berbew | a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cb

Analysis

max time kernel
83s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
Size

790KB
MD5

bed08e50e7e1920a89f38ca85fb14f90
SHA1

19108bd16afacc4f6bae141c922d75195cb62079
SHA256

a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cb
SHA512

a579856cc13cb58d193bef50ee1feea958119764e54e40a8ac9b3d8b289303eaa594d2c47952c383ca2d639c5628820d19027185eac29ab50376dc754cf976c7
SSDEEP

12288:o0G2Aq/FB24lwR4P87g7/VycgE81lgxaa79y:7LAq/PqoIlg17o

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phlclgfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofkha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phlclgfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 19 IoCs

pid	Process
1440	Phlclgfc.exe
2836	Pofkha32.exe
2740	Pkaehb32.exe
2664	Pghfnc32.exe
2560	Qeppdo32.exe
2588	Accqnc32.exe
2988	Afffenbp.exe
576	Alqnah32.exe
1920	Bccmmf32.exe
2336	Bmlael32.exe
1628	Bmbgfkje.exe
2416	Cfkloq32.exe
2220	Cgoelh32.exe
2088	Cgaaah32.exe
2376	Cegoqlof.exe
1344	Cgfkmgnj.exe
1292	Djdgic32.exe
2492	Dmbcen32.exe
1304	Dpapaj32.exe

Loads dropped DLL 38 IoCs

pid	Process
2016	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
2016	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
1440	Phlclgfc.exe
1440	Phlclgfc.exe
2836	Pofkha32.exe
2836	Pofkha32.exe
2740	Pkaehb32.exe
2740	Pkaehb32.exe
2664	Pghfnc32.exe
2664	Pghfnc32.exe
2560	Qeppdo32.exe
2560	Qeppdo32.exe
2588	Accqnc32.exe
2588	Accqnc32.exe
2988	Afffenbp.exe
2988	Afffenbp.exe
576	Alqnah32.exe
576	Alqnah32.exe
1920	Bccmmf32.exe
1920	Bccmmf32.exe
2336	Bmlael32.exe
2336	Bmlael32.exe
1628	Bmbgfkje.exe
1628	Bmbgfkje.exe
2416	Cfkloq32.exe
2416	Cfkloq32.exe
2220	Cgoelh32.exe
2220	Cgoelh32.exe
2088	Cgaaah32.exe
2088	Cgaaah32.exe
2376	Cegoqlof.exe
2376	Cegoqlof.exe
1344	Cgfkmgnj.exe
1344	Cgfkmgnj.exe
1292	Djdgic32.exe
1292	Djdgic32.exe
2492	Dmbcen32.exe
2492	Dmbcen32.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ljamki32.dll	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Afffenbp.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Pkaehb32.exe	Pofkha32.exe
File created	C:\Windows\SysWOW64\Qeppdo32.exe	Pghfnc32.exe
File opened for modification	C:\Windows\SysWOW64\Accqnc32.exe	Qeppdo32.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Afffenbp.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Alqnah32.exe
File opened for modification	C:\Windows\SysWOW64\Phlclgfc.exe	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
File opened for modification	C:\Windows\SysWOW64\Pkaehb32.exe	Pofkha32.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Obecdjcn.dll	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Afffenbp.exe	Accqnc32.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Accqnc32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Pghfnc32.exe	Pkaehb32.exe
File opened for modification	C:\Windows\SysWOW64\Pghfnc32.exe	Pkaehb32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Alqnah32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Oqlecd32.dll	Phlclgfc.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Accqnc32.exe	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Phlclgfc.exe	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
File created	C:\Windows\SysWOW64\Pofkha32.exe	Phlclgfc.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bmlael32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Pofkha32.exe	Phlclgfc.exe
File created	C:\Windows\SysWOW64\Fdakoaln.dll	Pofkha32.exe
File created	C:\Windows\SysWOW64\Alqnah32.exe	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Leblqb32.dll	Pkaehb32.exe
File opened for modification	C:\Windows\SysWOW64\Qeppdo32.exe	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Hcopgk32.dll	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Pkdhln32.dll	Accqnc32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Edggmg32.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofkha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phlclgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Edggmg32.¾ll"	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlecd32.dll"	Phlclgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obecdjcn.dll"	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phlclgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakoaln.dll"	Pofkha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phlclgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll"	Afffenbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll"	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pofkha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pghfnc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1440	2016	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe	31
PID 2016 wrote to memory of 1440	2016	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe	31
PID 2016 wrote to memory of 1440	2016	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe	31
PID 2016 wrote to memory of 1440	2016	a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe	31
PID 1440 wrote to memory of 2836	1440	Phlclgfc.exe	32
PID 1440 wrote to memory of 2836	1440	Phlclgfc.exe	32
PID 1440 wrote to memory of 2836	1440	Phlclgfc.exe	32
PID 1440 wrote to memory of 2836	1440	Phlclgfc.exe	32
PID 2836 wrote to memory of 2740	2836	Pofkha32.exe	33
PID 2836 wrote to memory of 2740	2836	Pofkha32.exe	33
PID 2836 wrote to memory of 2740	2836	Pofkha32.exe	33
PID 2836 wrote to memory of 2740	2836	Pofkha32.exe	33
PID 2740 wrote to memory of 2664	2740	Pkaehb32.exe	34
PID 2740 wrote to memory of 2664	2740	Pkaehb32.exe	34
PID 2740 wrote to memory of 2664	2740	Pkaehb32.exe	34
PID 2740 wrote to memory of 2664	2740	Pkaehb32.exe	34
PID 2664 wrote to memory of 2560	2664	Pghfnc32.exe	35
PID 2664 wrote to memory of 2560	2664	Pghfnc32.exe	35
PID 2664 wrote to memory of 2560	2664	Pghfnc32.exe	35
PID 2664 wrote to memory of 2560	2664	Pghfnc32.exe	35
PID 2560 wrote to memory of 2588	2560	Qeppdo32.exe	36
PID 2560 wrote to memory of 2588	2560	Qeppdo32.exe	36
PID 2560 wrote to memory of 2588	2560	Qeppdo32.exe	36
PID 2560 wrote to memory of 2588	2560	Qeppdo32.exe	36
PID 2588 wrote to memory of 2988	2588	Accqnc32.exe	37
PID 2588 wrote to memory of 2988	2588	Accqnc32.exe	37
PID 2588 wrote to memory of 2988	2588	Accqnc32.exe	37
PID 2588 wrote to memory of 2988	2588	Accqnc32.exe	37
PID 2988 wrote to memory of 576	2988	Afffenbp.exe	38
PID 2988 wrote to memory of 576	2988	Afffenbp.exe	38
PID 2988 wrote to memory of 576	2988	Afffenbp.exe	38
PID 2988 wrote to memory of 576	2988	Afffenbp.exe	38
PID 576 wrote to memory of 1920	576	Alqnah32.exe	39
PID 576 wrote to memory of 1920	576	Alqnah32.exe	39
PID 576 wrote to memory of 1920	576	Alqnah32.exe	39
PID 576 wrote to memory of 1920	576	Alqnah32.exe	39
PID 1920 wrote to memory of 2336	1920	Bccmmf32.exe	40
PID 1920 wrote to memory of 2336	1920	Bccmmf32.exe	40
PID 1920 wrote to memory of 2336	1920	Bccmmf32.exe	40
PID 1920 wrote to memory of 2336	1920	Bccmmf32.exe	40
PID 2336 wrote to memory of 1628	2336	Bmlael32.exe	41
PID 2336 wrote to memory of 1628	2336	Bmlael32.exe	41
PID 2336 wrote to memory of 1628	2336	Bmlael32.exe	41
PID 2336 wrote to memory of 1628	2336	Bmlael32.exe	41
PID 1628 wrote to memory of 2416	1628	Bmbgfkje.exe	42
PID 1628 wrote to memory of 2416	1628	Bmbgfkje.exe	42
PID 1628 wrote to memory of 2416	1628	Bmbgfkje.exe	42
PID 1628 wrote to memory of 2416	1628	Bmbgfkje.exe	42
PID 2416 wrote to memory of 2220	2416	Cfkloq32.exe	43
PID 2416 wrote to memory of 2220	2416	Cfkloq32.exe	43
PID 2416 wrote to memory of 2220	2416	Cfkloq32.exe	43
PID 2416 wrote to memory of 2220	2416	Cfkloq32.exe	43
PID 2220 wrote to memory of 2088	2220	Cgoelh32.exe	44
PID 2220 wrote to memory of 2088	2220	Cgoelh32.exe	44
PID 2220 wrote to memory of 2088	2220	Cgoelh32.exe	44
PID 2220 wrote to memory of 2088	2220	Cgoelh32.exe	44
PID 2088 wrote to memory of 2376	2088	Cgaaah32.exe	45
PID 2088 wrote to memory of 2376	2088	Cgaaah32.exe	45
PID 2088 wrote to memory of 2376	2088	Cgaaah32.exe	45
PID 2088 wrote to memory of 2376	2088	Cgaaah32.exe	45
PID 2376 wrote to memory of 1344	2376	Cegoqlof.exe	46
PID 2376 wrote to memory of 1344	2376	Cegoqlof.exe	46
PID 2376 wrote to memory of 1344	2376	Cegoqlof.exe	46
PID 2376 wrote to memory of 1344	2376	Cegoqlof.exe	46

C:\Users\Admin\AppData\Local\Temp\a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe
"C:\Users\Admin\AppData\Local\Temp\a35ff313187c380ac87e130c578b2b525334b8b2000cfb51e2d347e5175457cbN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\Phlclgfc.exe
  C:\Windows\system32\Phlclgfc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\Pofkha32.exe
    C:\Windows\system32\Pofkha32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\Pkaehb32.exe
      C:\Windows\system32\Pkaehb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Alqnah32.exe

Filesize
790KB

MD5
0761e8d9a8ae5a3ff14d68191232f695

SHA1
ac2eebc3280924ef22ab0cb47c9d93206873b8f0

SHA256
d7f96a8374f4ce19f78062e9ea54af7feb1a8ec1a5a2f3877de9c738cdc8a6eb

SHA512
5ee79be75b1722e54e499804d817730fc8c7293f88e74d922c96072da18a553e9d1e919fcbfbf03da2952e0baeddfdbfd2033bae626899a27cbdebb92c585fc7

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
790KB

MD5
961532d3e21d2f14e743c62e83fcdffd

SHA1
50bfd61b386613bd552baaa7a97e343e3ab1543d

SHA256
5162845dd2c3df141543b0c48944bc03fa150ea3f72e71ac87fd89d6039ece49

SHA512
a06af2dc7aa9c80619cd7de8f7653a6e4c7889502c3b160391b716d00cfc979f79cdf046488fcffd63571c00e7846ebd384c4cc0ec5f5c57fdcdbfd8e2431622

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
790KB

MD5
4106d5735c67b1834d13e8c94dc860ee

SHA1
a3522d2a848e470ea3cd9aa8171a1d713df04ed3

SHA256
b8aa7f044d1866afa53ac8d4221426acb2ef4e9c8ff388ed9de6850355cb775d

SHA512
e579d459c309db407c756e314b6b1b35c03068476bc1ef51ffc2bd171f7453d33c94873a0281de78ea770754b96d6641a8fd4c35fae0e969f97a6aec522ba1bc

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
790KB

MD5
c2c1afe50bcea63d19857d9bed137b86

SHA1
db9e9ba2d847ef0458a7d92d0585899d415b2c5f

SHA256
4ed8768b69988757533e91e7c52c1dd343825b1c085ef377205e3e5f301db778

SHA512
d355cd279e1e0458a28b40891afbeb6a1c4ea042b6e3a56786603b0b40ab7b7aaabc5e0b1c84e957e61b40c68b70374408a489bebc5ef5a8ee7603424ba97cd0

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
790KB

MD5
585b211409599a71a0664bf60d3e455d

SHA1
4d5e35ab629212c20e652e5915a7679593dd129b

SHA256
68c8f148b7d6dd9d52af69de04bc17b352b2788b26f91f6bcfc773003f483240

SHA512
0d333ac44a86b4150616818ffac1c1a43dc14b9a5da9901f783f3e4dfa850c47b7ad124c52deea352a581136b38af805149e2f6090c841862a26651507c05679

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
790KB

MD5
3f985c796f966a9c7e80e6a0feebd008

SHA1
cb540b74d435c82cddf8c01f73275e86eb2bb91f

SHA256
c967767a9c5ce932b96d3cd76a97fc0d1463329b674de65ebdd0af8c32d1abe3

SHA512
762f08637a3e55b7ed143ba47a762ef58a9d640146f11234085414061aff6cb6781caf440de9296b66371830859773c8b9fd89c377c0cd4f10fc8ce66cc6cdea

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
790KB

MD5
3a3d5af4958be2dc7f089695b237b099

SHA1
f638db1f8fd85d75a26328cb68fd01e21c259162

SHA256
8bfc3bb79fb03eee978e4f98865c1ed7d992cbbfa5158b70ed05190c3cf580a0

SHA512
8857dfe55f6464ebd3cccc28daeb1aaa519b973676f1d3a76394f6d6e07e184bd0bdfdbefc617080e5f55c734479d59b4c2148e226db7f64d56b06ee2bc3680f

Download Submit
C:\Windows\SysWOW64\Ljamki32.dll

Filesize
7KB

MD5
8c77d8423d50a7eaf7012ab7c89380bf

SHA1
9ce89e814c32b6a18e7712fe0778e59b56df6725

SHA256
652e8f3b1828e04fccfab7bf49fb525987100bfbf22a0fdd60a9fa1849039023

SHA512
bb167d3e4fe97aac3dd2a1336b452c84cd2235022cd34387d4bb021d1d14ccdc9ede3b773a3f3088753080a8b9e21d347cea9f78f80b6b8f3ede191413a8b278

Download Submit
C:\Windows\SysWOW64\Pghfnc32.exe

Filesize
790KB

MD5
fccbbb785b805f194f563158bd823b87

SHA1
4ed805f1d1b9be9a9cc7f6aadda6c98b94f1088a

SHA256
abc84bf6c0675bd49a66bab19001012eb8528c1f7ba12c0958847ec34ace3694

SHA512
b293e132f43e983176f87a37f45195e9aa8be1864aa8ce5b6c1397938ab53d0da407888672fe0a826718897c47bbbcad27e40e4b5ff903b8746111dcebb8a817

Download Submit
C:\Windows\SysWOW64\Phlclgfc.exe

Filesize
790KB

MD5
a13d3d3f335f7a035513827e60214900

SHA1
515b3b7e1cca5ca7c300af158793856669442f1f

SHA256
551c67818687d14e1b04eeb513681877586b53be637b07fa6e27f919a735ba74

SHA512
f413d28a46f430d3ae3b82d11c53ddba819a67b6bd5eeee358f766eb7412ea6350740784e651a648989867211de9f7f9c421af1e9113d1ca7044e48fbd9d8b34

Download Submit
C:\Windows\SysWOW64\Pofkha32.exe

Filesize
790KB

MD5
25106e6e20988e69f1b5f7b31a612a3c

SHA1
9f0429a872c2a06abc16e91f9b27ce2cb0239e15

SHA256
6201cababdf0a62b6c364b390ba6aafaae23a188f970a590ce44ee9ee5036601

SHA512
c9d2adb1b45966cd868dfc48ffe02cbd4da6374556548af97c3611fbdeabe57f600e53b81d6f6389a2aee5447f663e7001a30853595242ecd76abdc48a536f98

Download Submit
\Windows\SysWOW64\Accqnc32.exe

Filesize
790KB

MD5
468b6564b4a6664c2f7180cd67dd218c

SHA1
8824813cc8733506c3b10c3fd96dbc03db59d1ba

SHA256
304c919e7c5b69982d17f32a08553e66b370180b991174675a34dc7ccc95634d

SHA512
986213244cb15ad13235166ff522b3f6ea6d3cf0c83a81cf9c6d9f070bdbf63f46f2e55089f1759e58dde28e6741ad02d49d33201cb00932e39b876decb16dab

Download Submit
\Windows\SysWOW64\Afffenbp.exe

Filesize
790KB

MD5
c01b2175f37061e08b84a1798fb102db

SHA1
f98235580ee4843c819b43e478d460b9afa55a3e

SHA256
582b47e8f70e8a118ba16b18d53e4f1e89ed5428c7ee13d606f73f80b247e18f

SHA512
5146bab4e725eb0e893709f901d1356d5cef61d7cf2a1befa24d4744544d74d9a953eb14945d6ecec2e0e6dc232f1cea9d75f8ffc21ddbf476f942f6b4326ae5

Download Submit
\Windows\SysWOW64\Bccmmf32.exe

Filesize
790KB

MD5
8d0eb3303b49527ca689e5e189c7e511

SHA1
1e9a03cf50d9112936ce232d85b2d57666677508

SHA256
8ed27f0dac0fd5e235dab263106fd5496d34dfa684a8b188ea03558c6af37ac8

SHA512
d3f8eb373044b63edde80b238847becb37e1eb82c04b4006dc5d4d6e3e032d5d58044498162ff5e4a6bce7ad9abb6d34fc1b79e3f91d0de832b51bb5b368cf8e

Download Submit
\Windows\SysWOW64\Bmbgfkje.exe

Filesize
790KB

MD5
3d87660e525e5b9d81acb0726f5a0e84

SHA1
1bb3b7c18c2e7efe8ffcd7696e75f88cd04ad713

SHA256
e83aaf2162668b99ddd2cda006ce6738ef4d82c1075c3f76291556d29f62f6da

SHA512
f7946369311b604c760e490d739ad553fafc89967b93b2bb57d7c209d19447fd98908ddb868a998784c48f330e9ab182a8853cb312b7a690fde2762660c59752

Download Submit
\Windows\SysWOW64\Cegoqlof.exe

Filesize
790KB

MD5
2d79d6c29302441cb4cff5443a38fce1

SHA1
94368812f4899dfe0b3e85176747ecc6e61264ca

SHA256
198ee52bedcfaba0481b56cb0fb767b4b34c90ffb5ae2cecb41ccd20f21b4e36

SHA512
df78faf698f9dfcd89ee0854d036f112bad04dd84cd7a913221c3d084712ea9b34840600c7cfb1197cef0e8f08cb54b58b18f7d5fc10c9bc0038b3c4cf59891e

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
790KB

MD5
ffce05f170b3d891def22432aadf924b

SHA1
9e184dd59030b6b8e5a0d53089b5de686dd217c1

SHA256
a36e1e1198c41ad7312b90e4e3ac6637f0aac6898edf06041b4469c267557fcf

SHA512
2c019f776b29710baf75887c7e77f31936061b77d3ccfb515404b2595f53ea64915d2643e45bde0a2e043f64c1766aab8cc4f8315b6a87439e32083243b19944

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
790KB

MD5
39f38c51da0524a6a96b3a5ea253694c

SHA1
891b9d417b2ee0e9f66e8b271619a8319347cf64

SHA256
0f05937bcebe9a064e320ad88f76dd74eeb86e7049274ecd055f27b6c72b8326

SHA512
b02139b43577c3409c2b33556759e7afa19dee227cb752ed6b55c5a48e6d6c39b803d323cd7b5a2a9d6a66860adff3ba91fcaa2d4ae4248fcd3b05bb9edde684

Download Submit
\Windows\SysWOW64\Pkaehb32.exe

Filesize
790KB

MD5
74c8f05a3b09baa786a7679850922fc1

SHA1
67a254b4da0a3be18ee2e7e61fafc2d999caa0b9

SHA256
05ae68ac2e993e5fd88c0beb70894e1ab67fd3bc529de419fd7a57813f690573

SHA512
316df0a9c578f48d2efb3b7d00702d7947df27a16b5bbc501a0649d629c8a0c908f6524e90f66e5577e2784239d59715e7c0757c77fbc95b38e81f492ff6f867

Download Submit
\Windows\SysWOW64\Qeppdo32.exe

Filesize
790KB

MD5
18594ab061cad96bfcd7936d4068e169

SHA1
6a2ae45efbe354a06ffd4496eacadf7db73462f0

SHA256
39d7b9d019fb1c07086997edc1c3fb39da831a7ea0f8a7851ab4186d1caead0a

SHA512
73b06717375d86f52d7356adab83fc874603aad9eab5e357cfb75ac7eeb33c3562b68934389aa0954d381986faceb6fca6d214074f1edf9f3158233d83b2c641

Download Submit
memory/576-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-123-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1292-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-26-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1628-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-161-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1920-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-137-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1920-138-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2016-11-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2016-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2088-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-148-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2376-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-175-0x0000000000490000-0x00000000004C3000-memory.dmp

Filesize
204KB

Download
memory/2492-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-77-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2560-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-95-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2588-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-96-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2664-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-65-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2664-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-54-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/2836-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-35-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2836-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads