berbew | 1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
Size

406KB
MD5

5cd18808d9e7822d7243c621b3669470
SHA1

540cd00c41ffaa83abb0f0f631d02fe8ad167b66
SHA256

1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4
SHA512

941128253db4ff315b589ac549bca0f37dd1ca2e5dcf7f643648a46715f70ef49d071e341b3c9accff55f19ab63791c9f3d72ea740490d9dce4845b1d0a65584
SSDEEP

6144:RlPoxdU5U5Xj1XH5U5Xj83XH5U1XH5U5Xj8s5DXH5U5qXH5XXH5U5oXH:RNo8Mp3Ma3M3MvD3Mq3B3Mo3

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egoife32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cclkfdnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfmdho32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dliijipn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccngld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfmdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dliijipn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egoife32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekhhadmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cclkfdnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekhhadmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emieil32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 19 IoCs

pid	Process
2552	Cdgneh32.exe
2716	Ckafbbph.exe
2464	Cclkfdnc.exe
2664	Cnaocmmi.exe
2632	Ccngld32.exe
2628	Dfmdho32.exe
264	Dfoqmo32.exe
1408	Dhnmij32.exe
2892	Dliijipn.exe
1568	Dlnbeh32.exe
1728	Dolnad32.exe
1844	Dookgcij.exe
540	Ebmgcohn.exe
380	Ekhhadmk.exe
2336	Emieil32.exe
2900	Egoife32.exe
2792	Eojnkg32.exe
1288	Effcma32.exe
1600	Fkckeh32.exe

Loads dropped DLL 42 IoCs

pid	Process
2080	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
2080	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
2552	Cdgneh32.exe
2552	Cdgneh32.exe
2716	Ckafbbph.exe
2716	Ckafbbph.exe
2464	Cclkfdnc.exe
2464	Cclkfdnc.exe
2664	Cnaocmmi.exe
2664	Cnaocmmi.exe
2632	Ccngld32.exe
2632	Ccngld32.exe
2628	Dfmdho32.exe
2628	Dfmdho32.exe
264	Dfoqmo32.exe
264	Dfoqmo32.exe
1408	Dhnmij32.exe
1408	Dhnmij32.exe
2892	Dliijipn.exe
2892	Dliijipn.exe
1568	Dlnbeh32.exe
1568	Dlnbeh32.exe
1728	Dolnad32.exe
1728	Dolnad32.exe
1844	Dookgcij.exe
1844	Dookgcij.exe
540	Ebmgcohn.exe
540	Ebmgcohn.exe
380	Ekhhadmk.exe
380	Ekhhadmk.exe
2336	Emieil32.exe
2336	Emieil32.exe
2900	Egoife32.exe
2900	Egoife32.exe
2792	Eojnkg32.exe
2792	Eojnkg32.exe
1288	Effcma32.exe
1288	Effcma32.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dolnad32.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Egoife32.exe	Emieil32.exe
File created	C:\Windows\SysWOW64\Eojnkg32.exe	Egoife32.exe
File created	C:\Windows\SysWOW64\Hadfjo32.dll	Ckafbbph.exe
File created	C:\Windows\SysWOW64\Dfoqmo32.exe	Dfmdho32.exe
File opened for modification	C:\Windows\SysWOW64\Cclkfdnc.exe	Ckafbbph.exe
File opened for modification	C:\Windows\SysWOW64\Dookgcij.exe	Dolnad32.exe
File created	C:\Windows\SysWOW64\Ccngld32.exe	Cnaocmmi.exe
File opened for modification	C:\Windows\SysWOW64\Ebmgcohn.exe	Dookgcij.exe
File created	C:\Windows\SysWOW64\Epjomppp.dll	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Jkhgfq32.dll	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Ekhhadmk.exe	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Aphdelhp.dll	Ekhhadmk.exe
File opened for modification	C:\Windows\SysWOW64\Eojnkg32.exe	Egoife32.exe
File created	C:\Windows\SysWOW64\Cdgneh32.exe	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
File created	C:\Windows\SysWOW64\Ckafbbph.exe	Cdgneh32.exe
File opened for modification	C:\Windows\SysWOW64\Dliijipn.exe	Dhnmij32.exe
File opened for modification	C:\Windows\SysWOW64\Emieil32.exe	Ekhhadmk.exe
File opened for modification	C:\Windows\SysWOW64\Cnaocmmi.exe	Cclkfdnc.exe
File created	C:\Windows\SysWOW64\Akigbbni.dll	Cnaocmmi.exe
File created	C:\Windows\SysWOW64\Dookgcij.exe	Dolnad32.exe
File created	C:\Windows\SysWOW64\Dliijipn.exe	Dhnmij32.exe
File opened for modification	C:\Windows\SysWOW64\Effcma32.exe	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Affcmdmb.dll	Eojnkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdgneh32.exe	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
File created	C:\Windows\SysWOW64\Cnaocmmi.exe	Cclkfdnc.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Effcma32.exe
File created	C:\Windows\SysWOW64\Nnfbei32.dll	Dliijipn.exe
File created	C:\Windows\SysWOW64\Ffpncj32.dll	Emieil32.exe
File created	C:\Windows\SysWOW64\Ebmgcohn.exe	Dookgcij.exe
File created	C:\Windows\SysWOW64\Amfidj32.dll	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Nmnlfg32.dll	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
File created	C:\Windows\SysWOW64\Fileil32.dll	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Mcfidhng.dll	Dfmdho32.exe
File created	C:\Windows\SysWOW64\Ekhhadmk.exe	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Fogilika.dll	Ccngld32.exe
File opened for modification	C:\Windows\SysWOW64\Dfoqmo32.exe	Dfmdho32.exe
File created	C:\Windows\SysWOW64\Dfmdho32.exe	Ccngld32.exe
File opened for modification	C:\Windows\SysWOW64\Egoife32.exe	Emieil32.exe
File created	C:\Windows\SysWOW64\Effcma32.exe	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Cclkfdnc.exe	Ckafbbph.exe
File opened for modification	C:\Windows\SysWOW64\Ccngld32.exe	Cnaocmmi.exe
File created	C:\Windows\SysWOW64\Clialdph.dll	Dookgcij.exe
File created	C:\Windows\SysWOW64\Gjhfbach.dll	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Dolnad32.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Galmmc32.dll	Dlnbeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ckafbbph.exe	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Dlnbeh32.exe	Dliijipn.exe
File opened for modification	C:\Windows\SysWOW64\Dhnmij32.exe	Dfoqmo32.exe
File opened for modification	C:\Windows\SysWOW64\Dlnbeh32.exe	Dliijipn.exe
File opened for modification	C:\Windows\SysWOW64\Dfmdho32.exe	Ccngld32.exe
File created	C:\Windows\SysWOW64\Dhnmij32.exe	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Lkmkpl32.dll	Egoife32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Lklohbmo.dll	Cclkfdnc.exe
File created	C:\Windows\SysWOW64\Emieil32.exe	Ekhhadmk.exe

Program crash 1 IoCs

pid	pid_target	Process
1852	1600	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekhhadmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egoife32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Effcma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgneh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckafbbph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaocmmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhnmij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eojnkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccngld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfoqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dolnad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dookgcij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebmgcohn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emieil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cclkfdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfmdho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dliijipn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlnbeh32.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cclkfdnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekhhadmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfmdho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll"	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfmdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fileil32.dll"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akigbbni.dll"	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dookgcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll"	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll"	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clialdph.dll"	Dookgcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egoife32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnlfg32.dll"	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll"	Egoife32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogilika.dll"	Ccngld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklohbmo.dll"	Cclkfdnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpncj32.dll"	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhfbach.dll"	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dolnad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cclkfdnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dolnad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll"	Dfmdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekhhadmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egoife32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eojnkg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2552	2080	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe	28
PID 2080 wrote to memory of 2552	2080	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe	28
PID 2080 wrote to memory of 2552	2080	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe	28
PID 2080 wrote to memory of 2552	2080	1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe	28
PID 2552 wrote to memory of 2716	2552	Cdgneh32.exe	29
PID 2552 wrote to memory of 2716	2552	Cdgneh32.exe	29
PID 2552 wrote to memory of 2716	2552	Cdgneh32.exe	29
PID 2552 wrote to memory of 2716	2552	Cdgneh32.exe	29
PID 2716 wrote to memory of 2464	2716	Ckafbbph.exe	30
PID 2716 wrote to memory of 2464	2716	Ckafbbph.exe	30
PID 2716 wrote to memory of 2464	2716	Ckafbbph.exe	30
PID 2716 wrote to memory of 2464	2716	Ckafbbph.exe	30
PID 2464 wrote to memory of 2664	2464	Cclkfdnc.exe	31
PID 2464 wrote to memory of 2664	2464	Cclkfdnc.exe	31
PID 2464 wrote to memory of 2664	2464	Cclkfdnc.exe	31
PID 2464 wrote to memory of 2664	2464	Cclkfdnc.exe	31
PID 2664 wrote to memory of 2632	2664	Cnaocmmi.exe	32
PID 2664 wrote to memory of 2632	2664	Cnaocmmi.exe	32
PID 2664 wrote to memory of 2632	2664	Cnaocmmi.exe	32
PID 2664 wrote to memory of 2632	2664	Cnaocmmi.exe	32
PID 2632 wrote to memory of 2628	2632	Ccngld32.exe	33
PID 2632 wrote to memory of 2628	2632	Ccngld32.exe	33
PID 2632 wrote to memory of 2628	2632	Ccngld32.exe	33
PID 2632 wrote to memory of 2628	2632	Ccngld32.exe	33
PID 2628 wrote to memory of 264	2628	Dfmdho32.exe	34
PID 2628 wrote to memory of 264	2628	Dfmdho32.exe	34
PID 2628 wrote to memory of 264	2628	Dfmdho32.exe	34
PID 2628 wrote to memory of 264	2628	Dfmdho32.exe	34
PID 264 wrote to memory of 1408	264	Dfoqmo32.exe	35
PID 264 wrote to memory of 1408	264	Dfoqmo32.exe	35
PID 264 wrote to memory of 1408	264	Dfoqmo32.exe	35
PID 264 wrote to memory of 1408	264	Dfoqmo32.exe	35
PID 1408 wrote to memory of 2892	1408	Dhnmij32.exe	36
PID 1408 wrote to memory of 2892	1408	Dhnmij32.exe	36
PID 1408 wrote to memory of 2892	1408	Dhnmij32.exe	36
PID 1408 wrote to memory of 2892	1408	Dhnmij32.exe	36
PID 2892 wrote to memory of 1568	2892	Dliijipn.exe	37
PID 2892 wrote to memory of 1568	2892	Dliijipn.exe	37
PID 2892 wrote to memory of 1568	2892	Dliijipn.exe	37
PID 2892 wrote to memory of 1568	2892	Dliijipn.exe	37
PID 1568 wrote to memory of 1728	1568	Dlnbeh32.exe	38
PID 1568 wrote to memory of 1728	1568	Dlnbeh32.exe	38
PID 1568 wrote to memory of 1728	1568	Dlnbeh32.exe	38
PID 1568 wrote to memory of 1728	1568	Dlnbeh32.exe	38
PID 1728 wrote to memory of 1844	1728	Dolnad32.exe	39
PID 1728 wrote to memory of 1844	1728	Dolnad32.exe	39
PID 1728 wrote to memory of 1844	1728	Dolnad32.exe	39
PID 1728 wrote to memory of 1844	1728	Dolnad32.exe	39
PID 1844 wrote to memory of 540	1844	Dookgcij.exe	40
PID 1844 wrote to memory of 540	1844	Dookgcij.exe	40
PID 1844 wrote to memory of 540	1844	Dookgcij.exe	40
PID 1844 wrote to memory of 540	1844	Dookgcij.exe	40
PID 540 wrote to memory of 380	540	Ebmgcohn.exe	41
PID 540 wrote to memory of 380	540	Ebmgcohn.exe	41
PID 540 wrote to memory of 380	540	Ebmgcohn.exe	41
PID 540 wrote to memory of 380	540	Ebmgcohn.exe	41
PID 380 wrote to memory of 2336	380	Ekhhadmk.exe	42
PID 380 wrote to memory of 2336	380	Ekhhadmk.exe	42
PID 380 wrote to memory of 2336	380	Ekhhadmk.exe	42
PID 380 wrote to memory of 2336	380	Ekhhadmk.exe	42
PID 2336 wrote to memory of 2900	2336	Emieil32.exe	43
PID 2336 wrote to memory of 2900	2336	Emieil32.exe	43
PID 2336 wrote to memory of 2900	2336	Emieil32.exe	43
PID 2336 wrote to memory of 2900	2336	Emieil32.exe	43

C:\Users\Admin\AppData\Local\Temp\1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe
"C:\Users\Admin\AppData\Local\Temp\1075ad8caab21ae410a1a2162e5e1347821e23c20dab50d1f85cb5d0d006e4b4N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\Cdgneh32.exe
  C:\Windows\system32\Cdgneh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\Ckafbbph.exe
    C:\Windows\system32\Ckafbbph.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\Cclkfdnc.exe
      C:\Windows\system32\Cclkfdnc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\Cnaocmmi.exe
        
        C:\Windows\system32\Cnaocmmi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Ccngld32.exe
        
        C:\Windows\system32\Ccngld32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Dfmdho32.exe
        
        C:\Windows\system32\Dfmdho32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Dfoqmo32.exe
        
        C:\Windows\system32\Dfoqmo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Dhnmij32.exe
        
        C:\Windows\system32\Dhnmij32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Dliijipn.exe
        
        C:\Windows\system32\Dliijipn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Dlnbeh32.exe
        
        C:\Windows\system32\Dlnbeh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Dolnad32.exe
        
        C:\Windows\system32\Dolnad32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Dookgcij.exe
        
        C:\Windows\system32\Dookgcij.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Ebmgcohn.exe
        
        C:\Windows\system32\Ebmgcohn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Ekhhadmk.exe
        
        C:\Windows\system32\Ekhhadmk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Emieil32.exe
        
        C:\Windows\system32\Emieil32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Egoife32.exe
        
        C:\Windows\system32\Egoife32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Eojnkg32.exe
        
        C:\Windows\system32\Eojnkg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Effcma32.exe
        
        C:\Windows\system32\Effcma32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccngld32.exe

Filesize
406KB

MD5
975554d8f6650c7cd48ed7e4479d2a27

SHA1
5f2ff56b7b24b3a55782af57f4e5de3402bd9001

SHA256
fcac616d181174cced887890aaa0a011325583ec38910cd65425b5d353a4a912

SHA512
e4c3d4b06346816fe4096d68c4b1ed9ec030555702c4062fe02a8cfba9407019c97d3e38514733a1172d5964968d0de76e28df0f9cbe60179bb2d81221a50257

Download Submit
C:\Windows\SysWOW64\Cdgneh32.exe

Filesize
406KB

MD5
b992e5a49bbe3ad7be72665d22530b4d

SHA1
fc1b2a0dabbb5c4ef946a360b7f8de39e63ed163

SHA256
030d797d5cb118f5e10ffed6824f73a603917768da7556a428c93688de829e00

SHA512
123fb865b7558d0010cca50a0a92284e5181c1d697a5cbe7858892d3156490d32596860dde53b3c581542cbd2d88e97e04f209a73a3f3960d21f30c64456e924

Download Submit
C:\Windows\SysWOW64\Ckafbbph.exe

Filesize
406KB

MD5
8dc6f9178daee99d56a427e16b3f4b89

SHA1
def66324de5e42ac9366b9b5f371277340caf6b2

SHA256
6b7f11c1e32aed60e2dfdd672c7a20268b98c4b077b8b7b3798a6fabaa4b73a6

SHA512
16d0467b228529e0b3589ab6db2b272f0a81db85b95c906e1cc7e88f236cff56ee3870109e52976fca8ba14a9fdf8216595dd42660fcc9c87c1f80ba812fa704

Download Submit
C:\Windows\SysWOW64\Dfoqmo32.exe

Filesize
406KB

MD5
284f8ef60be1d8572899ae25c5d4ab5d

SHA1
414e9af48df43b62c347e28066fb78895b73314f

SHA256
e23293f5d20573f5439bb104b884f553c534005d359862b37859691955b08c54

SHA512
6022c0c61d64e60bf28b77fce72871022ae18bd85c732899127ac65d2353ff786403f02b66c5884e3f0703e520c247ab4a9701fcec56f05e4385e1fd66015dba

Download Submit
C:\Windows\SysWOW64\Dliijipn.exe

Filesize
406KB

MD5
9be79a45faaf95d7cac7242d2e197a52

SHA1
ebcba5b241c1506b29a95726c50db9ebd4be5cf9

SHA256
5a7d6a86b7f47513b9e3e9ad29817e34a028195a24d0ac19787562c6091d0944

SHA512
7c4081d66417a1827456821c7776d1ec25225a18ff4c46bb209b96b429ae78c3a8d37c63ab7023f2232efc288f505969ed8201b92147bb5e3d53f42c675a7767

Download Submit
C:\Windows\SysWOW64\Dlnbeh32.exe

Filesize
406KB

MD5
4fa5639e9195c724f4aa6991d7dfdb9a

SHA1
c71d26d34d14d55d004824cdbb4df8583923ce70

SHA256
7aba43f97370d9ba03a2a094a744511530cea1dc47b3ded64b20603756321ebd

SHA512
39c28221ebcaaee6a65795e6b7988c057185e8ac82a1065e9ef6e2e6792766eb8085be0f3f3109409e5484081774b52fce1ef6cf1522b7952ed16fb80b053f6e

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
406KB

MD5
d6ceb7346651451b29f02f3018957875

SHA1
32ef49a84658595e619e962525752ea8db536624

SHA256
9e0fbe64fa88c829db6e3967c1fbdde70e37218f9ec2accbb0245112c00a94fc

SHA512
2de5712c7dcff5f2cff174f669db22e9228cc79dfaf1f887977b357b9cdd69acc8b8b32af7925f6c665a41750dece3a01d84e5912ea3c7c5f033bdcbaa5a3381

Download Submit
C:\Windows\SysWOW64\Dookgcij.exe

Filesize
406KB

MD5
f6f637a29f10f6f07d36892f99abd863

SHA1
b25869f4fb59dba70d5f636c70f648c37cee439e

SHA256
b148a878cd4cf5b7ff527a70f02422eff2602bc5bf79210ac0be14e9ca702834

SHA512
250dc2a277c623c74ddae4237b0e18e2e18938d0958d9a78cef07682bebbc4dc6e699ce0fc8cb90aaee2927bf21a4789e20244cd1896a37525c177dcfbbfc26a

Download Submit
C:\Windows\SysWOW64\Ebmgcohn.exe

Filesize
406KB

MD5
5d45facfdffea28621320175e77e3ad0

SHA1
3de442b6ce5135ac6d129f60628175b58b082809

SHA256
85885f34f1e4d25a5cd060f72ffa3623f3224ee030d9870cc9066dce2a3a6c79

SHA512
72944c880e16f5afce9a35cea31087854efef7353a22b1c24a75f16b92a5dda22db7d738233022e885233cc2a146be911be1d5eef2071e1455da2025b7e880b7

Download Submit
C:\Windows\SysWOW64\Effcma32.exe

Filesize
406KB

MD5
0c898accdcf276c6f6e338006fddbd2d

SHA1
2e48309e50a595682f9b39f4c8794bbda1f542f0

SHA256
e5c14d447ea0484cce9bb4561993dd9f7646d4e42ce6c56abadf66193d633b8f

SHA512
d51b6e7183ba3bbeca0879964bb285990f45e6215dd2b25251933f82ab990c930e4659411e6d3ebf52f43cada132cc8fc91a1712a90782a931f04b553284ee8b

Download Submit
C:\Windows\SysWOW64\Egoife32.exe

Filesize
406KB

MD5
70ba71e9e96616e321f02acd5c48d144

SHA1
624bb43ba7d57f6a4eb03a54e642391af56d75cc

SHA256
7aa34cfb65d66685dbc034415c0371e973f48e02410caca3175fce6d411502b2

SHA512
6000c3f24c6156f6318dcde376f67c7dc23ac9b5458f8d541ed94cb734e84cc2be88ccd92975506ea87817020fe81a51c8d79121c425bd715431b0577c4db03d

Download Submit
C:\Windows\SysWOW64\Ekhhadmk.exe

Filesize
406KB

MD5
34b23267c3648c0da296684f2c7f325a

SHA1
a4fe6a762731556221ba054df2edbf8431b4a8dd

SHA256
b8f3ba1e177d330707db2c6317dac7479c829999478deeb5c0af41d3c646ba31

SHA512
5c99127070fd6ba1025051bcfb6a41ccfd44bba19afaa48e767b3a697cc01dfdd687331dafd11e0f929e80539df95b1915836a2624b9714c64af83baf1640ec4

Download Submit
C:\Windows\SysWOW64\Emieil32.exe

Filesize
406KB

MD5
2be734b2ff5624edc1cb93ceff46ab91

SHA1
6188e1d5a8bdf4721765fecf083904bde7354840

SHA256
e2e7e9313c42ccfde7f90a90108899649fc7f9822ef99f27973c1141e90c4dc5

SHA512
0f8f54ef16ca8fa7a4cbc4a557b18ddc555196316388ae22bdc129c7dd823dad40018576e3bb5c1f40c5083e46e5a5f19cd1ab029ca2e5a3e85f33c968d3bf2c

Download Submit
C:\Windows\SysWOW64\Eojnkg32.exe

Filesize
406KB

MD5
4886e0033dff626cee78f5ef16b6eff2

SHA1
6d0e75e65c9f25fce66010b8d862a10af77f85df

SHA256
1dc2fab8f092a735b7d70f711a53ed991819420095d5d9d3f99d51a8e8578227

SHA512
68a00e6bf575835f1f897c92f2a6a3492ab36523ff60c0e02e770342047b26427ba71cf8c6d6f253477d8a9265cad0cec06800eb6dc88e187e06dee668047076

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
406KB

MD5
32b4f91e4a3a2d63de1efa39c45bab33

SHA1
c2e67c0bb5a8e25464b391e1409374afff4c0dc5

SHA256
89c43b18a22cfe866e34ac9a6df73609671aa77be3391c2f438994a5097f6abb

SHA512
2d4b36a23f13c603d279ed56c0660472b435052753089455098364dbf58bf49bca6d95797a0d79ea8847d7a9d646544b93ee48fef47e5af9e6b7b9169e919ce6

Download Submit
\Windows\SysWOW64\Cclkfdnc.exe

Filesize
406KB

MD5
e280ebc477c3f042e738be5903efd918

SHA1
c8053143d379096ff68a7e22167a5ee114c7993c

SHA256
6c6f93bb52f41cab9a5b375f68bb79f6e8cd545104671b5296d45f6e882b090d

SHA512
6db1a58117ff40e53f493180591a378905993c848200d73c488f7b2ead0daac704ac96d70bbd59e6c9dc18006dedc7a335fea3b64abd3ef122738c3088308200

Download Submit
\Windows\SysWOW64\Cnaocmmi.exe

Filesize
406KB

MD5
52482446d54eb598d97910e211f22f7c

SHA1
4052d09d62dfc1a0c8515fddfb61a36770045930

SHA256
a70f2dafa1953c2d0030a45807a02863d77bdc50587b637031c0482da0f2768e

SHA512
ead2c7d2b8ce2d756c53fa601b0214243e0b5bdb38de1d172317a729e22af6faadb723661ce0f2331172d45f2071f7ba29721bd074cdd3af3b50bb7f6ddf3625

Download Submit
\Windows\SysWOW64\Dfmdho32.exe

Filesize
406KB

MD5
f6b44b197fd5b9c930ddac71664061d5

SHA1
ac4e03e13bea689c85c63aeeec9c857affcbacad

SHA256
6ca0c45732f418cb1687849f9a3e299a1e83a6291f14046d86a884cce8f4e6cc

SHA512
6879860973c0d3c5549dccdefc51b57ea3ce26e8c40cdaec33701294f118e3ee3d8cc3d69362657f173b79df31faaed6fb382fb3c9c850ce7cb6d1ecb645f480

Download Submit
\Windows\SysWOW64\Dhnmij32.exe

Filesize
406KB

MD5
624ea787dd40264ea20033248237c74d

SHA1
ecdf907707ab7445b11135940070068ef55a9e06

SHA256
34b57e6a5c2d174c50197ea75585d723f62c6e574b672ac51bde9b55fc34844b

SHA512
e443d6961ff33e2333d7909905932327fb416e21742b640f098a81023c9d86d6bb330dc7b508dfdc76c52454dafdd801239084a481f69d13aaa6c1f95c790959

Download Submit
memory/264-108-0x0000000001F80000-0x0000000002010000-memory.dmp

Filesize
576KB

Download
memory/264-105-0x0000000001F80000-0x0000000002010000-memory.dmp

Filesize
576KB

Download
memory/264-92-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/264-284-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/380-197-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/380-280-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/380-213-0x0000000000250000-0x00000000002E0000-memory.dmp

Filesize
576KB

Download
memory/380-210-0x0000000000250000-0x00000000002E0000-memory.dmp

Filesize
576KB

Download
memory/540-195-0x00000000006F0000-0x0000000000780000-memory.dmp

Filesize
576KB

Download
memory/540-272-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/540-196-0x00000000006F0000-0x0000000000780000-memory.dmp

Filesize
576KB

Download
memory/540-184-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1288-260-0x0000000000340000-0x00000000003D0000-memory.dmp

Filesize
576KB

Download
memory/1288-250-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1288-265-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1288-256-0x0000000000340000-0x00000000003D0000-memory.dmp

Filesize
576KB

Download
memory/1408-288-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1408-121-0x0000000000490000-0x0000000000520000-memory.dmp

Filesize
576KB

Download
memory/1408-285-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1408-119-0x0000000000490000-0x0000000000520000-memory.dmp

Filesize
576KB

Download
memory/1408-106-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1568-137-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1568-277-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1568-145-0x00000000002D0000-0x0000000000360000-memory.dmp

Filesize
576KB

Download
memory/1568-150-0x00000000002D0000-0x0000000000360000-memory.dmp

Filesize
576KB

Download
memory/1600-261-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1600-301-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1728-166-0x0000000001FC0000-0x0000000002050000-memory.dmp

Filesize
576KB

Download
memory/1728-286-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1728-152-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1728-165-0x0000000001FC0000-0x0000000002050000-memory.dmp

Filesize
576KB

Download
memory/1844-171-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1844-180-0x00000000002D0000-0x0000000000360000-memory.dmp

Filesize
576KB

Download
memory/1844-181-0x00000000002D0000-0x0000000000360000-memory.dmp

Filesize
576KB

Download
memory/1844-273-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2080-17-0x0000000000330000-0x00000000003C0000-memory.dmp

Filesize
576KB

Download
memory/2080-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2080-300-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2336-274-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2336-225-0x0000000000360000-0x00000000003F0000-memory.dmp

Filesize
576KB

Download
memory/2336-211-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2336-226-0x0000000000360000-0x00000000003F0000-memory.dmp

Filesize
576KB

Download
memory/2464-291-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2552-298-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2552-25-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2628-78-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2628-90-0x0000000000490000-0x0000000000520000-memory.dmp

Filesize
576KB

Download
memory/2628-283-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2632-287-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2632-294-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2632-77-0x0000000002090000-0x0000000002120000-memory.dmp

Filesize
576KB

Download
memory/2664-51-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2664-63-0x0000000000250000-0x00000000002E0000-memory.dmp

Filesize
576KB

Download
memory/2664-296-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2664-293-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2716-292-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2716-31-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2792-239-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2792-248-0x0000000000250000-0x00000000002E0000-memory.dmp

Filesize
576KB

Download
memory/2792-249-0x0000000000250000-0x00000000002E0000-memory.dmp

Filesize
576KB

Download
memory/2792-266-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2892-135-0x0000000000250000-0x00000000002E0000-memory.dmp

Filesize
576KB

Download
memory/2892-136-0x0000000000250000-0x00000000002E0000-memory.dmp

Filesize
576KB

Download
memory/2892-122-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2892-278-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2892-276-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-230-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-238-0x0000000001F80000-0x0000000002010000-memory.dmp

Filesize
576KB

Download
memory/2900-234-0x0000000001F80000-0x0000000002010000-memory.dmp

Filesize
576KB

Download
memory/2900-268-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads