berbew | c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18

Analysis

max time kernel
25s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
Size

320KB
MD5

be2a83391a8f06dbd508c6cb974c2ec0
SHA1

2896af3279ea1633e34eb9688a9c2dc49046f028
SHA256

c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18
SHA512

67952d0185d1316fc8ea957d4b449da6be273fdf3997b6ec31c4fa9d2991eb2c805d5d8ee9a5dbb2a4ad320d567238a48de83a0ac1b3242486509315eccf6e2d
SSDEEP

6144:kWBNZLAYCtE07kli0KoCYtw2B0Ddu9szWfx09UBIUbPLwH/lLOUaR/N1I0lO170A:kWmYJ07kE0KoFtw2gu9RxrBIUbPLwH9J

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmhideol.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
2908	Pomfkndo.exe
2780	Piekcd32.exe
2648	Pkdgpo32.exe
2456	Pfikmh32.exe
896	Pkfceo32.exe
548	Qeohnd32.exe
2088	Qodlkm32.exe
2596	Qiladcdh.exe
2932	Abeemhkh.exe
1324	Akmjfn32.exe
2232	Aeenochi.exe
2380	Annbhi32.exe
1524	Agfgqo32.exe
2340	Amcpie32.exe
2208	Abphal32.exe
2120	Amelne32.exe
1436	Abbeflpf.exe
1768	Bmhideol.exe
1052	Bfpnmj32.exe
2524	Cgpjlnhh.exe
1744	Cphndc32.exe
1100	Ceegmj32.exe

Loads dropped DLL 48 IoCs

pid	Process
2624	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
2624	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
2908	Pomfkndo.exe
2908	Pomfkndo.exe
2780	Piekcd32.exe
2780	Piekcd32.exe
2648	Pkdgpo32.exe
2648	Pkdgpo32.exe
2456	Pfikmh32.exe
2456	Pfikmh32.exe
896	Pkfceo32.exe
896	Pkfceo32.exe
548	Qeohnd32.exe
548	Qeohnd32.exe
2088	Qodlkm32.exe
2088	Qodlkm32.exe
2596	Qiladcdh.exe
2596	Qiladcdh.exe
2932	Abeemhkh.exe
2932	Abeemhkh.exe
1324	Akmjfn32.exe
1324	Akmjfn32.exe
2232	Aeenochi.exe
2232	Aeenochi.exe
2380	Annbhi32.exe
2380	Annbhi32.exe
1524	Agfgqo32.exe
1524	Agfgqo32.exe
2340	Amcpie32.exe
2340	Amcpie32.exe
2208	Abphal32.exe
2208	Abphal32.exe
2120	Amelne32.exe
2120	Amelne32.exe
1436	Abbeflpf.exe
1436	Abbeflpf.exe
1768	Bmhideol.exe
1768	Bmhideol.exe
1052	Bfpnmj32.exe
1052	Bfpnmj32.exe
2524	Cgpjlnhh.exe
2524	Cgpjlnhh.exe
1744	Cphndc32.exe
1744	Cphndc32.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Annbhi32.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qiladcdh.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Abphal32.exe
File opened for modification	C:\Windows\SysWOW64\Amelne32.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Pomfkndo.exe	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Eioojl32.dll	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Lfobiqka.dll	Amcpie32.exe
File created	C:\Windows\SysWOW64\Bfpnmj32.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Pfikmh32.exe	Pkdgpo32.exe
File opened for modification	C:\Windows\SysWOW64\Pkfceo32.exe	Pfikmh32.exe
File opened for modification	C:\Windows\SysWOW64\Qiladcdh.exe	Qodlkm32.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Naaffn32.dll	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Agfgqo32.exe	Annbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Pkdgpo32.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Nacehmno.dll	Qeohnd32.exe
File opened for modification	C:\Windows\SysWOW64\Aeenochi.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Annbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Abbeflpf.exe	Amelne32.exe
File created	C:\Windows\SysWOW64\Jhgkeald.dll	Bmhideol.exe
File created	C:\Windows\SysWOW64\Cgpjlnhh.exe	Bfpnmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
File created	C:\Windows\SysWOW64\Abeemhkh.exe	Qiladcdh.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Bfpnmj32.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Piekcd32.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Qiladcdh.exe	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Dojofhjd.dll	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Aipheffp.dll	Pfikmh32.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Akmjfn32.exe	Abeemhkh.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Bmhideol.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Lmpanl32.dll	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Ilfila32.dll	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Amelne32.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Bfpnmj32.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Pfikmh32.exe	Pkdgpo32.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Piekcd32.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Fpbche32.dll	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Pkdgpo32.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Elmnchif.dll	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Amelne32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cphndc32.exe
File created	C:\Windows\SysWOW64\Jgafgmqa.dll	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
File created	C:\Windows\SysWOW64\Pkfceo32.exe	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Pkfceo32.exe
File opened for modification	C:\Windows\SysWOW64\Abeemhkh.exe	Qiladcdh.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Agfgqo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
916	1100	WerFault.exe	51

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpnmj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbche32.dll"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgafgmqa.dll"	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abphal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Annbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amelne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgpjlnhh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2908	2624	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe	30
PID 2624 wrote to memory of 2908	2624	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe	30
PID 2624 wrote to memory of 2908	2624	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe	30
PID 2624 wrote to memory of 2908	2624	c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe	30
PID 2908 wrote to memory of 2780	2908	Pomfkndo.exe	31
PID 2908 wrote to memory of 2780	2908	Pomfkndo.exe	31
PID 2908 wrote to memory of 2780	2908	Pomfkndo.exe	31
PID 2908 wrote to memory of 2780	2908	Pomfkndo.exe	31
PID 2780 wrote to memory of 2648	2780	Piekcd32.exe	32
PID 2780 wrote to memory of 2648	2780	Piekcd32.exe	32
PID 2780 wrote to memory of 2648	2780	Piekcd32.exe	32
PID 2780 wrote to memory of 2648	2780	Piekcd32.exe	32
PID 2648 wrote to memory of 2456	2648	Pkdgpo32.exe	33
PID 2648 wrote to memory of 2456	2648	Pkdgpo32.exe	33
PID 2648 wrote to memory of 2456	2648	Pkdgpo32.exe	33
PID 2648 wrote to memory of 2456	2648	Pkdgpo32.exe	33
PID 2456 wrote to memory of 896	2456	Pfikmh32.exe	34
PID 2456 wrote to memory of 896	2456	Pfikmh32.exe	34
PID 2456 wrote to memory of 896	2456	Pfikmh32.exe	34
PID 2456 wrote to memory of 896	2456	Pfikmh32.exe	34
PID 896 wrote to memory of 548	896	Pkfceo32.exe	35
PID 896 wrote to memory of 548	896	Pkfceo32.exe	35
PID 896 wrote to memory of 548	896	Pkfceo32.exe	35
PID 896 wrote to memory of 548	896	Pkfceo32.exe	35
PID 548 wrote to memory of 2088	548	Qeohnd32.exe	36
PID 548 wrote to memory of 2088	548	Qeohnd32.exe	36
PID 548 wrote to memory of 2088	548	Qeohnd32.exe	36
PID 548 wrote to memory of 2088	548	Qeohnd32.exe	36
PID 2088 wrote to memory of 2596	2088	Qodlkm32.exe	37
PID 2088 wrote to memory of 2596	2088	Qodlkm32.exe	37
PID 2088 wrote to memory of 2596	2088	Qodlkm32.exe	37
PID 2088 wrote to memory of 2596	2088	Qodlkm32.exe	37
PID 2596 wrote to memory of 2932	2596	Qiladcdh.exe	38
PID 2596 wrote to memory of 2932	2596	Qiladcdh.exe	38
PID 2596 wrote to memory of 2932	2596	Qiladcdh.exe	38
PID 2596 wrote to memory of 2932	2596	Qiladcdh.exe	38
PID 2932 wrote to memory of 1324	2932	Abeemhkh.exe	39
PID 2932 wrote to memory of 1324	2932	Abeemhkh.exe	39
PID 2932 wrote to memory of 1324	2932	Abeemhkh.exe	39
PID 2932 wrote to memory of 1324	2932	Abeemhkh.exe	39
PID 1324 wrote to memory of 2232	1324	Akmjfn32.exe	40
PID 1324 wrote to memory of 2232	1324	Akmjfn32.exe	40
PID 1324 wrote to memory of 2232	1324	Akmjfn32.exe	40
PID 1324 wrote to memory of 2232	1324	Akmjfn32.exe	40
PID 2232 wrote to memory of 2380	2232	Aeenochi.exe	41
PID 2232 wrote to memory of 2380	2232	Aeenochi.exe	41
PID 2232 wrote to memory of 2380	2232	Aeenochi.exe	41
PID 2232 wrote to memory of 2380	2232	Aeenochi.exe	41
PID 2380 wrote to memory of 1524	2380	Annbhi32.exe	42
PID 2380 wrote to memory of 1524	2380	Annbhi32.exe	42
PID 2380 wrote to memory of 1524	2380	Annbhi32.exe	42
PID 2380 wrote to memory of 1524	2380	Annbhi32.exe	42
PID 1524 wrote to memory of 2340	1524	Agfgqo32.exe	43
PID 1524 wrote to memory of 2340	1524	Agfgqo32.exe	43
PID 1524 wrote to memory of 2340	1524	Agfgqo32.exe	43
PID 1524 wrote to memory of 2340	1524	Agfgqo32.exe	43
PID 2340 wrote to memory of 2208	2340	Amcpie32.exe	44
PID 2340 wrote to memory of 2208	2340	Amcpie32.exe	44
PID 2340 wrote to memory of 2208	2340	Amcpie32.exe	44
PID 2340 wrote to memory of 2208	2340	Amcpie32.exe	44
PID 2208 wrote to memory of 2120	2208	Abphal32.exe	45
PID 2208 wrote to memory of 2120	2208	Abphal32.exe	45
PID 2208 wrote to memory of 2120	2208	Abphal32.exe	45
PID 2208 wrote to memory of 2120	2208	Abphal32.exe	45

C:\Users\Admin\AppData\Local\Temp\c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe
"C:\Users\Admin\AppData\Local\Temp\c0ff4b406e71f1fdf7f7dd0a6070fb9911db2a5db34c1e1781cf4dbdfb4a8a18N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\SysWOW64\Pomfkndo.exe
  C:\Windows\system32\Pomfkndo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\Piekcd32.exe
    C:\Windows\system32\Piekcd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\Pkdgpo32.exe
      C:\Windows\system32\Pkdgpo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
      - C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Bfpnmj32.exe
        
        C:\Windows\system32\Bfpnmj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
320KB

MD5
bfbf44aedff96c4f7576ca4f6019ca64

SHA1
3a2debbb04efb79862c20d221fd3bf1a92919f72

SHA256
4e8e6f29ddfbfd0391a9ac1f85c980660cac654da012156f458bc34f3f031891

SHA512
db5310253b894e9dc62b4c836a6e3542b77e1f49de1ca592a213ec4c775af0e0e5d029ee154bb6a1724fa7ff21612381de4208f41e1426c8ba0dfb57165e3d75

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
320KB

MD5
75ddbf27a510470270e8ea16b556b186

SHA1
b654896521e782c3b2f062b17057d83189558550

SHA256
1066c5a1416e20aba17621d017f78b63f90af1e20bc077853406644d2047f061

SHA512
f31eca118743ebcbb072e0f220ff61d66dad9fb0294c6f9e38c27761f643b29be7cab9e24f9876c4d255f60d6e1f444511f69bbd8ffc85faa3b26bc7c0f26412

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
320KB

MD5
01f59bedd58905b34696385eaf5d1f10

SHA1
fec587bcc818732e42577f9cfec1b497644ddf04

SHA256
f3ccec5091825ac85c513d3ca1f10ef0664459298336606a8befc2fa339c7731

SHA512
f790a78ce92b5ffceb0f75c86fba366c89e039116c517d3b662432ac31541c261e85d84e2be9d41c89a6131712f3f985ecf823ef729b5a8856effc8eff1c1e17

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
320KB

MD5
b4f152d5ceb02a64e4480b2420f8b37f

SHA1
f38106db53ea3fd059fdcda860ee999b7a09c045

SHA256
8434f1257ab10792dfb322af4138b8b7e1083f6036b039b01f372b071f9678cf

SHA512
a4ce0df6cd631b5687c749d727e51004f64a5b309112d01556cee36f6ea517c467d5f91fb19103e78ace34517ab509a00ec97effaa15d8c2999b93cf6b6a3660

Download Submit
C:\Windows\SysWOW64\Aipheffp.dll

Filesize
7KB

MD5
f0fb50cf7d3bf19ddb330594231a1f33

SHA1
9e541e71fdb5d306bbcfab3dd135c5f9d0261381

SHA256
fd68abcaedd1e4491a21117d1e34c49f66f686add7e2850bfce677468331d55d

SHA512
7d30e73743dfb07d5bf6f96b69041eab9bec44d83dbf595d0004894b28789d005079a81455050d1d5ecd27da66335e3d5ec42ea0095011a8c1664171b5844685

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
320KB

MD5
18ac28d45436a82721677f8669fadfbf

SHA1
4cf69c38e38493b0429c673fc14713c613d0dc7f

SHA256
1d67691262c630bc1c92f712436b3070eeb29d16e7e5a2971186d2f44cd29883

SHA512
c4e4541e24ff38a45dbcdc98cdfe39619f8bbffa3dbc8481f94dcc30ef82ec27b42f6621d39d53beb4af137af5ed8e2080b065f9b3ae2440c1b431275f178337

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
320KB

MD5
b431f03a44b7114590d6b940c80c2b30

SHA1
97238c72d09796fcf6014dc3a5858c47d04e3808

SHA256
3eea6a32ce27a5fa5f92fcdfdbf6cc05d0ff85bafcef776a39c4997479c727fa

SHA512
8115990371177b8f76a5e7b4e68bc7e406d27fd1a765533523657b21b2d523d9520177e5fcb3cbba48c6355e3526d647b16be1b0d4deb03ed89de57cb6f2d54d

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
320KB

MD5
e8301465492d793af840ce99cef9a5b4

SHA1
412331fa97d1897fd40e7fd1ef4bea10c040b49b

SHA256
6296ac3ecf72e0e614d1f2ea1084c1c9ef8ddc86c243f3e1799df5927881b322

SHA512
e435103f8d78e35c904369fe090b10413cc440fcd5670cfb1c97939b127ef0f85846324f06bf3c3c995f1ccdfdbd9bfbd22ff831a85b0a4c192ed25d0fbd38ff

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
320KB

MD5
dd9ab539f3d92a2e57b9115173c88c73

SHA1
1c66769dce1d4a4e34b79a28260695a02185f9cc

SHA256
14456963ee91ae0e3fd398ed04b88cf75bc4ea103b222a035dcc3e048edd6e2a

SHA512
381c9b93ba96788dbc2357a6d3963b683954237f068366eeae62a3b7fc90aec6cdba66e7d85289d7e5b8cf6aacc1f3ad18cffe712cb31b00e97b1171d2ad27ed

Download Submit
C:\Windows\SysWOW64\Bfpnmj32.exe

Filesize
320KB

MD5
3130007941a50cd528cc0f8e20d93140

SHA1
94e27372c55ac1a8ba8a08d004f159378b5094df

SHA256
02baeff7651bdfc9e93afafee63a95ad68ff83692d68bf8eef1fb0bd3907e60c

SHA512
1d18aa0a47132424b99e86d6609dcb4034421227ddd2f65719ef92cef195ad51e73df069595bdae5fd5cb5d27fc071827ee5bdde48f65f3a578f2aef08f89af3

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
320KB

MD5
b4c61b964c8c88c4e98b2f1a53a63ebc

SHA1
40ddea76af262ed0dd42e612584292f3b1d8e619

SHA256
a8c1cc50f572be3dabb9fa1f3ab960b4a06d8a5eb2af04e29d34ae124584bfa7

SHA512
9a0d33c92e1628871a447c161c6b418ac8266a099dee0878460a40668a11468f1041d6facfd3918931552a819d6f9feb4cc7c74b7c305fa373cef82806fc5dea

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
320KB

MD5
09cd6bea9e2190e3a447184165b495bb

SHA1
d935ee5b1f1915513c540fcd3ea3594b1b1bad59

SHA256
57a31831bd0022cc89ea1a9f1791c582aaad11826165fb69d42fdad0f5dd6778

SHA512
e18dc54addc0b19dd0f7b0e523a42239e93f72e2ba4526b1fed63f82b26dbef9c7e473168921a8fcb679af06454c64360891e156b97f6e55a09219cc7bbfef43

Download Submit
C:\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
320KB

MD5
2e582b1ac7eebf760896555970e2ee9e

SHA1
23aa8065cce8324867230ec7dbe31c8da3b36581

SHA256
f63150dd0d397c09cda0906217a1e0249ce053fd3b2d48da7ca806613c86604d

SHA512
592ee145143bc2751f318e502e062844f3e2b8bf42fd0dae71a0eb69c553ad64bfd25da4803ff9556f18312ee2afc5b85b8f79dd4ad557bf29a709012568e697

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
320KB

MD5
9487b9ebb89de450cccd803b177f38af

SHA1
24f1278fe141d838a354ae2c301db465ce557112

SHA256
8052ec5773b0548f0bceb9e99e182943d502cba64a428e71123bf2e9bf8d8f49

SHA512
b323875a82ca2bae0f0489ac8eb985f3d6815d163e4fca9136d9a365cb4efb2a6907bbfd6e351d7ceec8cbab3b013842265cdf2881bbf40374a9465a200108dc

Download Submit
C:\Windows\SysWOW64\Pfikmh32.exe

Filesize
320KB

MD5
722b29b60c47f8a8c1dd8339f99b7c3c

SHA1
c171d387ec7681359217f768af9a74644a5447b7

SHA256
41f697474d7508205733cd57c721ec265065344edee06202a77127cd21189bc4

SHA512
f17e7cc03696418a560ddc31845c0f440d8c62ad6f0fdc5c0ddd6b520edab2051e02d8fe81f8e7e1d5446e9943bc1c0d55062ec9bdd6c0fab14625aeae328515

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
320KB

MD5
d06231bb42d192713faf2a74dc1d6ea6

SHA1
7283de88f2668fe0d0f0ae3bb691fab8a44e1248

SHA256
42da3576838e66b6ea8597250590c30b04543760efcc6f67e547b764133beae9

SHA512
bd832073357878ca3d3083c3bb77c49f604f58e17f18b6f50002c203f77702072da9184560ae03084654b3fce1be246508a286e81932ef7df3d2f8f8cbd34676

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
320KB

MD5
5d7f6ed568eb12f6e2c5db182cf2f91c

SHA1
a5079c6d51331f3e254288ff7f0d64db81891f29

SHA256
99ff579b24dec8c282598eea32354f345181f9f774c49b6c240b52d8d25e24fc

SHA512
ce781c663678688032242fe93b6a5efc6ca5a6b4ab3059e7c0340c5557186dcea9887fb67d9d8e072b8ff533df2e7e931d7f268ae373a5f1ff4f36b8baf238e1

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
320KB

MD5
f81545ad4fd3ee57724700d29823adf7

SHA1
9b548e45d60605729b7e3d66326cbd89271014ee

SHA256
8588d520cbb563cf6783414aac12a5fb000207c0cedb973f3680cde12b88ca5a

SHA512
09fcada0b60f70745f997c0c0c80a8211aceb59f43c3de6e333668ca76440d727d8877cbbf7d837945cd36fbe69454e8371e74996ff2ad6c5bda9ac2fdf9ba52

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
320KB

MD5
e73757cc0b8568aafb6e5df77dbcb0d4

SHA1
3c5d542ea1df9ce19a7b7aa2affea298612acc46

SHA256
55c73918a376336247ed9183777bcd6ac20f5320b2c7c15915098da3d2a1ff6e

SHA512
ed6077e66c6c7337e9d544f8e385e90846917e919097406194e0a85b4c3dee79f2d2b3c8af54adab959dd9f057e248cd863fa16c02c670840f4cd27e4b422dfa

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
320KB

MD5
b3589fbc921aa0e70a1dc1085eb57607

SHA1
a588cfa3b4e6cb21fd840360491861db3126d1d8

SHA256
5352528a66bba2f9653487a8ad5e5afd2930783d7d51dcb0f2d792e9299c02f4

SHA512
eb73d04487bfce1d0acc79e1597b11f114c3842f6d1662db4f02beeacaff0bbaa5e377e7a3c6951421c8e1785d6d782c2b9b15a9e6c5a1d30719010c905423e7

Download Submit
\Windows\SysWOW64\Abeemhkh.exe

Filesize
320KB

MD5
9f09a6fe9d5e8968f921bf0ed534d214

SHA1
8ab269fa2f476a528566388bf81865fac118a90a

SHA256
cbe38ec734f1e6b0c379a355eef0f3c5d12fe2f50210d5a257d22b36fcbd4f07

SHA512
ce2bdb47f3aa602fa5dc44ced1b9d41dc90ef08e7e93f5fd7452c76447bf794a8cec3e9a95e23e45d23da4c96a19e8eca63355717523bd9ebffab5044fcacb3c

Download Submit
\Windows\SysWOW64\Pomfkndo.exe

Filesize
320KB

MD5
9102d9d55ecc831920dccfb039e1d2f8

SHA1
d122306d0f96e01a41d51ebd8d5be2f8ed3bf4c3

SHA256
dcb7adaa01b9b6cd8812a2b095e227118f5977dfb1e02da70d156299c3ce45a5

SHA512
b6df0fadf46da3edf67f82b1e1a03681d147dda82fd7c9130125d45d99c3204fb5f0627c7b941b577606daf584a93bc06082ef5be0003ebd64a68744e010283d

Download Submit
\Windows\SysWOW64\Qodlkm32.exe

Filesize
320KB

MD5
3fbc4d618c24d0ec1c12964da43805f0

SHA1
1a542eb621e55611160b062937e975e8fec016cd

SHA256
711a9c09a29539532b70e511477942f1d5724ea1daa8cd5b774f944d6e147696

SHA512
f8e58dc0c97432c21a0a5c450ab4c7e149d3457dba72c2bb3ab4d5664f5e5a82b6dededa44416c9029dca418be8a2c7c010455e435fbf0c3f846e6a74a791d03

Download Submit
memory/548-222-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/896-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1052-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1052-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1324-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1436-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-270-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1744-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-267-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1744-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-237-0x0000000001F50000-0x0000000001F85000-memory.dmp

Filesize
212KB

Download
memory/1768-234-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2232-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-230-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-259-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2524-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2596-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-7-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2624-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-12-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2624-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-219-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-218-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2908-216-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2908-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-235-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2932-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads