berbew | 4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8e

Analysis

max time kernel
15s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
Size

71KB
MD5

d9a91a8e618128cf0c8836e6ecc5c050
SHA1

cbef06fdf55f88fc86d7633bd737a1f1ee859267
SHA256

4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8e
SHA512

10352e9cf307e5c276d2acaa5f24f9ee98b9c3eb0b431d7c9774cb15e9b1d686d42380164b9d731e11db646da061366c1f07f2353f6069367958e08d129c0d97
SSDEEP

1536:nNId/gtuI5q7LTWyqLLNr3haaNgERe7cVO8a2eM/RQwRK1P+ATT:Sd/gtuKq7eyqPNr3hdKcg8ahM/edP+A3

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 18 IoCs

pid	Process
2268	Qcogbdkg.exe
1700	Qndkpmkm.exe
868	Apedah32.exe
2936	Apgagg32.exe
2780	Alnalh32.exe
2792	Ahebaiac.exe
2696	Abmgjo32.exe
1872	Aqbdkk32.exe
2608	Bkhhhd32.exe
800	Bceibfgj.exe
1932	Bqijljfd.exe
2476	Bkegah32.exe
840	Cmedlk32.exe
2056	Cgoelh32.exe
1352	Cebeem32.exe
2392	Clojhf32.exe
1612	Cgfkmgnj.exe
2420	Dpapaj32.exe

Loads dropped DLL 36 IoCs

pid	Process
2316	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
2316	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
2268	Qcogbdkg.exe
2268	Qcogbdkg.exe
1700	Qndkpmkm.exe
1700	Qndkpmkm.exe
868	Apedah32.exe
868	Apedah32.exe
2936	Apgagg32.exe
2936	Apgagg32.exe
2780	Alnalh32.exe
2780	Alnalh32.exe
2792	Ahebaiac.exe
2792	Ahebaiac.exe
2696	Abmgjo32.exe
2696	Abmgjo32.exe
1872	Aqbdkk32.exe
1872	Aqbdkk32.exe
2608	Bkhhhd32.exe
2608	Bkhhhd32.exe
800	Bceibfgj.exe
800	Bceibfgj.exe
1932	Bqijljfd.exe
1932	Bqijljfd.exe
2476	Bkegah32.exe
2476	Bkegah32.exe
840	Cmedlk32.exe
840	Cmedlk32.exe
2056	Cgoelh32.exe
2056	Cgoelh32.exe
1352	Cebeem32.exe
1352	Cebeem32.exe
2392	Clojhf32.exe
2392	Clojhf32.exe
1612	Cgfkmgnj.exe
1612	Cgfkmgnj.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qndkpmkm.exe	Qcogbdkg.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Qcogbdkg.exe	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
File created	C:\Windows\SysWOW64\Aqbdkk32.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Incjbkig.dll	Apedah32.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Peblpbgn.dll	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
File created	C:\Windows\SysWOW64\Cpqmndme.dll	Qndkpmkm.exe
File opened for modification	C:\Windows\SysWOW64\Ahebaiac.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Alnalh32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Apedah32.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Qcogbdkg.exe	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Apedah32.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Pfqgfg32.dll	Qcogbdkg.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Qndkpmkm.exe	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Lgpgbj32.dll	Apgagg32.exe
File created	C:\Windows\SysWOW64\Ahebaiac.exe	Alnalh32.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Aqbdkk32.exe	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Alnalh32.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Alnalh32.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cgfkmgnj.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Hhjofm32.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe

Modifies registry class 62 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll"	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Hhjofm32.¾ll"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll"	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cmedlk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2268	2316	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe	30
PID 2316 wrote to memory of 2268	2316	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe	30
PID 2316 wrote to memory of 2268	2316	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe	30
PID 2316 wrote to memory of 2268	2316	4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe	30
PID 2268 wrote to memory of 1700	2268	Qcogbdkg.exe	31
PID 2268 wrote to memory of 1700	2268	Qcogbdkg.exe	31
PID 2268 wrote to memory of 1700	2268	Qcogbdkg.exe	31
PID 2268 wrote to memory of 1700	2268	Qcogbdkg.exe	31
PID 1700 wrote to memory of 868	1700	Qndkpmkm.exe	32
PID 1700 wrote to memory of 868	1700	Qndkpmkm.exe	32
PID 1700 wrote to memory of 868	1700	Qndkpmkm.exe	32
PID 1700 wrote to memory of 868	1700	Qndkpmkm.exe	32
PID 868 wrote to memory of 2936	868	Apedah32.exe	33
PID 868 wrote to memory of 2936	868	Apedah32.exe	33
PID 868 wrote to memory of 2936	868	Apedah32.exe	33
PID 868 wrote to memory of 2936	868	Apedah32.exe	33
PID 2936 wrote to memory of 2780	2936	Apgagg32.exe	35
PID 2936 wrote to memory of 2780	2936	Apgagg32.exe	35
PID 2936 wrote to memory of 2780	2936	Apgagg32.exe	35
PID 2936 wrote to memory of 2780	2936	Apgagg32.exe	35
PID 2780 wrote to memory of 2792	2780	Alnalh32.exe	36
PID 2780 wrote to memory of 2792	2780	Alnalh32.exe	36
PID 2780 wrote to memory of 2792	2780	Alnalh32.exe	36
PID 2780 wrote to memory of 2792	2780	Alnalh32.exe	36
PID 2792 wrote to memory of 2696	2792	Ahebaiac.exe	37
PID 2792 wrote to memory of 2696	2792	Ahebaiac.exe	37
PID 2792 wrote to memory of 2696	2792	Ahebaiac.exe	37
PID 2792 wrote to memory of 2696	2792	Ahebaiac.exe	37
PID 2696 wrote to memory of 1872	2696	Abmgjo32.exe	38
PID 2696 wrote to memory of 1872	2696	Abmgjo32.exe	38
PID 2696 wrote to memory of 1872	2696	Abmgjo32.exe	38
PID 2696 wrote to memory of 1872	2696	Abmgjo32.exe	38
PID 1872 wrote to memory of 2608	1872	Aqbdkk32.exe	39
PID 1872 wrote to memory of 2608	1872	Aqbdkk32.exe	39
PID 1872 wrote to memory of 2608	1872	Aqbdkk32.exe	39
PID 1872 wrote to memory of 2608	1872	Aqbdkk32.exe	39
PID 2608 wrote to memory of 800	2608	Bkhhhd32.exe	40
PID 2608 wrote to memory of 800	2608	Bkhhhd32.exe	40
PID 2608 wrote to memory of 800	2608	Bkhhhd32.exe	40
PID 2608 wrote to memory of 800	2608	Bkhhhd32.exe	40
PID 800 wrote to memory of 1932	800	Bceibfgj.exe	41
PID 800 wrote to memory of 1932	800	Bceibfgj.exe	41
PID 800 wrote to memory of 1932	800	Bceibfgj.exe	41
PID 800 wrote to memory of 1932	800	Bceibfgj.exe	41
PID 1932 wrote to memory of 2476	1932	Bqijljfd.exe	42
PID 1932 wrote to memory of 2476	1932	Bqijljfd.exe	42
PID 1932 wrote to memory of 2476	1932	Bqijljfd.exe	42
PID 1932 wrote to memory of 2476	1932	Bqijljfd.exe	42
PID 2476 wrote to memory of 840	2476	Bkegah32.exe	43
PID 2476 wrote to memory of 840	2476	Bkegah32.exe	43
PID 2476 wrote to memory of 840	2476	Bkegah32.exe	43
PID 2476 wrote to memory of 840	2476	Bkegah32.exe	43
PID 840 wrote to memory of 2056	840	Cmedlk32.exe	44
PID 840 wrote to memory of 2056	840	Cmedlk32.exe	44
PID 840 wrote to memory of 2056	840	Cmedlk32.exe	44
PID 840 wrote to memory of 2056	840	Cmedlk32.exe	44
PID 2056 wrote to memory of 1352	2056	Cgoelh32.exe	45
PID 2056 wrote to memory of 1352	2056	Cgoelh32.exe	45
PID 2056 wrote to memory of 1352	2056	Cgoelh32.exe	45
PID 2056 wrote to memory of 1352	2056	Cgoelh32.exe	45
PID 1352 wrote to memory of 2392	1352	Cebeem32.exe	46
PID 1352 wrote to memory of 2392	1352	Cebeem32.exe	46
PID 1352 wrote to memory of 2392	1352	Cebeem32.exe	46
PID 1352 wrote to memory of 2392	1352	Cebeem32.exe	46

C:\Users\Admin\AppData\Local\Temp\4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe
"C:\Users\Admin\AppData\Local\Temp\4ab9cf0cc36822401ebd114c9cfdc35d16357490e86e21decac38dc28ee6ff8eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\Qcogbdkg.exe
  C:\Windows\system32\Qcogbdkg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\Qndkpmkm.exe
    C:\Windows\system32\Qndkpmkm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\Apedah32.exe
      C:\Windows\system32\Apedah32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
71KB

MD5
013d6a3d75d47da852fc0acb117d65fb

SHA1
bff6217d5931ba9475081e01c167b9a30c24fadf

SHA256
e2388a4fe0bbaa57221e8efa7b3783d70aca8051ff6176f6e6d025a96f1acfb0

SHA512
d7f897826f6d13f20ce2d6e556bfeb61d6fba88dc090ef24adb25be180d06fa8685235f05712fda543a4594d2b0faf6919c76d38c5532f5c4e382535796185ad

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
71KB

MD5
e5f59a7104888a017e5431785974807c

SHA1
9f5fd9d2db6bf50347245bb354901451863f2328

SHA256
d3bf04aee005a78a7824e5a1fafb5d22c0f5ff66dd011b0bb3375df01338df6c

SHA512
70aa5efbaaabbd91855b2477a319e2a068f8f2d1bb65b4a528481f9979229587686567b7566a2724a62f2a1c5961ed4208e8e7f3b8f872b89d4d090c4aedf2bb

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
71KB

MD5
6a53133c94dfe5df3b753835bf8088b0

SHA1
58734893c244a6360801deac696dcab237216b85

SHA256
cf1d2b54188e0330fecac2ddc3304d6e5261bc20ff09613606d99346c258fe29

SHA512
0e72b50d8a60988e40d1aabd402201e2a751c17063c7da888570acf00eee4ffc69f842010a415b0a65fc872875952f79e42115806dd306e8321adc43c117ad02

Download Submit
C:\Windows\SysWOW64\Lgpgbj32.dll

Filesize
7KB

MD5
428437c80f33ae206e7e9cd2056278fd

SHA1
3f05b07959f944531ee926e0306b7d781bdde826

SHA256
d4033f891a1e629aed7b11dad1b6faa6d8099bcc5b7a0886c3852d18ab268ec6

SHA512
330412db39c21cfdf05e9c75a112596d1cd349d12d8a86fc80c03d3547cfd676cad4905b81d7373dd59d072685b99c1d7f1779d63390ed42c3f9af846a8fdf1d

Download Submit
C:\Windows\SysWOW64\Qcogbdkg.exe

Filesize
71KB

MD5
bb29a08f45aab7faf3d204441fadba1a

SHA1
bfa03175aa0797d1a95d6a0da1e6c21f333a8e24

SHA256
6d544bad560f6c1638a5e9540e607bc5c75d783ab13ba547c9a81203148bf8b9

SHA512
50ff5cf7608581f10dba0b1109a5e0427ce2364cd71c2e42a43bc8322f2b9d88e5f8ed80e41a43fef77cb69acddf92563ff635ac9082b063fea1921ed85aa7ab

Download Submit
C:\Windows\SysWOW64\Qndkpmkm.exe

Filesize
71KB

MD5
afe10e3e083d26e5970f926da0c71b1f

SHA1
db0f8909dfaa57e9cf3b0b0cd0a66ca2c7e515ed

SHA256
4c8ae7d2c5989e584a534dda20704e8a6cc5c14002b9f5ba320e3a27c7273918

SHA512
5c2a361cffbdd56362a70cdc23c80a08f6b2460283a21c85403f2407c13eaae5b437abe16a95b0c851bd6f2bbae28783b63c836ece9081dc60fecc8a932d6652

Download Submit
\Windows\SysWOW64\Ahebaiac.exe

Filesize
71KB

MD5
ee1b694ab07189a40335851723814814

SHA1
4c62f2baabafb393a40c53ca30a76298c8845d22

SHA256
1faa8589cc90391e75604c7a0238f4302241464bd5d00a26793879c42c083af2

SHA512
c6b969871a91c740f5466bbb645e9a0b665144d64a27d0c332f08956dfd0d225fb3305a9ffe961d207a5bca7fb3ed3a16e19972d891387094e572df0d7848648

Download Submit
\Windows\SysWOW64\Alnalh32.exe

Filesize
71KB

MD5
9ae11864430d15f280ebd5059d1941c4

SHA1
b52f376fe84c8fa83be5288d9785628af8963479

SHA256
2c3ffacfa160ed553f506d5ecd6f3699b565f28f904cc93575ede6641a2eb4da

SHA512
7da14fa6d341bd05013a7c575f1e4f3e9e5d0d34825c5698a7dd72ccfd9f7527c782c761f3b244c8a3bb86e46851942b48ebba1e4103e66ee66f009f9c859d6c

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
71KB

MD5
096684826bf14d910ff03d4c82e4887c

SHA1
238d7f705897182b62a2179bad81a44b65f07a25

SHA256
df5897dfcc12fb1881245a175cf779b7dd94141a343505dc2b623cd654b7ed0a

SHA512
b4b126afadbe50643cc8a51af6021c1f43902b88fdfa27cc09c2337167e622df3a5b40bc48643fb2420604cf4e01e5c975b48e97d3496b46b51e2dc3cb698f5d

Download Submit
\Windows\SysWOW64\Apgagg32.exe

Filesize
71KB

MD5
6d3727ae94342000a457248fe1805cdd

SHA1
10e45480bb1e716006df747a3c174c54a0bdc8c8

SHA256
8400b3d10eff98d47de2549c45e751d436f3d5c1b2c1ab47c16d1732f934e87a

SHA512
0780dae1932f6f43236afe9bd5815e7cfc963f013814377206cb111ae70d222a4819d4bd74597c6ea1f3f254d6735ec882ed5894d22ec998bd1b4d7ef58ff46e

Download Submit
\Windows\SysWOW64\Aqbdkk32.exe

Filesize
71KB

MD5
df6eb56c6fcee813e025e25f8818f51a

SHA1
c18ed11a8f045e4547b6b0317894ba090948bb94

SHA256
be70c9c48b860814a4e52a559755dc0dc219a79e39793c7eb877cbd5e8ba2c0f

SHA512
9cbd8b03a93504c7e3a9631a0dbe9e76e88cb44ad2f1b5a45153aaa55926805bbae0f398852c1dd99c2d169e886c3b168542e0bed51bdc8ca9ea453b36c4c832

Download Submit
\Windows\SysWOW64\Bceibfgj.exe

Filesize
71KB

MD5
47e9b6881ee46859bd38d12f8eedc9cd

SHA1
091322eec42d00cb55a341f2c68a26b1b39c6e1c

SHA256
06462751aced5d7a59a269f31702b2e0adf6d16f3adf8f6f9040d2e58a55ff67

SHA512
5a49dfae487bec6c989ce3e9d960e73935064b02e27e1ceff1989c2a1404992c8e56d44606e69979321f91553bb765c15e171c02f4a1bf1894f262503b55ea16

Download Submit
\Windows\SysWOW64\Bkegah32.exe

Filesize
71KB

MD5
e83aa0f3cb716d6de0f55b6f346da533

SHA1
b50675bc25cbab5f84c32e2cd823e16691398011

SHA256
b4a438f0300f8e6d11eb85f92126815bf29ebbfb11a16d03f69e5111d2a0b54b

SHA512
8a20e10b7914801b05592d7b497173a7f47f05f0e2a26d9acabc4d036bcf001349daa1428cfefc157eb33343bd7d50bc932c7d389de677555dbc18e28bcc82be

Download Submit
\Windows\SysWOW64\Bkhhhd32.exe

Filesize
71KB

MD5
1c1e550ae5f1e868741e0dd3ce25f51d

SHA1
315c545c248ba0950eeb8c61bab3c8ee3b9814e2

SHA256
6b4347d780fb618d9ac863a99abd333b67b6a80abe8bb219b5786f5ec8cb66ce

SHA512
e52120d5d7d1c1cf3f8fd59de9f0d1fa6369a8f3028f4d614e7c108945aa0ada183528966741255ebed04198a6c5778a736853f51dd75bd2cb522257f92040d2

Download Submit
\Windows\SysWOW64\Bqijljfd.exe

Filesize
71KB

MD5
3170a279f68765071e46a676a4e9ccf2

SHA1
d556b430d28e9263c28e88344f3e533fc9d4ac05

SHA256
c09300272b41119b26fe16a0a7b8c762aa2b7292f88435405fcef6a6fea87acd

SHA512
54986850ddc48f162d0b97d5d99529b82c0de5fedc22e14f4591fe0f408f44831298ba40d1fd2dfc2af79185a09c194046fe1d07fd6320d3a4df1008c957af6c

Download Submit
\Windows\SysWOW64\Cebeem32.exe

Filesize
71KB

MD5
19702742017f852eed2f2effe716b49e

SHA1
a0954a810a13352b6dc352cbd98703d314500a53

SHA256
6eb3c4b1a79226083b8a2165cc49b9696802354d06173c75dfc55952e3242852

SHA512
c252033009aeb297df2db6ea483a5bcc3507a5b3f691c126b181cdf01bf5fee7e7bb3c1565c728b67eee3c55ce75542f9f82addfb7d5d5028fd0871d03513a6b

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
71KB

MD5
2874d296f16969505421ecc33d92811f

SHA1
4ccf6e4673142151038e56f605ba442be7a7be28

SHA256
c0be51e86346af45e5ef02512331be5a80da7b33203accbafdac45dce7fab9fe

SHA512
96d4a12889a8265ecd8981de0851f23677379956d2f90a8d24f24ccf31b7bd263c4b7d69dca5baccf83298edf1c307ad92447be05d1e4d4992f04ba996eea2bc

Download Submit
\Windows\SysWOW64\Clojhf32.exe

Filesize
71KB

MD5
52484aa3640266969542272e468028f4

SHA1
0bb4244f1c825796f1103f78b45c19090a253589

SHA256
d3e78b10da215345c347689c3ba09593cadeb08712cf3fb0906440fce898df17

SHA512
349e7941abea34944746444ef672f0f448411d05592cc564b748624c344bdfefb7fc0c24f7fbc1b494cf471cd3051627588462eb673bb54ea43decd3476d02c5

Download Submit
\Windows\SysWOW64\Cmedlk32.exe

Filesize
71KB

MD5
6c112e09deb4294f31a6363b93a6c9a9

SHA1
510dfc0e41e79072100b9828ef8911a0d0570d91

SHA256
986a11cd5abd74862a733d77658dbe3b1d8007aedea826ee0cbb45eabdde4893

SHA512
e54e91ef18d444b1c80568f3407523cde1addb82bfb444536b653e746e572b3056c67d77a8a2b68ef952b3614471350a47bcd40074cbffc9f55057d5ab525245

Download Submit
memory/800-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-189-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/840-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-54-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/868-48-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/868-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-215-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1612-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-235-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1700-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-36-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1872-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-122-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1932-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-26-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2268-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-12-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2316-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-16-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2392-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-227-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2392-228-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2392-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-172-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2608-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-136-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2608-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-102-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2696-108-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2780-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-76-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2792-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-68-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads