berbew | 6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/11/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
Size

163KB
MD5

895591b9b84a73d8a97d394910262dc2
SHA1

aa2e289ac160d3eb4b246afa1bfeee42dfd0e1ba
SHA256

6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc
SHA512

659857ec2c1ac73bbffa671fff4aad0299d4659bf09938d8183a22cd79e64b50301939ba665f09faf5fc4562985fe264c5d132d227efa3e97434c22302ec8e3e
SSDEEP

3072:cZlq3RN4Ie+qPxkXJMIRltOrWKDBr+yJbA:/3L4Ie+qP2X5RLOfA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdabino.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeemhkh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 19 IoCs

pid	Process
2680	Pfdabino.exe
2844	Pomfkndo.exe
1396	Pfikmh32.exe
796	Poapfn32.exe
264	Qflhbhgg.exe
588	Qeaedd32.exe
2968	Abeemhkh.exe
1840	Anlfbi32.exe
1368	Achojp32.exe
2300	Aaloddnn.exe
524	Afiglkle.exe
2024	Acpdko32.exe
2512	Aeqabgoj.exe
2244	Becnhgmg.exe
764	Bhfcpb32.exe
444	Bobhal32.exe
2020	Cpceidcn.exe
1776	Cddjebgb.exe
1956	Ceegmj32.exe

Loads dropped DLL 42 IoCs

pid	Process
2732	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
2732	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
2680	Pfdabino.exe
2680	Pfdabino.exe
2844	Pomfkndo.exe
2844	Pomfkndo.exe
1396	Pfikmh32.exe
1396	Pfikmh32.exe
796	Poapfn32.exe
796	Poapfn32.exe
264	Qflhbhgg.exe
264	Qflhbhgg.exe
588	Qeaedd32.exe
588	Qeaedd32.exe
2968	Abeemhkh.exe
2968	Abeemhkh.exe
1840	Anlfbi32.exe
1840	Anlfbi32.exe
1368	Achojp32.exe
1368	Achojp32.exe
2300	Aaloddnn.exe
2300	Aaloddnn.exe
524	Afiglkle.exe
524	Afiglkle.exe
2024	Acpdko32.exe
2024	Acpdko32.exe
2512	Aeqabgoj.exe
2512	Aeqabgoj.exe
2244	Becnhgmg.exe
2244	Becnhgmg.exe
764	Bhfcpb32.exe
764	Bhfcpb32.exe
444	Bobhal32.exe
444	Bobhal32.exe
2020	Cpceidcn.exe
2020	Cpceidcn.exe
1776	Cddjebgb.exe
1776	Cddjebgb.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Plnfdigq.dll	Poapfn32.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Aeqabgoj.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Afiglkle.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Pfikmh32.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Qflhbhgg.exe	Poapfn32.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Acpdko32.exe	Afiglkle.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Afiglkle.exe
File created	C:\Windows\SysWOW64\Pqfjpj32.dll	Acpdko32.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Poapfn32.exe	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Lbbjgn32.dll	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Abeemhkh.exe	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Anlfbi32.exe
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Pfdabino.exe	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
File created	C:\Windows\SysWOW64\Pfikmh32.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Pomfkndo.exe	Pfdabino.exe
File opened for modification	C:\Windows\SysWOW64\Afiglkle.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Odmoin32.dll	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Anlfbi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Poapfn32.exe	Pfikmh32.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Pfnkga32.dll	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Achojp32.exe
File created	C:\Windows\SysWOW64\Plgifc32.dll	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Aeqabgoj.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Dhbkakib.dll	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
File opened for modification	C:\Windows\SysWOW64\Abeemhkh.exe	Qeaedd32.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qeaedd32.exe
File opened for modification	C:\Windows\SysWOW64\Qflhbhgg.exe	Poapfn32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Bhdmagqq.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Jgafgmqa.dll	Pfdabino.exe
File opened for modification	C:\Windows\SysWOW64\Pfdabino.exe	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
File created	C:\Windows\SysWOW64\Ilfila32.dll	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Qeaedd32.exe	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pfdabino.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Afiglkle.exe	Aaloddnn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
912	1956	WerFault.exe	48

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll"	Poapfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acpdko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfdabino.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbjgn32.dll"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgifc32.dll"	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll"	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgafgmqa.dll"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmoin32.dll"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afiglkle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2680	2732	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe	30
PID 2732 wrote to memory of 2680	2732	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe	30
PID 2732 wrote to memory of 2680	2732	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe	30
PID 2732 wrote to memory of 2680	2732	6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe	30
PID 2680 wrote to memory of 2844	2680	Pfdabino.exe	31
PID 2680 wrote to memory of 2844	2680	Pfdabino.exe	31
PID 2680 wrote to memory of 2844	2680	Pfdabino.exe	31
PID 2680 wrote to memory of 2844	2680	Pfdabino.exe	31
PID 2844 wrote to memory of 1396	2844	Pomfkndo.exe	32
PID 2844 wrote to memory of 1396	2844	Pomfkndo.exe	32
PID 2844 wrote to memory of 1396	2844	Pomfkndo.exe	32
PID 2844 wrote to memory of 1396	2844	Pomfkndo.exe	32
PID 1396 wrote to memory of 796	1396	Pfikmh32.exe	33
PID 1396 wrote to memory of 796	1396	Pfikmh32.exe	33
PID 1396 wrote to memory of 796	1396	Pfikmh32.exe	33
PID 1396 wrote to memory of 796	1396	Pfikmh32.exe	33
PID 796 wrote to memory of 264	796	Poapfn32.exe	34
PID 796 wrote to memory of 264	796	Poapfn32.exe	34
PID 796 wrote to memory of 264	796	Poapfn32.exe	34
PID 796 wrote to memory of 264	796	Poapfn32.exe	34
PID 264 wrote to memory of 588	264	Qflhbhgg.exe	35
PID 264 wrote to memory of 588	264	Qflhbhgg.exe	35
PID 264 wrote to memory of 588	264	Qflhbhgg.exe	35
PID 264 wrote to memory of 588	264	Qflhbhgg.exe	35
PID 588 wrote to memory of 2968	588	Qeaedd32.exe	36
PID 588 wrote to memory of 2968	588	Qeaedd32.exe	36
PID 588 wrote to memory of 2968	588	Qeaedd32.exe	36
PID 588 wrote to memory of 2968	588	Qeaedd32.exe	36
PID 2968 wrote to memory of 1840	2968	Abeemhkh.exe	37
PID 2968 wrote to memory of 1840	2968	Abeemhkh.exe	37
PID 2968 wrote to memory of 1840	2968	Abeemhkh.exe	37
PID 2968 wrote to memory of 1840	2968	Abeemhkh.exe	37
PID 1840 wrote to memory of 1368	1840	Anlfbi32.exe	38
PID 1840 wrote to memory of 1368	1840	Anlfbi32.exe	38
PID 1840 wrote to memory of 1368	1840	Anlfbi32.exe	38
PID 1840 wrote to memory of 1368	1840	Anlfbi32.exe	38
PID 1368 wrote to memory of 2300	1368	Achojp32.exe	39
PID 1368 wrote to memory of 2300	1368	Achojp32.exe	39
PID 1368 wrote to memory of 2300	1368	Achojp32.exe	39
PID 1368 wrote to memory of 2300	1368	Achojp32.exe	39
PID 2300 wrote to memory of 524	2300	Aaloddnn.exe	40
PID 2300 wrote to memory of 524	2300	Aaloddnn.exe	40
PID 2300 wrote to memory of 524	2300	Aaloddnn.exe	40
PID 2300 wrote to memory of 524	2300	Aaloddnn.exe	40
PID 524 wrote to memory of 2024	524	Afiglkle.exe	41
PID 524 wrote to memory of 2024	524	Afiglkle.exe	41
PID 524 wrote to memory of 2024	524	Afiglkle.exe	41
PID 524 wrote to memory of 2024	524	Afiglkle.exe	41
PID 2024 wrote to memory of 2512	2024	Acpdko32.exe	42
PID 2024 wrote to memory of 2512	2024	Acpdko32.exe	42
PID 2024 wrote to memory of 2512	2024	Acpdko32.exe	42
PID 2024 wrote to memory of 2512	2024	Acpdko32.exe	42
PID 2512 wrote to memory of 2244	2512	Aeqabgoj.exe	43
PID 2512 wrote to memory of 2244	2512	Aeqabgoj.exe	43
PID 2512 wrote to memory of 2244	2512	Aeqabgoj.exe	43
PID 2512 wrote to memory of 2244	2512	Aeqabgoj.exe	43
PID 2244 wrote to memory of 764	2244	Becnhgmg.exe	44
PID 2244 wrote to memory of 764	2244	Becnhgmg.exe	44
PID 2244 wrote to memory of 764	2244	Becnhgmg.exe	44
PID 2244 wrote to memory of 764	2244	Becnhgmg.exe	44
PID 764 wrote to memory of 444	764	Bhfcpb32.exe	45
PID 764 wrote to memory of 444	764	Bhfcpb32.exe	45
PID 764 wrote to memory of 444	764	Bhfcpb32.exe	45
PID 764 wrote to memory of 444	764	Bhfcpb32.exe	45

C:\Users\Admin\AppData\Local\Temp\6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe
"C:\Users\Admin\AppData\Local\Temp\6a948260b452f5e5088a865471e9ee5e84d7f724e76e410a7353e2761a7c29fc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\Pfdabino.exe
  C:\Windows\system32\Pfdabino.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\Pomfkndo.exe
    C:\Windows\system32\Pomfkndo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\Pfikmh32.exe
      C:\Windows\system32\Pfikmh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
      - C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cddjebgb.exe

Filesize
163KB

MD5
570496d4fd2115f74cbf8617c13a9a5c

SHA1
64a7522896e00815c9f35e96a2a2a43c016514fc

SHA256
ddd47224098917598ef9ad17261a736af3dd43d8fe9d5fcb87a2b6d010259133

SHA512
2e5bf34e18ea7aaa50da2fdf16abf3560cebe0c2f52219f85f8d3dc57f52e84d913dc223e6df8a243f2313509c9e9bff7b96cd993f0475934d0e084febe758f4

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
163KB

MD5
ecc973e94588fbe1c16f2734cedeb123

SHA1
be7849133db11b13c6e64b39ba7017b65ee1d538

SHA256
fd3438e62678598233150200632ca67aadb76e1741da2c7185980c7e2450846b

SHA512
20cee3c9d5dd4df6adc5dcdc857ea7a28a275b1c11189459dc97d59fe4d77ccf59e45d3487e04699fc7a095405e334dabd225c28e5dae3f2c303e19c697ff0a5

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
163KB

MD5
1986246f6b702f6e33a26147726e4e88

SHA1
7cd7d45ff53461686be81c501d0706df36b7cae9

SHA256
82fa3452630296e472a74c4d55f6a2b163cfdc07152abb01e46b07d160fcb9b1

SHA512
30f9b63d0a3800eb51058e83112a6615a09cfa18fc5f8d5ac245cfe6563d91061f2ad0ec73228d84bdf45fc441531aa2f4d84cfde39956030469af7ed13b3673

Download Submit
C:\Windows\SysWOW64\Pomfkndo.exe

Filesize
163KB

MD5
d4c8552765691b5311f72f2d9db77f9b

SHA1
6fbb07f1e6a80298248fe1485efdd40f5fa989f9

SHA256
5a2da786db34de399e7c8fb67df91f7d9bb67094a6886326b8de248cfa5b9fdd

SHA512
c3f42f3c3f4a216452bccd346079f0c994554c6cff7eff4081f1551ef2f434936342306cedf5e7c9bc6f4161a8f5fab39d0049457526f4df75d4dba4fb4803a8

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
163KB

MD5
dedfa52fc4f82285813a40b5bc1badd7

SHA1
1a6690a88446d7d1098a8f2056076501944925c7

SHA256
2dd4195c9c2692aa18402ef108faa7cef69e775a108367bad7453527f0e82c50

SHA512
14b2d161f378f81d4cae2ef97439b47220f367115f4307fef6c9c76f9628e230d53360399c47669b09cc430d3787ab381577940fbf220487b5d1793787dee644

Download Submit
\Windows\SysWOW64\Aaloddnn.exe

Filesize
163KB

MD5
c3adfeefcd41f3da61a84463af8b9caa

SHA1
1216900bcb53fff23905b7eb0c0d7c7f6fc94b66

SHA256
f710dea31453a7a5b46e9be214097594aa4862b3983f884db9e586add4a69f2a

SHA512
b9c91b083f28f41eee45f2bc65856f248c66de49a268430f037c9fd5f7562034895ae89c8d147cda982cb9d492644aad5712688fe1b3eb4579af783fdfc14610

Download Submit
\Windows\SysWOW64\Abeemhkh.exe

Filesize
163KB

MD5
6ece9f8bf0d7447049c843783dac7611

SHA1
fea21fa76d3dd535df1f41627ec57bf2edc62b2d

SHA256
810c3e0003e07d31be60e94a2fa5c7482ed4f402696aedddbbb17c76d1407bcc

SHA512
f1fdc1a980f49bd3b3a2237763d317643fc8a8d6c35a1a7e2cc159abdc00e67e25001e44d854758886a4a38f20e8f59084126b18319bceec055b8269eb5fe918

Download Submit
\Windows\SysWOW64\Achojp32.exe

Filesize
163KB

MD5
9ef89649f483f33b7d14055b6989a29a

SHA1
563275a1172a6e3133c0041e5a06aa9f7962e803

SHA256
431e7c94a57ae2bc3b0e4bebd78baf13fe211b0c3a53648420d296901a924af0

SHA512
bbe91565414a9805c67cd00611548a975e8092517c3e9ef59682d75faaba87474332b6da182fd926611025639c231a49cba0ae062c1f006e948263865447a9d1

Download Submit
\Windows\SysWOW64\Acpdko32.exe

Filesize
163KB

MD5
06ee883c7939ea6619ced0e31c2d4df0

SHA1
faa8b1b08c01d81d84ab6c61259d49d28586ce74

SHA256
753f11228ecce556de008ed81eedcbd387ba36e9f49592f8c7092c91e639fa8f

SHA512
9df6807accab6db82bb30b3821235ff3602d4966b83ff42006965450c4db2e4fa80619332ec58115127f4468cea9f24c4d1c6e3c89f9117157d3bc34e56ead8c

Download Submit
\Windows\SysWOW64\Aeqabgoj.exe

Filesize
163KB

MD5
5e231f3aaeadfda33ebf2087ff9c4d04

SHA1
8d63db06f8c3a9ff2859d547b734bd95ef28b383

SHA256
af0be4d085ca4cdd52131cb7c0f2c9d0f537d3270126a599bfff5fc23aeadacd

SHA512
43b6b0a2ba56f3569beda7a474a2f26efc1fa6aed876900468bc994c2cf1d451d9d08a32ecc5bed3e5397e72aa9e45f302da99397535d09a977753443c98574c

Download Submit
\Windows\SysWOW64\Afiglkle.exe

Filesize
163KB

MD5
169810d7955ad190a1a4fc6d79ca7f2f

SHA1
4232acec08d0095fe3b14c89ac4f1acb3e765072

SHA256
6472d6cdac2486d3b1ace3f1a8105295400c42580aee9a207a62712ef17685c0

SHA512
b3c191cfc3808a471b0284ff735384f1e343672f84e57812e3909c8c69f6e51b3b7fff418f8d87e10f35acd1fbccc4907b2945c9784318b805742849af9c1e99

Download Submit
\Windows\SysWOW64\Anlfbi32.exe

Filesize
163KB

MD5
5cf7c860926036f304afb766f618549e

SHA1
e6eddd4396fbcca439408450a6ef8f5071c14c5b

SHA256
c82f2b1fc2abf2cf15a6948034a6149ed2a7f3ef30dcc18e72361a586d381766

SHA512
1b22dea2a0814366a454120b9abe7391e85fdd29739d4dea681d007f2b6bbd654c9e104664462e39391fc2a7129fb56856c380068c5d6c6c025f546835a266ee

Download Submit
\Windows\SysWOW64\Becnhgmg.exe

Filesize
163KB

MD5
6ec734efcc26e79765a22f1fa9935c78

SHA1
3b7d8a585706b8fdc0fdd46e1afe5af3b8497a00

SHA256
5e939fce97f8d3300e7d17f20a32a50643a012d9c51d19351782b2e16abc6bff

SHA512
788df7c9c5f8409abd297704f779ef70d36c49a854018ed68cd3fc46b0bc928d629a92fae2b3d00317c15fc93012f8bcf845980825a297a7fb80d613d7eb7b3d

Download Submit
\Windows\SysWOW64\Bhfcpb32.exe

Filesize
163KB

MD5
472ef4f4295327557dd439683cd8f143

SHA1
782f175fd8e3fbe340052795f719756df7db52cc

SHA256
41d2d1750dde151d8a68fafce67b6e268a2a089f882935b5e1e162238fc491cd

SHA512
da71d8b2aa477f3cc23d72009fa6b8feb25c88f1ae34d4052c64f1743025f442057af93285e99a040ed1b37efff08fb695fd89719f9317da7be90c29ab5847cd

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
163KB

MD5
6bd1f605eec8cb4a7d932109276321ee

SHA1
2876a6a107cbdc46d0aba973e50248bc4d4a304a

SHA256
815cade8b50c03dff0010292564a049b9877e9feae492739cae653e4f629cfa0

SHA512
a24f8d2ddba84f7ad65c14996051df5395d8b6290ea2ad8ed1d77cc6e18bc02c5fac5ac6da311b0f5161be00958447da60acd20d7758e374f7f5c9214becefcb

Download Submit
\Windows\SysWOW64\Pfdabino.exe

Filesize
163KB

MD5
1a45957d535b7a483b6b9a12efc962f0

SHA1
0680702f5c72950e75a3e6772f3adab825d9508d

SHA256
1a96893ec42e28c93d61300e6184320174bbab148fd37cc73ce5d26abcb82dab

SHA512
02aa254564ea94fc463a27fa10a48bc46cbf39e47c11488537dc8e0474b0a627e892c6556aff7dad7c996273a5cfc379e2c69e9253087ee2638654451c8ef21e

Download Submit
\Windows\SysWOW64\Pfikmh32.exe

Filesize
163KB

MD5
070eaa04a59133fe0b6040723ffba34a

SHA1
cfe0f096b5b69fe9e294cec15a2dec93e6f19ba8

SHA256
a4434fe5026cddbe9998a6d80a3ab8ff83064927ee9e6b374740db65cff13a30

SHA512
b447a47307f28806b1fa7d176b14d26bee5287890c4ac74a05a38e278b194ddd3015e9e8b8e3dc8e2954e7ac6702619904bdd77175d882a6494b35a6a60930cb

Download Submit
\Windows\SysWOW64\Poapfn32.exe

Filesize
163KB

MD5
18497d780becb2c2ea927cdd8880aa8d

SHA1
03663044d25d3ae99d391c757ffacf3f8ddec34f

SHA256
3df7e365b22012f3f32d44677b04d7de418929e0f06be306436a0805abe966bc

SHA512
e95b6f394543495c1fc9e7f332d96e82e6ceab290cefb4ac5e4c95214424c4a0af3cbea0b4c1d5bb71cce9c93c0f10d95d97ed719e225e600934d2ee87343cac

Download Submit
\Windows\SysWOW64\Qeaedd32.exe

Filesize
163KB

MD5
6b36c295ce08805226543406bdb9e39c

SHA1
04d26a3cc9025cd2331dc256a0fbf9ac84349554

SHA256
bd08abfd718d4e09200605483845e160dd82ab42598da2df74af10bccb8280f9

SHA512
c16238a63a53a85cc9b33870ed1760699b792d164a2d0fe93ac27e4747bc1a62df23a0e03bf4ac66864762ba5ab3b16a629d170a2b4bc05dca98a43e20de29b7

Download Submit
memory/264-74-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/264-66-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/264-282-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/444-226-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/444-230-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/444-219-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/444-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/444-254-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/524-285-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/524-146-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/524-158-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/588-85-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/588-278-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/764-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/764-255-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/764-216-0x00000000005F0000-0x0000000000643000-memory.dmp

Filesize
332KB

Download
memory/764-218-0x00000000005F0000-0x0000000000643000-memory.dmp

Filesize
332KB

Download
memory/764-204-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/796-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/796-58-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1368-131-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1368-280-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1396-288-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1396-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1776-242-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1776-252-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/1776-251-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/1776-274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1840-107-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1840-277-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1956-253-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1956-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1956-258-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2020-231-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2020-241-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2020-237-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2020-284-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2024-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2024-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2024-174-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2024-175-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2024-261-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2244-197-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2244-189-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2244-203-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2244-276-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2300-133-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2300-279-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2512-181-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2512-262-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2512-260-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2512-188-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2680-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2732-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2732-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2732-11-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2844-38-0x0000000000330000-0x0000000000383000-memory.dmp

Filesize
332KB

Download
memory/2844-26-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2844-289-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2968-101-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2968-93-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2968-283-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads