWOW64\Blkioa32.exe
   Command line: C:\Windows\system32\Blkioa32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2796

3. C:\Windows\SysWOW64\Bnielm32.exe
   Command line: C:\Windows\system32\Bnielm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2756

4. C:\Windows\SysWOW64\Bfpnmj32.exe
   Command line: C:\Windows\system32\Bfpnmj32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2940

5. C:\Windows\SysWOW64\Beejng32.exe
   Command line: C:\Windows\system32\Beejng32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2192

6. C:\Windows\SysWOW64\Bonoflae.exe
   Command line: C:\Windows\system32\Bonoflae.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 768

7. C:\Windows\SysWOW64\Behgcf32.exe
   Command line: C:\Windows\system32\Behgcf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 808

8. C:\Windows\SysWOW64\Bmclhi32.exe
   Command line: C:\Windows\system32\Bmclhi32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2880

9. C:\Windows\SysWOW64\Bhhpeafc.exe
   Command line: C:\Windows\system32\Bhhpeafc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2116

10. C:\Windows\SysWOW64\Baadng32.exe
   Command line: C:\Windows\system32\Baadng32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2060

11. C:\Windows\SysWOW64\Cdoajb32.exe
   Command line: C:\Windows\system32\Cdoajb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1936

12. C:\Windows\SysWOW64\Cacacg32.exe
   Command line: C:\Windows\system32\Cacacg32.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1800

13. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 140
   - Loads dropped DLL
   - Program crash
   PID: 1304
MITRE ATT&CK Enterprise v15
Downloads