berbew | 862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
Size

96KB
MD5

f90864360c3fffc00d89bb3e6f0d4410
SHA1

3f8d4d8d6fc194f0fa88094cf7fe0ab46cd4af53
SHA256

862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30
SHA512

2afcc93cef188861b684520fa4c81d5867857cd4215c9df165b0ddcc3eb081776bf41c806d45a65fda37c943ce314edb107e6dbcb1517f8d87d7f74fd14c2d0e
SSDEEP

1536:qSI0Wv67fAI/ElfUWctVTrSOzzG4PEMdbqSf/BOm+jCMy0QiLiizHNQNdq:qh6VEenuOz/PEOnf5Om+jCMyELiAHONM

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enlcahgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enlcahgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fglnkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqfojblo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 23 IoCs

pid	Process
3780	Ekngemhd.exe
3088	Enlcahgh.exe
3440	Edfknb32.exe
4800	Ekqckmfb.exe
1968	Eqmlccdi.exe
1244	Fkcpql32.exe
1032	Famhmfkl.exe
3236	Fgiaemic.exe
2408	Fboecfii.exe
3032	Fglnkm32.exe
4956	Fkgillpj.exe
844	Fnffhgon.exe
1108	Fqdbdbna.exe
3776	Fgnjqm32.exe
1252	Fjmfmh32.exe
1332	Fbdnne32.exe
4412	Fqfojblo.exe
4424	Fdbkja32.exe
2972	Fgqgfl32.exe
4816	Fjocbhbo.exe
2684	Fnjocf32.exe
2288	Fbfkceca.exe
3572	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Enlcahgh.exe	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Aehojk32.dll	Enlcahgh.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	Fqfojblo.exe
File opened for modification	C:\Windows\SysWOW64\Fglnkm32.exe	Fboecfii.exe
File created	C:\Windows\SysWOW64\Fdbkja32.exe	Fqfojblo.exe
File opened for modification	C:\Windows\SysWOW64\Ekngemhd.exe	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
File created	C:\Windows\SysWOW64\Fohoiloe.dll	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Gajlgpic.dll	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Mfikmmob.dll	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Ekqckmfb.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Klfhhpnk.dll	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Ldicpljn.dll	Fbdnne32.exe
File created	C:\Windows\SysWOW64\Hmcipf32.dll	Fqfojblo.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Fjinnekj.dll	Fglnkm32.exe
File opened for modification	C:\Windows\SysWOW64\Fqdbdbna.exe	Fnffhgon.exe
File opened for modification	C:\Windows\SysWOW64\Fqfojblo.exe	Fbdnne32.exe
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Fbdnne32.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Fgiaemic.exe	Famhmfkl.exe
File opened for modification	C:\Windows\SysWOW64\Fboecfii.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fglnkm32.exe
File created	C:\Windows\SysWOW64\Mkhpmopi.dll	Fdbkja32.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Edfknb32.exe	Enlcahgh.exe
File created	C:\Windows\SysWOW64\Fkcpql32.exe	Eqmlccdi.exe
File opened for modification	C:\Windows\SysWOW64\Fnffhgon.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Nnimkcjf.dll	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Fqdbdbna.exe	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Fnjocf32.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Famhmfkl.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Glkkmjeh.dll	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Fhgmqghl.dll	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Fpiedd32.dll	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File opened for modification	C:\Windows\SysWOW64\Fjmfmh32.exe	Fgnjqm32.exe
File opened for modification	C:\Windows\SysWOW64\Fbdnne32.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Gokfdpdo.dll	Fboecfii.exe
File created	C:\Windows\SysWOW64\Ojimfh32.dll	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Odanidih.dll	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Eqmlccdi.exe	Ekqckmfb.exe
File opened for modification	C:\Windows\SysWOW64\Eqmlccdi.exe	Ekqckmfb.exe
File opened for modification	C:\Windows\SysWOW64\Famhmfkl.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Fboecfii.exe	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Fkgillpj.exe	Fglnkm32.exe
File created	C:\Windows\SysWOW64\Fnffhgon.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Ekngemhd.exe	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
File opened for modification	C:\Windows\SysWOW64\Ekqckmfb.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fbfkceca.exe
File opened for modification	C:\Windows\SysWOW64\Fkcpql32.exe	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Fgqgfl32.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Adbofa32.dll	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Fgnjqm32.exe	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Fglnkm32.exe	Fboecfii.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Enlcahgh.exe
File created	C:\Windows\SysWOW64\Eclhcj32.dll	Edfknb32.exe
File created	C:\Windows\SysWOW64\Fqfojblo.exe	Fbdnne32.exe
File created	C:\Windows\SysWOW64\Kamonn32.dll	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fqdbdbna.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8	3572	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famhmfkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fglnkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkcpql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbdnne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enlcahgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edfknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fboecfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclhcj32.dll"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfikmmob.dll"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gihfoi32.dll"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojimfh32.dll"	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmqghl.dll"	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehojk32.dll"	Enlcahgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odanidih.dll"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokfdpdo.dll"	Fboecfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbofa32.dll"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfhhpnk.dll"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll"	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlgpic.dll"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Famhmfkl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 3780	872	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe	89
PID 872 wrote to memory of 3780	872	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe	89
PID 872 wrote to memory of 3780	872	862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe	89
PID 3780 wrote to memory of 3088	3780	Ekngemhd.exe	90
PID 3780 wrote to memory of 3088	3780	Ekngemhd.exe	90
PID 3780 wrote to memory of 3088	3780	Ekngemhd.exe	90
PID 3088 wrote to memory of 3440	3088	Enlcahgh.exe	91
PID 3088 wrote to memory of 3440	3088	Enlcahgh.exe	91
PID 3088 wrote to memory of 3440	3088	Enlcahgh.exe	91
PID 3440 wrote to memory of 4800	3440	Edfknb32.exe	92
PID 3440 wrote to memory of 4800	3440	Edfknb32.exe	92
PID 3440 wrote to memory of 4800	3440	Edfknb32.exe	92
PID 4800 wrote to memory of 1968	4800	Ekqckmfb.exe	93
PID 4800 wrote to memory of 1968	4800	Ekqckmfb.exe	93
PID 4800 wrote to memory of 1968	4800	Ekqckmfb.exe	93
PID 1968 wrote to memory of 1244	1968	Eqmlccdi.exe	94
PID 1968 wrote to memory of 1244	1968	Eqmlccdi.exe	94
PID 1968 wrote to memory of 1244	1968	Eqmlccdi.exe	94
PID 1244 wrote to memory of 1032	1244	Fkcpql32.exe	95
PID 1244 wrote to memory of 1032	1244	Fkcpql32.exe	95
PID 1244 wrote to memory of 1032	1244	Fkcpql32.exe	95
PID 1032 wrote to memory of 3236	1032	Famhmfkl.exe	96
PID 1032 wrote to memory of 3236	1032	Famhmfkl.exe	96
PID 1032 wrote to memory of 3236	1032	Famhmfkl.exe	96
PID 3236 wrote to memory of 2408	3236	Fgiaemic.exe	97
PID 3236 wrote to memory of 2408	3236	Fgiaemic.exe	97
PID 3236 wrote to memory of 2408	3236	Fgiaemic.exe	97
PID 2408 wrote to memory of 3032	2408	Fboecfii.exe	98
PID 2408 wrote to memory of 3032	2408	Fboecfii.exe	98
PID 2408 wrote to memory of 3032	2408	Fboecfii.exe	98
PID 3032 wrote to memory of 4956	3032	Fglnkm32.exe	99
PID 3032 wrote to memory of 4956	3032	Fglnkm32.exe	99
PID 3032 wrote to memory of 4956	3032	Fglnkm32.exe	99
PID 4956 wrote to memory of 844	4956	Fkgillpj.exe	100
PID 4956 wrote to memory of 844	4956	Fkgillpj.exe	100
PID 4956 wrote to memory of 844	4956	Fkgillpj.exe	100
PID 844 wrote to memory of 1108	844	Fnffhgon.exe	101
PID 844 wrote to memory of 1108	844	Fnffhgon.exe	101
PID 844 wrote to memory of 1108	844	Fnffhgon.exe	101
PID 1108 wrote to memory of 3776	1108	Fqdbdbna.exe	102
PID 1108 wrote to memory of 3776	1108	Fqdbdbna.exe	102
PID 1108 wrote to memory of 3776	1108	Fqdbdbna.exe	102
PID 3776 wrote to memory of 1252	3776	Fgnjqm32.exe	103
PID 3776 wrote to memory of 1252	3776	Fgnjqm32.exe	103
PID 3776 wrote to memory of 1252	3776	Fgnjqm32.exe	103
PID 1252 wrote to memory of 1332	1252	Fjmfmh32.exe	104
PID 1252 wrote to memory of 1332	1252	Fjmfmh32.exe	104
PID 1252 wrote to memory of 1332	1252	Fjmfmh32.exe	104
PID 1332 wrote to memory of 4412	1332	Fbdnne32.exe	105
PID 1332 wrote to memory of 4412	1332	Fbdnne32.exe	105
PID 1332 wrote to memory of 4412	1332	Fbdnne32.exe	105
PID 4412 wrote to memory of 4424	4412	Fqfojblo.exe	106
PID 4412 wrote to memory of 4424	4412	Fqfojblo.exe	106
PID 4412 wrote to memory of 4424	4412	Fqfojblo.exe	106
PID 4424 wrote to memory of 2972	4424	Fdbkja32.exe	107
PID 4424 wrote to memory of 2972	4424	Fdbkja32.exe	107
PID 4424 wrote to memory of 2972	4424	Fdbkja32.exe	107
PID 2972 wrote to memory of 4816	2972	Fgqgfl32.exe	108
PID 2972 wrote to memory of 4816	2972	Fgqgfl32.exe	108
PID 2972 wrote to memory of 4816	2972	Fgqgfl32.exe	108
PID 4816 wrote to memory of 2684	4816	Fjocbhbo.exe	109
PID 4816 wrote to memory of 2684	4816	Fjocbhbo.exe	109
PID 4816 wrote to memory of 2684	4816	Fjocbhbo.exe	109
PID 2684 wrote to memory of 2288	2684	Fnjocf32.exe	110

C:\Users\Admin\AppData\Local\Temp\862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe
"C:\Users\Admin\AppData\Local\Temp\862d3e6fcbe924b993f42ad7b073379b456b2da8487ceace28561d93d75edb30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\Ekngemhd.exe
  C:\Windows\system32\Ekngemhd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\Enlcahgh.exe
    C:\Windows\system32\Enlcahgh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\SysWOW64\Edfknb32.exe
      C:\Windows\system32\Edfknb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
      - C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 412
        25⤵
        Program crash
        
        PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3572 -ip 3572
1⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
1⤵
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Edfknb32.exe

Filesize
96KB

MD5
305fa6b1ad61f38b1c1017c3633c84e4

SHA1
dc9d4c3a3a8bf36945ce645718dc8c42968275c5

SHA256
1a6ce36d1b5a7603e75d8e432f5d7449abecb8a56f692338b7d7eb45f0f8d68f

SHA512
7c8532fbffa543ce4a6bf488b75d1796990aec10b6dd35d694371bb19f6109ea266d0f82697fe62eb3802f36e49d5555cd26eb0d721e18ba0673cad0e28ba1b7

Download Submit
C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
96KB

MD5
a55036527834a56aecb7798c65863c6a

SHA1
542cd06136b93922bce87ad8026d661e039abfdc

SHA256
69968d0c9e524a9ce04a82f4232249e2a1babead6495e713c4e83c4156bb27c3

SHA512
2530322286f9699c9bac63334989598ff7ff2ec0dc6496ca2346b03c714cc9f6bf7e2809aefe067dddef8bb7714080b18d7df9154045185cfe031cf6c00b95c8

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe

Filesize
96KB

MD5
6d4bcb8ec0152a790eb31aae83982c5d

SHA1
303da5f16f2997fa6bfe8381e87e09ae7d6f2370

SHA256
062c4982eb5d474a8f3e47c879d653d5d2d3fb9ae665ab48a1ff10dbedc01e80

SHA512
54407d7d27e368545f46c1f99e7e77fca9ba38f82a424cd3216b6e1bdb8cd0d35e38948d86968fc4f8c198c645b23c52fcd26e432a83cddc8368993863a76ff4

Download Submit
C:\Windows\SysWOW64\Enlcahgh.exe

Filesize
96KB

MD5
46a634a56ad0048f159488cfe554fd6c

SHA1
b6597d70eeedd89b05be80e362805c785302670f

SHA256
a4c19b9b0dece177c26113684ec0be4e5b77ba1b157bd7e33daadac6c092f879

SHA512
bfad32fb0af8f9418b4a8f6f2c19759b63aca7ddd2fcf0d5a5e13e5f294aac66d700d48ebd7ba833894ef0c18d50fdd342fd7b47b5dbd6f9d74273b0b44a5c32

Download Submit
C:\Windows\SysWOW64\Eqmlccdi.exe

Filesize
96KB

MD5
b8e53d2f68288aef7d99b93c452a0ead

SHA1
a386c16abcf47e8437373d65630a1d1c57d367fc

SHA256
72e3bae5fc08ff543c1bb43da8cc81f022c9f6e51e4fedeec508fbb3328af00f

SHA512
990f445f3b9f5dd45c6f2f6ef182e33bb4226a475ea5acc450c05d123e6ba99892d2cd6109be1de8bd647b1d47e16c386d0013f09f608116199d6bb321b04961

Download Submit
C:\Windows\SysWOW64\Famhmfkl.exe

Filesize
96KB

MD5
f3756f25894bac7cab9529ef3ed61e63

SHA1
dedd5d408217c01e34b9b6ab431d1166d920ac29

SHA256
facc74174c7be403c547bb0f19007c9469d5af7c942833f98d0895e09d45fa5d

SHA512
ae6c924b1087f6a8c24233708473ecff22ab8e9d670a750efd136c687924678c6d8889ae3f31846ccaacc1aa75a0f374116dfa7e9a33f4aa5cf8d2ff311ba014

Download Submit
C:\Windows\SysWOW64\Fbdnne32.exe

Filesize
96KB

MD5
e8a5cd404ece1bbb0f1592bfd1ec3488

SHA1
92a54ac2fa9d17d70a10ffcf14ccd2fda7f5d59f

SHA256
7f1bea611786a630d3d23e6702b3774eaceb2070985bdb7338ee5823df1ed828

SHA512
c485f195ce7c4e1ac7c3606bec520ff3a2652913d86a0111436ffeba4e70d21407248ac34f2e59f442cf83393db958addcb94669cde2f98f459d4193c594597b

Download Submit
C:\Windows\SysWOW64\Fbfkceca.exe

Filesize
96KB

MD5
59f2743f790390134f0d7bb4a764f180

SHA1
3b8c5108286113c163c119b254da6f59503c818d

SHA256
0645fb0eaf7328d905438be2c6eb6096c4bb5a37e9cd0a427fd4ffac2b9bde47

SHA512
77d739b2b7bd0352cee4770493ccbdf4c6658a33200de94370b6d5162bfd90087aeef17a623b33659ac7210a03951238d544bc0a6e0bd1cf75d109272f3485a0

Download Submit
C:\Windows\SysWOW64\Fboecfii.exe

Filesize
96KB

MD5
454f94c774f4d18046c6c1101e34f13f

SHA1
458fbe4ae918f67ea373c891f27ec5a5c66cc777

SHA256
a5f167a18ce38f1af655271082c14196260082b1da61666d343a5713cc28075e

SHA512
76b42e9a32862833a69100486d18e269672066d0481c47fae108dccb1d5ff5fbe04fbfed5b36e0ab7f349d4a8be3d56b9fc19df230f3316974310c9ead87181b

Download Submit
C:\Windows\SysWOW64\Fdbkja32.exe

Filesize
96KB

MD5
9ecf9bf591753a96db3c12141588d8fa

SHA1
8af5fd8ab4b9c09a59851de5038ee23a6200cf7b

SHA256
4b25f2985bb9017fb8524efbc3ee466a144c0cc91f7c6ccf92e13e4b5bc1fa52

SHA512
ffb437d257e45488090eb12f33bd875d5011dd5c4712f4bdf7a441406ca17c3a02cf3174afb7c8fe1bccd74a473dda53c696843f80c67eacff4277f1de565a2b

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
96KB

MD5
771d2105f8209994540e4ad439a6b683

SHA1
e7bac7e41b81a35da6a062db2b2ddfcf86e637ec

SHA256
7517ed0f7755e0385f96cb29cfad918ae2235ea8ee1ffcf0482deec32deea7d6

SHA512
033ce22ad2aa89f496321fd5235ab1a20757c357762849a8e799c250dffd75c306ac7b89e30640b2d3b6216b00f71abc2f5da744152508ec2f5081d53a33b29b

Download Submit
C:\Windows\SysWOW64\Fglnkm32.exe

Filesize
96KB

MD5
0a2c9bfa70f6cf7f240069d897656c92

SHA1
08c6122998dcb106532d48db6e58726d064d6aae

SHA256
ba75757373eae20f3800b94cce919ac4905686b88f6c727995b76a4795496267

SHA512
b7b17c19921ca3bb9af22a04ec5c9bbea641cfed8133837849e17e3ba4fd1853e8a19a02912fe040964120d1a188baf6f8eb448d87e913878bb9c3186f16a44f

Download Submit
C:\Windows\SysWOW64\Fgnjqm32.exe

Filesize
96KB

MD5
266b4cfff616daebd3625d86a3a71b03

SHA1
9cbbff0eb669f3d1686bf1cf82a3c84ce9ad1442

SHA256
0fd629336d18c59b166e6e4743e567a8c645d39e116a772a4a2c27a11d5f0f1c

SHA512
bcc87df8e9421bf717ea83b9c0f93eb6ca91871504557ee1e7fcb1825d973b10a3e2626ad1414c73319113e77380b52517d40353478b80e75aaeaf21cbf47cfe

Download Submit
C:\Windows\SysWOW64\Fgqgfl32.exe

Filesize
96KB

MD5
a18555eb07673b6a8507ec76c3c485b8

SHA1
9c71f13015d26029b376e5bbf9e7b1a7cac66580

SHA256
d81beed0d34e37e95224b7796c233ad9a4b172749cafa3200841eceb7644018b

SHA512
7663187374773eca158cdf2b787ab59ef8669f97ca73a00217d3be698a78c289006573ce48129036fb61f581b434aa46f42b7d291aa47051d121534452afcf83

Download Submit
C:\Windows\SysWOW64\Fjmfmh32.exe

Filesize
96KB

MD5
7d77edac4c6cfa6401dadf350ba0daf1

SHA1
a2a13ee859edfcb7f3f26ff1f5bc4e3c93672f48

SHA256
85f462666aed5fa7464000cc51bfdc910e6e595b11c65b2de18e1144155f5b2f

SHA512
3dcaee5dc9a6780d210c2b161aa047858b3d6425a96be48f887d843b6edda09ea1f61bf3c3c28fda5b5f8db15e28e04953d3c534e414de5bfdc350d4c4abb66c

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
96KB

MD5
ed8fa52b57420b9daafeecc303e07303

SHA1
2e91a9d048a669b1c707d088bb9dfea07c1c548f

SHA256
3d016717a18337db77924a324b890978ad0933160b8927f69f60702cc2c46da7

SHA512
2ad899f7f040b446c19f1f2b800b360a77e45898df3288e34b73d26bbedc2f4ff742e94b9a4491f0b34111cd3fa0a9682ff80b1c987ac7f9c82a7d52cf1513aa

Download Submit
C:\Windows\SysWOW64\Fkcpql32.exe

Filesize
96KB

MD5
437757ad3442f47bb1044fb92e160467

SHA1
9a63a35ad2348354ad6a70a9e03201303289d4c5

SHA256
d98d4bac7ef9a98889f79252f36bfaabd7586571d9fe400d52335dac3acc4172

SHA512
ea3ea218f5f9105edd0f5f6d19911fff9cf9f74237466b92455b2703bdcd67fd5c176585bf92418c4267c60f41ad924e3b58ae888cb283310d8831ace817d94b

Download Submit
C:\Windows\SysWOW64\Fkgillpj.exe

Filesize
96KB

MD5
81400aca74359d5b55f99d76a0b2169a

SHA1
49b87bf9775913accbfa72a33cd03b5fb421987e

SHA256
62fdf292526d178927fdda04dcadd02baf25abd9fc6e1cd44e847253556bb3dd

SHA512
28b25199f1605392517b87c1f44009c73261d551a5ae10eeeb26b691e30ff532558861a195f656329eb568f72bd17b5ff36d6760ede2a47564a9c41d2aaee018

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
96KB

MD5
fb3db1a2656fabc477dbc3fe0705f7d1

SHA1
e3e427918004cefde1d3729c2b5f94789bea6e0d

SHA256
6f059b9f5cf1d4ccda974c1c73306bfa02932ce740ef3551a38de492c56a1fae

SHA512
b24a8ea25d342ab707e2bcf1137e2090191519300898541c2c6d3fd085f3b5433a31d0ecafb5ccb6c603599d64371af7e2b310c3c14fa31b97f3dca6b9785111

Download Submit
C:\Windows\SysWOW64\Fnjocf32.exe

Filesize
96KB

MD5
9de18703c93fe230e9bb5deaebd34805

SHA1
3d0c5caf07b1a0392230fc81ebfae21daff85c8f

SHA256
1e116a9299537d3441cb2d16b3c47e13120535cd0c59020774e748605b6a4ec7

SHA512
ded7551bb6e8bda658586a9fbceb8739d85a2f4e359cbabcef1cf0587185d1df40ee53de702358a85b85a3a114b7fe04a0d8a07d86defac46783c3a7f9a0de0c

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
96KB

MD5
787b3a86480669bf0ed19edde141e668

SHA1
890ef4095013a2ddf92c2b0f916f4bfb62c3c377

SHA256
b5405eafbe656bbc726c627612974beab93c6c03f312ec3b74a561b4dc2f677a

SHA512
132dd207456d4e5aa1fd473ed54e57d106cccb85e010124e9c0eca303c5d080b835df87b3333fe7d8fecfefb875af061fdfb929eb7c3a4d45f949f9fd2694774

Download Submit
C:\Windows\SysWOW64\Fqfojblo.exe

Filesize
96KB

MD5
c158529d30eae0dfa0d8a59a12962df2

SHA1
72745f1ae0e12f635fb016de8b2f3f8ed90257c5

SHA256
2d50a788ccc5aec99cce08fb7403fcf587a80fba8052d15b57f2fcf0783c90ca

SHA512
cb786e0cdf2fb312fbc391b1ef3d5b5e8ae169dbf0d25d1bee3901abce62835d14aad52fbf6d57e9609ae66b2801e8244328bf02d4bd1ebc2011ec23f5479fb8

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
96KB

MD5
abc9f2248f954b21ef96832c8c0f3b97

SHA1
e592d96311e46e18f4c0ce3b4b7f560bd7c540bf

SHA256
70a330ed2cdcc87a9a07341a9f642190c9dafe405a6baba4c509e1f390e10351

SHA512
3e887512102ed1e3335c27956da2938f207a1cb89a1efdb84439717712bf97f11c3429102d1f64a09e8a97b75af7e58e3815f675fca2a32c64da2d464d9208f0

Download Submit
C:\Windows\SysWOW64\Ojimfh32.dll

Filesize
7KB

MD5
1909df775b4cafbc71ca1702bcdd2cda

SHA1
e0f06518529885261762c2734d0968fa4bb3faf1

SHA256
567d6d5f9253ec435970283e6072012e8d38d8186772369cd7e280c12d227587

SHA512
c94dd324bce8d0dc2720385d75629167cde362ddf7a6fd4d9e94b2ba7cde84e40b3e78413a81b2fde1ce1d12b88e876ff836dc8ca1211d669a8d2d1044a76891

Download Submit
memory/844-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/872-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/872-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1032-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1032-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1108-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1108-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1244-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1244-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1252-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2288-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2408-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2408-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2684-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-186-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3032-194-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3032-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3088-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3088-102-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3236-195-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3236-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3440-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3440-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3572-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3776-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3780-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3780-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4412-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-185-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4956-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4956-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads