berbew | f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
Size

96KB
MD5

49f9a82a2fd7bb0f3b7538856c27b970
SHA1

c02f91ce8b69eff32468958c717ccd9ad6e8ed84
SHA256

f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3
SHA512

630a9ea9fe2981a6368b96956df68d3f582469406b3078aa987e9b4e393ad3fa2843b3bbf260e636a3163a0399198d382b359f953f0a725d1bc8c1d7131ade19
SSDEEP

1536:MQZRjLblrObr3wxxNQOeY3+29SYARYF2L4y7RZObZUUWaegPYA:MeOb8xxNQjY3+29SYIY24yClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Endhhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfmdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmicm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjfccn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccngld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cldooj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Endhhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjfccn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enfenplo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfmdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efcfga32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 20 IoCs

pid	Process
2736	Cjfccn32.exe
2940	Cldooj32.exe
468	Ccngld32.exe
2704	Dgjclbdi.exe
2664	Dfmdho32.exe
1588	Dfoqmo32.exe
1608	Djmicm32.exe
2544	Dcenlceh.exe
3036	Dlnbeh32.exe
2652	Dbkknojp.exe
2924	Dhdcji32.exe
2144	Ehgppi32.exe
2320	Endhhp32.exe
2804	Eqbddk32.exe
2440	Enfenplo.exe
1228	Edpmjj32.exe
1052	Efcfga32.exe
1736	Eibbcm32.exe
1592	Ebjglbml.exe
2012	Fkckeh32.exe

Loads dropped DLL 44 IoCs

pid	Process
1692	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
1692	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
2736	Cjfccn32.exe
2736	Cjfccn32.exe
2940	Cldooj32.exe
2940	Cldooj32.exe
468	Ccngld32.exe
468	Ccngld32.exe
2704	Dgjclbdi.exe
2704	Dgjclbdi.exe
2664	Dfmdho32.exe
2664	Dfmdho32.exe
1588	Dfoqmo32.exe
1588	Dfoqmo32.exe
1608	Djmicm32.exe
1608	Djmicm32.exe
2544	Dcenlceh.exe
2544	Dcenlceh.exe
3036	Dlnbeh32.exe
3036	Dlnbeh32.exe
2652	Dbkknojp.exe
2652	Dbkknojp.exe
2924	Dhdcji32.exe
2924	Dhdcji32.exe
2144	Ehgppi32.exe
2144	Ehgppi32.exe
2320	Endhhp32.exe
2320	Endhhp32.exe
2804	Eqbddk32.exe
2804	Eqbddk32.exe
2440	Enfenplo.exe
2440	Enfenplo.exe
1228	Edpmjj32.exe
1228	Edpmjj32.exe
1052	Efcfga32.exe
1052	Efcfga32.exe
1736	Eibbcm32.exe
1736	Eibbcm32.exe
1592	Ebjglbml.exe
1592	Ebjglbml.exe
952	WerFault.exe
952	WerFault.exe
952	WerFault.exe
952	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lchkpi32.dll	Eqbddk32.exe
File created	C:\Windows\SysWOW64\Eibbcm32.exe	Efcfga32.exe
File opened for modification	C:\Windows\SysWOW64\Ebjglbml.exe	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Dfoqmo32.exe	Dfmdho32.exe
File created	C:\Windows\SysWOW64\Mcfidhng.dll	Dfmdho32.exe
File opened for modification	C:\Windows\SysWOW64\Cldooj32.exe	Cjfccn32.exe
File created	C:\Windows\SysWOW64\Oehfcmhd.dll	Cjfccn32.exe
File created	C:\Windows\SysWOW64\Edpmjj32.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Pmdgmd32.dll	Enfenplo.exe
File opened for modification	C:\Windows\SysWOW64\Dcenlceh.exe	Djmicm32.exe
File opened for modification	C:\Windows\SysWOW64\Eqbddk32.exe	Endhhp32.exe
File opened for modification	C:\Windows\SysWOW64\Djmicm32.exe	Dfoqmo32.exe
File opened for modification	C:\Windows\SysWOW64\Dlnbeh32.exe	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Nnfbei32.dll	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Dbkknojp.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Cjfccn32.exe	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
File created	C:\Windows\SysWOW64\Fahgfoih.dll	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
File created	C:\Windows\SysWOW64\Cldooj32.exe	Cjfccn32.exe
File created	C:\Windows\SysWOW64\Lfnjef32.dll	Endhhp32.exe
File created	C:\Windows\SysWOW64\Kncphpjl.dll	Dbkknojp.exe
File created	C:\Windows\SysWOW64\Endhhp32.exe	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Odifab32.dll	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Dlnbeh32.exe	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Fogilika.dll	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Djmicm32.exe	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Aabagnfc.dll	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Jhgnia32.dll	Efcfga32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Ccngld32.exe	Cldooj32.exe
File opened for modification	C:\Windows\SysWOW64\Dfmdho32.exe	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Edpmjj32.exe
File opened for modification	C:\Windows\SysWOW64\Eibbcm32.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Ehgppi32.exe	Dhdcji32.exe
File created	C:\Windows\SysWOW64\Eqbddk32.exe	Endhhp32.exe
File opened for modification	C:\Windows\SysWOW64\Ehgppi32.exe	Dhdcji32.exe
File opened for modification	C:\Windows\SysWOW64\Ccngld32.exe	Cldooj32.exe
File created	C:\Windows\SysWOW64\Bjidgghp.dll	Djmicm32.exe
File created	C:\Windows\SysWOW64\Dhdcji32.exe	Dbkknojp.exe
File created	C:\Windows\SysWOW64\Dmkmmi32.dll	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Akigbbni.dll	Cldooj32.exe
File created	C:\Windows\SysWOW64\Jfiilbkl.dll	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Dfmdho32.exe	Dgjclbdi.exe
File opened for modification	C:\Windows\SysWOW64\Dbkknojp.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Dgjclbdi.exe	Ccngld32.exe
File created	C:\Windows\SysWOW64\Qbgpffch.dll	Ccngld32.exe
File opened for modification	C:\Windows\SysWOW64\Cjfccn32.exe	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
File opened for modification	C:\Windows\SysWOW64\Dgjclbdi.exe	Ccngld32.exe
File opened for modification	C:\Windows\SysWOW64\Endhhp32.exe	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Enfenplo.exe	Eqbddk32.exe
File opened for modification	C:\Windows\SysWOW64\Enfenplo.exe	Eqbddk32.exe
File opened for modification	C:\Windows\SysWOW64\Edpmjj32.exe	Enfenplo.exe
File opened for modification	C:\Windows\SysWOW64\Efcfga32.exe	Edpmjj32.exe
File opened for modification	C:\Windows\SysWOW64\Dfoqmo32.exe	Dfmdho32.exe
File created	C:\Windows\SysWOW64\Dcenlceh.exe	Djmicm32.exe
File created	C:\Windows\SysWOW64\Efcfga32.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Ebjglbml.exe	Eibbcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dhdcji32.exe	Dbkknojp.exe
File created	C:\Windows\SysWOW64\Geemiobo.dll	Dhdcji32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
952	2012	WerFault.exe	49

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfccn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkknojp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Endhhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eibbcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cldooj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgjclbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfoqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edpmjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebjglbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccngld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfmdho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmicm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcenlceh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlnbeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehgppi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqbddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efcfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enfenplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cldooj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll"	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll"	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll"	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnjef32.dll"	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enfenplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll"	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll"	Dfmdho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfiilbkl.dll"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncphpjl.dll"	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enfenplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll"	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogilika.dll"	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjfccn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfmdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahgfoih.dll"	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkmmi32.dll"	Eibbcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbgpffch.dll"	Ccngld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akigbbni.dll"	Cldooj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfmdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccngld32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2736	1692	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe	30
PID 1692 wrote to memory of 2736	1692	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe	30
PID 1692 wrote to memory of 2736	1692	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe	30
PID 1692 wrote to memory of 2736	1692	f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe	30
PID 2736 wrote to memory of 2940	2736	Cjfccn32.exe	31
PID 2736 wrote to memory of 2940	2736	Cjfccn32.exe	31
PID 2736 wrote to memory of 2940	2736	Cjfccn32.exe	31
PID 2736 wrote to memory of 2940	2736	Cjfccn32.exe	31
PID 2940 wrote to memory of 468	2940	Cldooj32.exe	32
PID 2940 wrote to memory of 468	2940	Cldooj32.exe	32
PID 2940 wrote to memory of 468	2940	Cldooj32.exe	32
PID 2940 wrote to memory of 468	2940	Cldooj32.exe	32
PID 468 wrote to memory of 2704	468	Ccngld32.exe	33
PID 468 wrote to memory of 2704	468	Ccngld32.exe	33
PID 468 wrote to memory of 2704	468	Ccngld32.exe	33
PID 468 wrote to memory of 2704	468	Ccngld32.exe	33
PID 2704 wrote to memory of 2664	2704	Dgjclbdi.exe	34
PID 2704 wrote to memory of 2664	2704	Dgjclbdi.exe	34
PID 2704 wrote to memory of 2664	2704	Dgjclbdi.exe	34
PID 2704 wrote to memory of 2664	2704	Dgjclbdi.exe	34
PID 2664 wrote to memory of 1588	2664	Dfmdho32.exe	35
PID 2664 wrote to memory of 1588	2664	Dfmdho32.exe	35
PID 2664 wrote to memory of 1588	2664	Dfmdho32.exe	35
PID 2664 wrote to memory of 1588	2664	Dfmdho32.exe	35
PID 1588 wrote to memory of 1608	1588	Dfoqmo32.exe	36
PID 1588 wrote to memory of 1608	1588	Dfoqmo32.exe	36
PID 1588 wrote to memory of 1608	1588	Dfoqmo32.exe	36
PID 1588 wrote to memory of 1608	1588	Dfoqmo32.exe	36
PID 1608 wrote to memory of 2544	1608	Djmicm32.exe	37
PID 1608 wrote to memory of 2544	1608	Djmicm32.exe	37
PID 1608 wrote to memory of 2544	1608	Djmicm32.exe	37
PID 1608 wrote to memory of 2544	1608	Djmicm32.exe	37
PID 2544 wrote to memory of 3036	2544	Dcenlceh.exe	38
PID 2544 wrote to memory of 3036	2544	Dcenlceh.exe	38
PID 2544 wrote to memory of 3036	2544	Dcenlceh.exe	38
PID 2544 wrote to memory of 3036	2544	Dcenlceh.exe	38
PID 3036 wrote to memory of 2652	3036	Dlnbeh32.exe	39
PID 3036 wrote to memory of 2652	3036	Dlnbeh32.exe	39
PID 3036 wrote to memory of 2652	3036	Dlnbeh32.exe	39
PID 3036 wrote to memory of 2652	3036	Dlnbeh32.exe	39
PID 2652 wrote to memory of 2924	2652	Dbkknojp.exe	40
PID 2652 wrote to memory of 2924	2652	Dbkknojp.exe	40
PID 2652 wrote to memory of 2924	2652	Dbkknojp.exe	40
PID 2652 wrote to memory of 2924	2652	Dbkknojp.exe	40
PID 2924 wrote to memory of 2144	2924	Dhdcji32.exe	41
PID 2924 wrote to memory of 2144	2924	Dhdcji32.exe	41
PID 2924 wrote to memory of 2144	2924	Dhdcji32.exe	41
PID 2924 wrote to memory of 2144	2924	Dhdcji32.exe	41
PID 2144 wrote to memory of 2320	2144	Ehgppi32.exe	42
PID 2144 wrote to memory of 2320	2144	Ehgppi32.exe	42
PID 2144 wrote to memory of 2320	2144	Ehgppi32.exe	42
PID 2144 wrote to memory of 2320	2144	Ehgppi32.exe	42
PID 2320 wrote to memory of 2804	2320	Endhhp32.exe	43
PID 2320 wrote to memory of 2804	2320	Endhhp32.exe	43
PID 2320 wrote to memory of 2804	2320	Endhhp32.exe	43
PID 2320 wrote to memory of 2804	2320	Endhhp32.exe	43
PID 2804 wrote to memory of 2440	2804	Eqbddk32.exe	44
PID 2804 wrote to memory of 2440	2804	Eqbddk32.exe	44
PID 2804 wrote to memory of 2440	2804	Eqbddk32.exe	44
PID 2804 wrote to memory of 2440	2804	Eqbddk32.exe	44
PID 2440 wrote to memory of 1228	2440	Enfenplo.exe	45
PID 2440 wrote to memory of 1228	2440	Enfenplo.exe	45
PID 2440 wrote to memory of 1228	2440	Enfenplo.exe	45
PID 2440 wrote to memory of 1228	2440	Enfenplo.exe	45

C:\Users\Admin\AppData\Local\Temp\f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe
"C:\Users\Admin\AppData\Local\Temp\f1b3de2995f4ea4d391ad63f18a36c8d5588ddbacc34b779fc31697066f6b2b3N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\Cjfccn32.exe
  C:\Windows\system32\Cjfccn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\Cldooj32.exe
    C:\Windows\system32\Cldooj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\Ccngld32.exe
      C:\Windows\system32\Ccngld32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\Windows\SysWOW64\Dgjclbdi.exe
        
        C:\Windows\system32\Dgjclbdi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\Dfmdho32.exe
        
        C:\Windows\system32\Dfmdho32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Dfoqmo32.exe
        
        C:\Windows\system32\Dfoqmo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Djmicm32.exe
        
        C:\Windows\system32\Djmicm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Dcenlceh.exe
        
        C:\Windows\system32\Dcenlceh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Dlnbeh32.exe
        
        C:\Windows\system32\Dlnbeh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Dbkknojp.exe
        
        C:\Windows\system32\Dbkknojp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Dhdcji32.exe
        
        C:\Windows\system32\Dhdcji32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Ehgppi32.exe
        
        C:\Windows\system32\Ehgppi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Endhhp32.exe
        
        C:\Windows\system32\Endhhp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Eqbddk32.exe
        
        C:\Windows\system32\Eqbddk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Enfenplo.exe
        
        C:\Windows\system32\Enfenplo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Edpmjj32.exe
        
        C:\Windows\system32\Edpmjj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Eibbcm32.exe
        
        C:\Windows\system32\Eibbcm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Ebjglbml.exe
        
        C:\Windows\system32\Ebjglbml.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccngld32.exe

Filesize
96KB

MD5
2ccc75d6ed872a66496195f1422ca3b8

SHA1
6ce656227d6495914efaaae5adaeb6cc00c5bec0

SHA256
2b46ddf8544303668775cbf4ac08fbfd3fbd6864bafb9f26e6332db8a40f6e78

SHA512
430cc22f94b167b0cdbf4755c0146103a3d513914608b94396b48b49703e4f2aa4b9bdc59cf0cd3c1547277e5ccc885bb313da1dd098e63f4ff352cd49261774

Download Submit
C:\Windows\SysWOW64\Cjfccn32.exe

Filesize
96KB

MD5
fa4515b18f1bce5f3bb59b5a8728b664

SHA1
045269daeb81890c9a86cc4116f0cc4d2af5eeb8

SHA256
734b205d9b818554cd491377f4aaba0eb20e755ae09ff99715b155471329d255

SHA512
1566c513ca3d1852210beac402e94b104157aa79fde2e51bf2b30c6eed4157a7a84305ab4275346426c8ee2fd49155b06cc0e072cbb010e7760483263005d41a

Download Submit
C:\Windows\SysWOW64\Cldooj32.exe

Filesize
96KB

MD5
d33c38b52a20e56254853955ee623d0a

SHA1
c0d606f973824fad3c07cdcaf7a02b64e3dc4d31

SHA256
d47be4ed3cbbfbdc3fed517e79fc871015f2db73521c9b5deb4cadbdd52ad8ba

SHA512
04d0e8c114f4d7c921a6ed96c6a559c37846502dd0f3b094d35b3cc007cac66f32bbed2c188030f6d82c7ccb1e8583b7c04e2c094b52b91fed80958c911ea68a

Download Submit
C:\Windows\SysWOW64\Dfmdho32.exe

Filesize
96KB

MD5
13888170e215532b7401661d718796bb

SHA1
de5824398a60412a6bb03304834f83e8c02a4d32

SHA256
4d89763143be808d335de607dfb2275ba8a3181f7d56eba128f070f6c720498a

SHA512
6e28998b695fe57d208daeb3fe8686a3264f223bf81c426bba3d6dbd5a228e2ec0ba1d1f9fb63c07ec4b207c8731157446d10cf8ab3d080cff01bfb3f129b0ff

Download Submit
C:\Windows\SysWOW64\Dgjclbdi.exe

Filesize
96KB

MD5
2bc417ec200243f0bb5b51e22428bb8b

SHA1
77b4c4a53531053b948ecf9598bd253dc9a28886

SHA256
214ca05f59a07139f73a5ac482b50048a75cc62e304bda9bc45a598605cdc50e

SHA512
bdf27ea3cd1e1a0d4e8c0cca112e4cf40434f7a746af4bcffdedafba7e50422b61bb20c6cf3c3050d5a662b36ec34ce42b8aeeffdb35407c2746377bdef660f2

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
96KB

MD5
2a0c8f6640152ca582232a821c6c057e

SHA1
7e2639e7fb5960796d08cf62980f6b0c70b2cae8

SHA256
1efcdbf5ffcb6b74f614f8523d0937ea40fbfe335dafa607939dbb29b9171e42

SHA512
801ec4531d684a97c2aae32a339006cb4d6dfdee0398d66907c440c7bd5173bc1679fb500e8336abbd8a5c1301a6d84aa6b56d5aa79a59a618fbf29064363b09

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
96KB

MD5
8a45cac3f4ab416175167dbc1160a9e0

SHA1
92a16b36e8be12a776f334b727f38b2b22af8793

SHA256
6f6b5b43f67b9245048df3052b8bd0e0e959c667668ad9ff87e2f8ba29e574e2

SHA512
662f4c32e60e9e212a837479983e9254448ac63f8ce9cdf6e44a963cdca4c059cd1e24d3d3ed002017f04e6c581b681d509d84706c5072a2304d028eaa1418b8

Download Submit
C:\Windows\SysWOW64\Ehgppi32.exe

Filesize
96KB

MD5
8a5ba74676707e1cf1a2133122ef99e4

SHA1
4332a88449a222eaee4bfa9d97623476d14616d7

SHA256
39b2fcc6cf9173f1f52e852241a58f7bb04fa6c9cc8f877eae6f4db915c32fca

SHA512
26612ec7ec015c4bc22757431e9f149885bc8a043a5384f22bbd8e802a496d75ba7d57587f9f2d49ee26ba09649431c1d010e76787c96a9adbf3cbc32af0c97c

Download Submit
C:\Windows\SysWOW64\Eibbcm32.exe

Filesize
96KB

MD5
843152d5397aedd9d9ffe147072ad66e

SHA1
88af3c0e28c61e750ca78bff3bb5620292c028c4

SHA256
79e2db406c19cc107712ec958b6a4305768e8c47252681a14a2a99b949af1ec2

SHA512
d9c281f8a18ad2c27fc2a048be9105f49ddb6346d21da624a456092592d0323d8ec153e8a32cb0c18b680e5a48ba8e8262a7c5a31878343b1ec2aad1509c0c37

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
96KB

MD5
9420e07eeda869a9128ee14ca470d7bc

SHA1
ffffe355f4b544a61c082337dcd6bf276c5d7764

SHA256
0eb3a4ddc3eea43eef9e6e1638a18b0fbbbd31a785a9a969ff29ad91f23764b8

SHA512
bb21ca6120c72853329acd5488001427eeb83758dd01aaba0d6bfc70ad1998db27438fdea42146e6eea9c8cf1df9ccb691b29398169ef1804d15e3cbc9b29366

Download Submit
\Windows\SysWOW64\Dbkknojp.exe

Filesize
96KB

MD5
2aed5e0afceefe258802653bb3722e94

SHA1
146fa707e0172fabf731ab6e0bf67d80a5b6dfb8

SHA256
44ecfb63c255fdd5497bd3ad589b2d3cbc209caa9392456b0e65676731750914

SHA512
125e389cbb9fc658b3c15716fa9b3d0d55a2a1ee0a502d740b0ef9c4c59aebe63e04fbeb3accbcd59ee0a3807da6be94436c790ebe2cd94bb06297e70615dd3f

Download Submit
\Windows\SysWOW64\Dcenlceh.exe

Filesize
96KB

MD5
2a47d80f3ae38d8b023bb65fa0cf6bfc

SHA1
0530adad2b26534d553ef811c105d01156357a03

SHA256
4fbf78f67541db7de9722e79d79fb012b83397e5a3d199d933a649069c84fbc3

SHA512
ba505d9f43e9c7d65e0ddeb31a265088bb2d63cd7bdf47216549a389890f942cb70df2d3caedf4c55fa95428d67ea5470eb5ae6fec67febd542deef858a6318c

Download Submit
\Windows\SysWOW64\Dfoqmo32.exe

Filesize
96KB

MD5
487420c855ffa08122c6901c1c25f9cc

SHA1
499700ab4eaf7f2e17377998c15fb7f5ac101ac9

SHA256
29c62a3974c679d0817343459d59f66055b0de187d54ea86055fa4fb4af07cbd

SHA512
000b4b334bf4c7b43491aa0c4fbc112a289b789f09d96e16f60859bc22542f0950fd091b7d72a128cf32b38de35fcc0acc3fb499cd8b010890cdaa4a71d74b7a

Download Submit
\Windows\SysWOW64\Dhdcji32.exe

Filesize
96KB

MD5
5382f642ed43737dcf48041af0d3da21

SHA1
2610d36cdf044622c419ba4bf292b817114c0860

SHA256
86e9e5f69dde63cf3936342ac917ea6c61b55784a7756af635417f52898d2169

SHA512
83eeee04d15168dc0140c8f7c0bef99d9d92f336e9183cd6fee86c36f1f009c004afc941b9710202db896a708757258fcc1f192bc953203705e9ef7c18abec92

Download Submit
\Windows\SysWOW64\Djmicm32.exe

Filesize
96KB

MD5
345c1e3f20125142aeb9e59af42a8e9b

SHA1
f633196c88f8275d6fca3660d7d92e153fd81b74

SHA256
f1a205078443738a67fc156b5efe06fe9fe42450fd38f4706aa0b3e43e14a822

SHA512
03961e5e803cad08dec4bf5224ce8e2598f9918a70d84c08f7dfc18c38ae4b90c0c116c8f3b31efef0402c29af0f09c1c5a06b1474006d042db4c4f1934e762f

Download Submit
\Windows\SysWOW64\Dlnbeh32.exe

Filesize
96KB

MD5
e30cdcbf5aaf66aac606905d52bdb5fb

SHA1
8f2950d57235121c6c0c2e4a0870bf4203ddcd2e

SHA256
005e83f2981bf75534031e2d620b7a1a9a6c3b355d73c462b913de872a7a70cd

SHA512
4e20ccc331a03ccb3c8e09c6c50242366a2f47969b5d61a374daf9cebb6e9a7772c4f6ce494bc789a8f2769087e44b06aa99a1a531b394059db78fa4f778408f

Download Submit
\Windows\SysWOW64\Edpmjj32.exe

Filesize
96KB

MD5
6e814b1515ac03023776733a3497e012

SHA1
97a4e80b0ffe8a2f284f0a06e818592fe5fc4dd1

SHA256
ccd2240a97de70ccbcfe7743ac7ad6b1c77aa19003c1ada4b72584a60d98ab95

SHA512
84949c589bf1023b85520969629a5e731ee2fed9b4896a848b9b977c1dcb7ddb616b537af66108a095a480d096cc87196450b66dafd44336f7230a8ba78f3da1

Download Submit
\Windows\SysWOW64\Endhhp32.exe

Filesize
96KB

MD5
69b6fbda6a6f9a57b8f25d1e263b1afd

SHA1
7ab8e9ff779c51d3dccd32955f208f32d30f6f85

SHA256
1b9a3a9c87516fb40f006e63479441b9cbce120e190b1e7fd44dca6dfedbe4af

SHA512
96aad53bad2a19f49a2e1ec3fcbedcd4626b41c1ecf1884377a4bf3b6978b0ec10bcea4c02e476174281bd1cfa418ea90c820bdfdf0d5872a19d1232110574ff

Download Submit
\Windows\SysWOW64\Enfenplo.exe

Filesize
96KB

MD5
163da08d31bec784ec7a3c27ad16cb8c

SHA1
f21a41012f94564fc3cb1e9a48b049d19224b3a0

SHA256
42c831f88c6c633b4d8a92881c053a34b2696963f863c8a2331e02b42f3dec9c

SHA512
149954ca5dda45a4366359f7a5c94ce584bd3f300634a71bce73e3ce691431d23058d6d3335650a1db5e5b72b72f39973aaac752bdbb11483d21b1efdbf6e73c

Download Submit
\Windows\SysWOW64\Eqbddk32.exe

Filesize
96KB

MD5
5fabdce9c05fe1c6da2e328c9bfc3539

SHA1
e3555c89c6caab2b1f7f313229f457d1c7f8a706

SHA256
355d0b8b5550d5b62bab70a8e7bb040764a8a04fd2274c93de19eb719a7cdac4

SHA512
fc17315f257791d1a64cf127b3b8089d83a0dd6cb8e5fcb8dc9093b529746e5c8a34e10c6b1061ebb4abaf914941fc6b978e82c366d231ec7278a8552485ec4d

Download Submit
memory/468-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-242-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1052-234-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1228-227-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1228-226-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1228-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-254-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1592-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1692-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-187-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2320-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-210-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2440-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-75-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2664-81-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2664-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-55-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2736-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-206-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2804-205-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2804-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-156-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2924-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-63-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/3036-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-129-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3036-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads