berbew | f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
Size

2.3MB
MD5

f7ccae0349b0393380967a7ec625adf0
SHA1

fd3a7cfce87440669a5e52761b0a0d323e630bfc
SHA256

f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437
SHA512

6b50a6a82695d70d53a70920f1334963d4b8b06fecde26b3e70f30ef041e8a0a4b36673ef602f5fa346d91fddb9f634f9b7f24d712fd70eff292ce4cf2c5806e
SSDEEP

3072:+k7EvmJvlVZ0I/I0Q5OPIN+/cuTQ2TgRX7Jg3A9z:+tuJvlVZVgp54tRo7KA9z

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nofdklgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 20 IoCs

pid	Process
2704	Nofdklgl.exe
2472	Nilhhdga.exe
2872	Pcibkm32.exe
2620	Pkdgpo32.exe
3024	Pndpajgd.exe
860	Bnielm32.exe
764	Bfpnmj32.exe
2176	Bhajdblk.exe
1776	Bbgnak32.exe
2112	Biafnecn.exe
2884	Blobjaba.exe
2888	Bbikgk32.exe
1940	Bdkgocpm.exe
2424	Blaopqpo.exe
2288	Baohhgnf.exe
1000	Bkglameg.exe
1628	Bmeimhdj.exe
448	Cpceidcn.exe
780	Cfnmfn32.exe
1876	Cacacg32.exe

Loads dropped DLL 44 IoCs

pid	Process
1508	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
1508	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
2704	Nofdklgl.exe
2704	Nofdklgl.exe
2472	Nilhhdga.exe
2472	Nilhhdga.exe
2872	Pcibkm32.exe
2872	Pcibkm32.exe
2620	Pkdgpo32.exe
2620	Pkdgpo32.exe
3024	Pndpajgd.exe
3024	Pndpajgd.exe
860	Bnielm32.exe
860	Bnielm32.exe
764	Bfpnmj32.exe
764	Bfpnmj32.exe
2176	Bhajdblk.exe
2176	Bhajdblk.exe
1776	Bbgnak32.exe
1776	Bbgnak32.exe
2112	Biafnecn.exe
2112	Biafnecn.exe
2884	Blobjaba.exe
2884	Blobjaba.exe
2888	Bbikgk32.exe
2888	Bbikgk32.exe
1940	Bdkgocpm.exe
1940	Bdkgocpm.exe
2424	Blaopqpo.exe
2424	Blaopqpo.exe
2288	Baohhgnf.exe
2288	Baohhgnf.exe
1000	Bkglameg.exe
1000	Bkglameg.exe
1628	Bmeimhdj.exe
1628	Bmeimhdj.exe
448	Cpceidcn.exe
448	Cpceidcn.exe
780	Cfnmfn32.exe
780	Cfnmfn32.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ennlme32.dll	Pndpajgd.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Pkdgpo32.exe	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Pkdgpo32.exe	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Bfenfipk.dll	Nofdklgl.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Bfpnmj32.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Pcibkm32.exe	Nilhhdga.exe
File opened for modification	C:\Windows\SysWOW64\Bfpnmj32.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Nilhhdga.exe	Nofdklgl.exe
File created	C:\Windows\SysWOW64\Bfpnmj32.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Jhgkeald.dll	Bnielm32.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Biafnecn.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Nilhhdga.exe	Nofdklgl.exe
File created	C:\Windows\SysWOW64\Ldeamlkj.dll	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Ehieciqq.dll	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Nofdklgl.exe	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pndpajgd.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Pndpajgd.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Aobcmana.dll	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Pndpajgd.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Docdkd32.dll	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Bfpnmj32.exe
File opened for modification	C:\Windows\SysWOW64\Bbgnak32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Nofdklgl.exe	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
File opened for modification	C:\Windows\SysWOW64\Bnielm32.exe	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Pcibkm32.exe	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe

Program crash 1 IoCs

pid	pid_target	Process
1808	1876	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpnmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilhhdga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofdklgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehieciqq.dll"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfenfipk.dll"	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll"	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docdkd32.dll"	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nofdklgl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2704	1508	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe	30
PID 1508 wrote to memory of 2704	1508	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe	30
PID 1508 wrote to memory of 2704	1508	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe	30
PID 1508 wrote to memory of 2704	1508	f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe	30
PID 2704 wrote to memory of 2472	2704	Nofdklgl.exe	31
PID 2704 wrote to memory of 2472	2704	Nofdklgl.exe	31
PID 2704 wrote to memory of 2472	2704	Nofdklgl.exe	31
PID 2704 wrote to memory of 2472	2704	Nofdklgl.exe	31
PID 2472 wrote to memory of 2872	2472	Nilhhdga.exe	32
PID 2472 wrote to memory of 2872	2472	Nilhhdga.exe	32
PID 2472 wrote to memory of 2872	2472	Nilhhdga.exe	32
PID 2472 wrote to memory of 2872	2472	Nilhhdga.exe	32
PID 2872 wrote to memory of 2620	2872	Pcibkm32.exe	33
PID 2872 wrote to memory of 2620	2872	Pcibkm32.exe	33
PID 2872 wrote to memory of 2620	2872	Pcibkm32.exe	33
PID 2872 wrote to memory of 2620	2872	Pcibkm32.exe	33
PID 2620 wrote to memory of 3024	2620	Pkdgpo32.exe	34
PID 2620 wrote to memory of 3024	2620	Pkdgpo32.exe	34
PID 2620 wrote to memory of 3024	2620	Pkdgpo32.exe	34
PID 2620 wrote to memory of 3024	2620	Pkdgpo32.exe	34
PID 3024 wrote to memory of 860	3024	Pndpajgd.exe	35
PID 3024 wrote to memory of 860	3024	Pndpajgd.exe	35
PID 3024 wrote to memory of 860	3024	Pndpajgd.exe	35
PID 3024 wrote to memory of 860	3024	Pndpajgd.exe	35
PID 860 wrote to memory of 764	860	Bnielm32.exe	36
PID 860 wrote to memory of 764	860	Bnielm32.exe	36
PID 860 wrote to memory of 764	860	Bnielm32.exe	36
PID 860 wrote to memory of 764	860	Bnielm32.exe	36
PID 764 wrote to memory of 2176	764	Bfpnmj32.exe	37
PID 764 wrote to memory of 2176	764	Bfpnmj32.exe	37
PID 764 wrote to memory of 2176	764	Bfpnmj32.exe	37
PID 764 wrote to memory of 2176	764	Bfpnmj32.exe	37
PID 2176 wrote to memory of 1776	2176	Bhajdblk.exe	38
PID 2176 wrote to memory of 1776	2176	Bhajdblk.exe	38
PID 2176 wrote to memory of 1776	2176	Bhajdblk.exe	38
PID 2176 wrote to memory of 1776	2176	Bhajdblk.exe	38
PID 1776 wrote to memory of 2112	1776	Bbgnak32.exe	39
PID 1776 wrote to memory of 2112	1776	Bbgnak32.exe	39
PID 1776 wrote to memory of 2112	1776	Bbgnak32.exe	39
PID 1776 wrote to memory of 2112	1776	Bbgnak32.exe	39
PID 2112 wrote to memory of 2884	2112	Biafnecn.exe	40
PID 2112 wrote to memory of 2884	2112	Biafnecn.exe	40
PID 2112 wrote to memory of 2884	2112	Biafnecn.exe	40
PID 2112 wrote to memory of 2884	2112	Biafnecn.exe	40
PID 2884 wrote to memory of 2888	2884	Blobjaba.exe	41
PID 2884 wrote to memory of 2888	2884	Blobjaba.exe	41
PID 2884 wrote to memory of 2888	2884	Blobjaba.exe	41
PID 2884 wrote to memory of 2888	2884	Blobjaba.exe	41
PID 2888 wrote to memory of 1940	2888	Bbikgk32.exe	42
PID 2888 wrote to memory of 1940	2888	Bbikgk32.exe	42
PID 2888 wrote to memory of 1940	2888	Bbikgk32.exe	42
PID 2888 wrote to memory of 1940	2888	Bbikgk32.exe	42
PID 1940 wrote to memory of 2424	1940	Bdkgocpm.exe	43
PID 1940 wrote to memory of 2424	1940	Bdkgocpm.exe	43
PID 1940 wrote to memory of 2424	1940	Bdkgocpm.exe	43
PID 1940 wrote to memory of 2424	1940	Bdkgocpm.exe	43
PID 2424 wrote to memory of 2288	2424	Blaopqpo.exe	44
PID 2424 wrote to memory of 2288	2424	Blaopqpo.exe	44
PID 2424 wrote to memory of 2288	2424	Blaopqpo.exe	44
PID 2424 wrote to memory of 2288	2424	Blaopqpo.exe	44
PID 2288 wrote to memory of 1000	2288	Baohhgnf.exe	45
PID 2288 wrote to memory of 1000	2288	Baohhgnf.exe	45
PID 2288 wrote to memory of 1000	2288	Baohhgnf.exe	45
PID 2288 wrote to memory of 1000	2288	Baohhgnf.exe	45

C:\Users\Admin\AppData\Local\Temp\f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe
"C:\Users\Admin\AppData\Local\Temp\f226feee023b142743136ba1d90faa45aec63290c3a1bc33c9278bf2cc902437.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\Nofdklgl.exe
  C:\Windows\system32\Nofdklgl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\Nilhhdga.exe
    C:\Windows\system32\Nilhhdga.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\Pcibkm32.exe
      C:\Windows\system32\Pcibkm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Bfpnmj32.exe
        
        C:\Windows\system32\Bfpnmj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
2.3MB

MD5
0bb413bb5af41d317059fffe4e16b0ed

SHA1
b912c740360ef08c477d5ff1d19cbc4ef6062f43

SHA256
5465aef3c980e4d67de089e06549b5ead0214ef0953355ce4cd1cc81ffd8a26a

SHA512
1b1e02e8b54dd251d51824e1e864fb984182f4f43f137b62ce6ccd613b352bbd28e268bc44f91798a27173ad65b38739490ac852c910611b6b89dc4c0f4b6dd5

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
2.3MB

MD5
90ed537fe2f8b956b3b0997490e09e86

SHA1
4102f6bfa0cfc69babe5cc1dd486c29e56308c50

SHA256
c035e78800843b673f7d1245762fb7a68fba9367f68b1075fcd3c32dbea6c3e5

SHA512
c60bda237d35af342a28fbb95e5a46423b52eb22b6b2bb42b74945376e777172eceb98ac7365a375b8e6f7c19d65ad5336e902f288dd96b8faa74aafc4612cd2

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
2.3MB

MD5
dfd25aa6e5f0d207bdc6ecd616f9637c

SHA1
ded8717ece6695421e47052d16df667f3c9b3acb

SHA256
fe5bdb15d1e2138cdf16ecd895fa9d56c8f1dabf704a15affc5d86d7039432c2

SHA512
f20b87487fd580dec773ea70fdd225db2044b2f5d50c90f006954bf5cf9c7d26e41e77cbc207a0444726c75ba6e25db2cc5bc9e82cebff710998d213269fb550

Download Submit
C:\Windows\SysWOW64\Bfpnmj32.exe

Filesize
2.3MB

MD5
e3a62140093697b2a48c25ac58da4048

SHA1
33df670f9c343edbfe4cb490d4b90622d278795d

SHA256
9b22129c519822fa0ae4c6e5fe889d25ace6561b3585e90ee18ba7c41b7fb4fc

SHA512
31b631b3a30bfd0a9b3a4766ed77d3a9bd9f209af9979f9d3d9d1658165ada309968263a24c26fa8240d427d4de9140f70a960834718ad2606bcb44972e15248

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
2.3MB

MD5
5eed2de6eb019f3312943131c3c63560

SHA1
69aab0189f064a63b684bf930fe463db84c67ab0

SHA256
8ddc638bd84b272fbc1b1006f09d4035c2cdf3846acbe40860aeae92ad048b64

SHA512
7bcd8e347af19de019d57f73ec511880a73f8a60f7a17da30a572f89f767b98cb953de22966ca12986e098dd27ffb36a4d3dc2f02594e40f229a411ae4a68186

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
2.3MB

MD5
a11d19ec199e6ca812cf18671f355a43

SHA1
f9d02caa0ecb578aed4cb8880c178807ae0c73fc

SHA256
80a4950edadce651ab88ffd3554efadbdd22c7c520d66eab50328c84f2a91055

SHA512
0003c8691ff45aed4501748f0824ef934189c691537690697e0c8d2152b88e46043f24ade3592a657be3a7c20b8ddb142f3272c74bed49d77be50d10f786a5cd

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
2.3MB

MD5
92ecae7f86771b817225639036c65cd3

SHA1
5ab634a623bddea992cd954d1d8084f33a9ba770

SHA256
f8a3558ad16c73bef8924bfb84ad90a36be1a016e12c587240fae6f1691f0c0a

SHA512
841d252c6c9567f1f4847dc651080bc5c90eaa807ec8ee7a0429644717eb112aaefdf7544775937f70c8076ccff28ca0c57af849eee42e1f87ca41676654eabb

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
2.3MB

MD5
a1cc511544b7e63ae0d9304c30e11660

SHA1
0a26f3e7595d53cb4153491d6b0aff29f9560dbf

SHA256
22509cfb35fb6e235d7c8506787815fc3ee5652c49d744129651e7b6483533fc

SHA512
fdaaebd24013ecd9c8a5e3688e6dda8ac0086864df6d50c4cf0c77f8f56cd6935160f26fb748f82b581b0052faf043de3a697e3a72b0677c90f53990e3ad7d4f

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
2.3MB

MD5
439b92e9e5c0e5e49e6db095848be1e6

SHA1
a038925507f7c9fdaba269fe3e2b06d3c083644b

SHA256
11d1123146f2e5172d31d829a84fd84d9b59b02a93bd43fdd94cbd83d87bcfcf

SHA512
8fd770e69e9449463376400ce90e0525bd91beecd9b035f76f83ce4f9968983c6095a674bb50ff1f475beb4f4e63e42881430433bb406f0e589438fd2e88d346

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
2.3MB

MD5
a27a1a0d91091c5f78598749e9b7f956

SHA1
422f4f861fd2831508a896686a2002103b7d68ae

SHA256
ea76e8d85fd37259a931bffd2cac3f95dc5e7b829687a41dcefba3172d4d336f

SHA512
f7a049b15e585d2529fe03004154680879aad324da471d37f2392213a5cce271e5bc854b6c863523426f606d150bb1b7202f4b2f3a2a2316285fe5f268e7c7f7

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
2.3MB

MD5
a1ddebafdc7f89cdcfaea87174a60325

SHA1
3792ef6da2aaef680d6df638c6684d1cc8ba7cb8

SHA256
ab7972dc435598d757d446c78ba6b50fd9c2e02d4d7df79edafe8c0512b0ac9f

SHA512
dafc3496351209ff8c91281f71b20dbe57c0e53946c20f05936f6e41a0902038ad780494ccdf836ab78533ee09ca0847e57146f75a36ba0c2cb92805725bd4f0

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
2.3MB

MD5
fe33b26b0d261797599a5195dd68046c

SHA1
1fdb30c9e480fa06ba11c51f3fdce2b1bd334b70

SHA256
85372bc3727b9983bfd6f4d8f1fc46fa72ff13f34b62d94b8432cd9c21379db2

SHA512
9dcf1004e4041a91c8dad4dfdec1edaa465daf836fc1adc3f2c4ef619cd1f330d0f54eea8b49bfeee1cf187801075e28409ebc8c382e2864f155a15cc178c79a

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
2.3MB

MD5
4a578746d7fe1388127239ef6bc0a551

SHA1
e9c221fc29c719890ecf4ba52e6f15e641d19b36

SHA256
3750b561c86fd1e97513505c145d8b190760d430ae4cb811374ce07ff35fa33d

SHA512
7205a69d26d4cfdd8c1bf5e73c052b098c5ff3753fb69636b9eed560fe89ea0e12b10303c2b0dc680b6016f2badbc3e66145611450462528b6f26e271db946b0

Download Submit
C:\Windows\SysWOW64\Pcibkm32.exe

Filesize
2.3MB

MD5
911ad35c5791eae52d4b8ac2678e51fc

SHA1
e16b5ffc6c5c8209151bf84e472056d49f23e40c

SHA256
27d0dcaa4934c532258ced7e51b06ffafd8406d63956247bb7b0ae404ec167d3

SHA512
de0c619731323b359821c82d63f57a1061e7fddced13c11a9f9ea45e7f9b0301ef966edc07a229a41ad7885a8cf2bda580f7d8f169eeeadbea7a3f01191e6609

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
2.3MB

MD5
7d83524c669484ac54b246927e851e94

SHA1
186e05fb9bdfb54159f7655eaa22fd999839f14d

SHA256
3eb32ff74edced8c5b883e47dde2fccd7f50cab1b410e4be09c12f32c569bd91

SHA512
d7426e743e119dfb23c080b1d67d92d580673a354210c83a081fbe4fed7f8e5243a7a2d377aa801850a39d99b6ad965d155e2b657f7ef78d08b88156753feac7

Download Submit
\Windows\SysWOW64\Bdkgocpm.exe

Filesize
2.3MB

MD5
f0200c1651f53487e9ddc440f68ffb90

SHA1
042946d1f7f3ae15d4c6af9ca700077f6af96ee2

SHA256
2b741317cddaf76e29a623abd961b4b27d95f47b1c4b8fc4085acd4800d91f99

SHA512
384d73122540b16a86db5a2476231d61d74e1f5aaacbedeec4640e65a4683d170b721d4505e61813753e5269d2a761f890e64ed894c88bebb4cb04381b405ce9

Download Submit
\Windows\SysWOW64\Bnielm32.exe

Filesize
2.3MB

MD5
dbf96280d7a51d1d27d16cc68c6caf0a

SHA1
3326dd81de1481b93a0f53e45f58583825442924

SHA256
fb74c5460d4eccf2f35de293b4519a03d47576e2e300cd70b20cf8512b69ca8e

SHA512
d5ad77433daf88488745ee15af1759a4bc202916928e5b95ad81a391a189e34456a7df8dc6c7932740fb92f87ae4e2915f70981033b3a679e74e07cdbefcda2b

Download Submit
\Windows\SysWOW64\Nilhhdga.exe

Filesize
2.3MB

MD5
3e817a241f0f2252c8d819453d8c1dc0

SHA1
eb8120eeb247cea94fc39ac6ceff78371a9279c7

SHA256
c129cb09643ceecf48513e5c7a6020a7c74e8d585528ecf9fae1e56a1690b901

SHA512
e57dcd24fe5fefef2bbe5e7e653fca891390438c8f07dd4e0b9b484dde07a42fdc9efbf1420bb22d6245e641812cea78551bf6fdc93deb17fb65910c1ae7bebb

Download Submit
\Windows\SysWOW64\Nofdklgl.exe

Filesize
2.3MB

MD5
ad97784a52b7b58b5ec687c7860ebf2c

SHA1
87191723aa15c0d195c4f98e380611dd87109842

SHA256
9c847cd1f3fa5008dab3bd541ac7825f5facd16d6b57722f38fa16343d073fcf

SHA512
2e8a45fe5920aed2a83fe986b4dca2a9bcf741983684946b96bab2d7eb7c37afd88ee137393818e6438cc64334892f6d6dc60089c540ef5e8c29e7e067fa2e6c

Download Submit
\Windows\SysWOW64\Pndpajgd.exe

Filesize
2.3MB

MD5
c2076e4f65e23b252f5ca171a3e1bda6

SHA1
471fe8506cfc859a276923b63fee5ce039f11aa2

SHA256
b9ec6790a2a06e4b0180de5b7dcbc8c78f6923dfa8c90421dbdaf4c36d8bed00

SHA512
2b830b16a0d61087b2f136b1d3004420d00a2ed7b73ac34b063d8ee2dab0501090bcf1d53b36b826d8cbe252fa77550604eab91adaceb427bfa1eb8b8e9f973e

Download Submit
memory/448-253-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/448-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-264-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/780-263-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/860-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-232-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1000-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-231-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1508-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1508-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1628-242-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1628-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-243-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1776-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-190-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1940-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-191-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2112-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-220-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2288-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-221-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2424-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-209-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2424-210-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2472-41-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2472-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-70-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2620-71-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2704-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-26-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2872-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-61-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2872-60-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2872-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads