berbew | f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a

Analysis

max time kernel
83s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
Size

3.2MB
MD5

5ee3d5d4becbe49f0956d523fb4d1abc
SHA1

6f60b0e8461ad7f75b2317e505de94dc85e1e2b0
SHA256

f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a
SHA512

5092606e53b31545ce1c1c7047dba67cc760a4cfeeb228de6d0852a76031c1e3c1441effdca5aff3fe6b4adaf141940558d65c39e0eaf38aa61bec1e016566ee
SSDEEP

98304:1UlBFLPj3JStuv40ar7zrbDlsa2VIlPWYv1NT/YUugy:1UlBFLPj3JStuv40ar7zrbDlsa2VIlPu

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkalbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkalbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edoencdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdiakp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 9 IoCs

pid	Process
2216	Dckoia32.exe
2984	Dpopbepi.exe
2520	Edoencdm.exe
5088	Eahobg32.exe
3592	Fnjocf32.exe
1424	Gjaphgpl.exe
1444	Gkalbj32.exe
656	Gdiakp32.exe
1796	Gbmadd32.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Eahobg32.exe
File created	C:\Windows\SysWOW64\Gjaphgpl.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Gdiakp32.exe	Gkalbj32.exe
File opened for modification	C:\Windows\SysWOW64\Gdiakp32.exe	Gkalbj32.exe
File created	C:\Windows\SysWOW64\Backedki.dll	Gkalbj32.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Efehkimj.dll	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
File opened for modification	C:\Windows\SysWOW64\Eahobg32.exe	Edoencdm.exe
File created	C:\Windows\SysWOW64\Jodamh32.dll	Edoencdm.exe
File created	C:\Windows\SysWOW64\Qjfpkhpm.dll	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Apocmn32.dll	Gjaphgpl.exe
File opened for modification	C:\Windows\SysWOW64\Edoencdm.exe	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Ndmojj32.dll	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Fnjocf32.exe	Eahobg32.exe
File opened for modification	C:\Windows\SysWOW64\Fnjocf32.exe	Eahobg32.exe
File created	C:\Windows\SysWOW64\Gkalbj32.exe	Gjaphgpl.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Dckoia32.exe	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
File opened for modification	C:\Windows\SysWOW64\Dckoia32.exe	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
File created	C:\Windows\SysWOW64\Hhdebqbi.dll	Dckoia32.exe
File created	C:\Windows\SysWOW64\Edoencdm.exe	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Eahobg32.exe	Edoencdm.exe
File opened for modification	C:\Windows\SysWOW64\Gjaphgpl.exe	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Gkalbj32.exe	Gjaphgpl.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Dckoia32.exe
File opened for modification	C:\Windows\SysWOW64\Dpopbepi.exe	Dckoia32.exe

Program crash 1 IoCs

pid	pid_target	Process
3388	1796	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eahobg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdiakp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbmadd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dckoia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjaphgpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkalbj32.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfpkhpm.dll"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apocmn32.dll"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkalbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dckoia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edoencdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkalbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dckoia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efehkimj.dll"	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backedki.dll"	Gkalbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdebqbi.dll"	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmojj32.dll"	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodamh32.dll"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll"	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eahobg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edoencdm.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2216	2072	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe	88
PID 2072 wrote to memory of 2216	2072	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe	88
PID 2072 wrote to memory of 2216	2072	f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe	88
PID 2216 wrote to memory of 2984	2216	Dckoia32.exe	89
PID 2216 wrote to memory of 2984	2216	Dckoia32.exe	89
PID 2216 wrote to memory of 2984	2216	Dckoia32.exe	89
PID 2984 wrote to memory of 2520	2984	Dpopbepi.exe	90
PID 2984 wrote to memory of 2520	2984	Dpopbepi.exe	90
PID 2984 wrote to memory of 2520	2984	Dpopbepi.exe	90
PID 2520 wrote to memory of 5088	2520	Edoencdm.exe	92
PID 2520 wrote to memory of 5088	2520	Edoencdm.exe	92
PID 2520 wrote to memory of 5088	2520	Edoencdm.exe	92
PID 5088 wrote to memory of 3592	5088	Eahobg32.exe	93
PID 5088 wrote to memory of 3592	5088	Eahobg32.exe	93
PID 5088 wrote to memory of 3592	5088	Eahobg32.exe	93
PID 3592 wrote to memory of 1424	3592	Fnjocf32.exe	94
PID 3592 wrote to memory of 1424	3592	Fnjocf32.exe	94
PID 3592 wrote to memory of 1424	3592	Fnjocf32.exe	94
PID 1424 wrote to memory of 1444	1424	Gjaphgpl.exe	95
PID 1424 wrote to memory of 1444	1424	Gjaphgpl.exe	95
PID 1424 wrote to memory of 1444	1424	Gjaphgpl.exe	95
PID 1444 wrote to memory of 656	1444	Gkalbj32.exe	96
PID 1444 wrote to memory of 656	1444	Gkalbj32.exe	96
PID 1444 wrote to memory of 656	1444	Gkalbj32.exe	96
PID 656 wrote to memory of 1796	656	Gdiakp32.exe	97
PID 656 wrote to memory of 1796	656	Gdiakp32.exe	97
PID 656 wrote to memory of 1796	656	Gdiakp32.exe	97

C:\Users\Admin\AppData\Local\Temp\f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe
"C:\Users\Admin\AppData\Local\Temp\f69e040123c624cf530ea91c1ac8ae5be8c674066b0782b4f58b77233ae0193a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\Dckoia32.exe
  C:\Windows\system32\Dckoia32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Dpopbepi.exe
    C:\Windows\system32\Dpopbepi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\Edoencdm.exe
      C:\Windows\system32\Edoencdm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
      - C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 412
        11⤵
        Program crash
        
        PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1796 -ip 1796
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dckoia32.exe

Filesize
3.2MB

MD5
a6f05eed4d276dce7d8b20db23ed1b2e

SHA1
2186481b8a6cc4701bc2b7826eb018fea57bb46d

SHA256
06b67c3c475537fde3aff8eacdf168d7bf78820a9cf3e512cb3b16061ee5d548

SHA512
c4b5cef22aacb15012c9f0dadcfa8e7091467936a834768707f02ea86fcb2e31e2def8068237ebaafc82ec9521bfad13ec25c08f3d058cbc3bb77afcd3feb41a

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
3.2MB

MD5
fc10cee928ec0b9208451d0966d2ff0c

SHA1
db8bcfd25981982de57701060f00e022b76347da

SHA256
f00af0e4602dbe1ed2f4809acee7302104fb2fcea5ddbb3e5912fdf6ba0927d3

SHA512
baa26d230417bd25d4923dc9c5e355b5c15b39e5795421f4d366d9b060d4967d35cea9dc1241dff44946845162b1249982b2915687e822d86cd6dd4aed0ed5a4

Download Submit
C:\Windows\SysWOW64\Eahobg32.exe

Filesize
3.2MB

MD5
8c239f7a646b0b8f5dd99a5267897ea8

SHA1
4ea4da614ae91c18b2419354f978c94b28af9eae

SHA256
8663542ef0ad795b9bfef9dc244b280d02c525e9e2689e615d3c988c0a65d214

SHA512
0e7d6009a28286cf6b0a6410b5e10875fe2c5e355ce43c331214f0410a9e34a8b14ebeb26f515267e1a9409eb2d55aafe6969a2a71f487e3dd6f21020bc2fb2d

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
3.2MB

MD5
cae720a146719a8228169c4a71c15b26

SHA1
f9703d1ed54ac49047231b462b1513a83e33e46a

SHA256
3353cfea2926362c0c7aa7d05884953060b879c7e9187f19cd1bf7e6e1964d9e

SHA512
4fbf422e9c8bcb47cdf1be76c9e8d82595ea1ee229de1cd75c9b61a63eb6bb0c6edbdaf760d6609a4ae0830b07bb5e175868ba61fd5dac718cf87a2ceb253cdf

Download Submit
C:\Windows\SysWOW64\Fnjocf32.exe

Filesize
3.2MB

MD5
9f3ce63e13b07dd92268db9abe8d735d

SHA1
9e269b4f5a194f0382f0e9e7ab2b92db753581f5

SHA256
999c3a3b0d53dc869e165adf4b73e578baca8158318249641266680fdf07ec0c

SHA512
7fe09c8da908d5a0e0049389600c0ec4ffd38a704a6f41d54a7950fffa66a9c8315664336eb2a9adef982d8dc8216251449f9f2af8456b2afe487a1b22285efe

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
3.2MB

MD5
61744b79bc2744981975c13217b242fc

SHA1
4147bedfc09413cb10c34e488ec4a15d3887d363

SHA256
3cc7f2bb18bbfa42ed6612dd88eb76af55d08e335899d163f5e4486405ef1756

SHA512
2f72c3863612cd94d655caf91890b6c857ca8f849e4b69c6857051e98c5135a95ad4c7f60835ec882902e97d96bde767baa8f7707fbc75580a2777456df3a074

Download Submit
C:\Windows\SysWOW64\Gdiakp32.exe

Filesize
3.2MB

MD5
d4302b7cfd9a7d9c9950887308b57a77

SHA1
edc70f8c3d4bc640ef82ad57bfe28aa3dd424d69

SHA256
c150a4ee255d824b75793606b4c321e45e50f625835d0a534d77e3856ed54012

SHA512
c65c86f204d532c245991ff262ad3d1db1462426bedf3a8dbc413a51a631edd27e16cff01a09da7af4bcf28ecff726ea13c7992fb60d9d3a1a0f3503a6575b78

Download Submit
C:\Windows\SysWOW64\Gjaphgpl.exe

Filesize
3.2MB

MD5
a25bb8e2aae93a35f81317c7d4649de6

SHA1
978fa070c691f1e7a46fcafe6e9e3dcec8a52bb8

SHA256
5bded49396110fdcb2c79ddb677e000de721c4e01f65260ed175cd6ea09e0d9c

SHA512
edc1197d712d207b64578a8842a22a755d418b5e8192b1b098a3aa06b9bd47967ac2256b451301412adf1b7f9f17b4223ea26e1bab1f7cdde6791dda24cf661a

Download Submit
C:\Windows\SysWOW64\Gkalbj32.exe

Filesize
3.2MB

MD5
5a3c76bfd73bdac10df148ebe0bf20f2

SHA1
2d5987759db3ea1e8165078fae72d08735bfd6f3

SHA256
0cb40a008153f06f1a1087ad40eb10c746ee6691cb3e8ad7ad81e4affe1d50a8

SHA512
8c21419ccd6a070593b73a247eb8a6a5eb3953301312fb057bf888312c8cf4ae7efa946f223da793bc9e1f87150243345c3eb79c08d3fff93b5e85c7db940a9f

Download Submit
C:\Windows\SysWOW64\Lhlgjo32.dll

Filesize
7KB

MD5
22d121a452609754789913ab9287cd60

SHA1
ce56c9f8e9cca7bd6910eaf2121f507205806f17

SHA256
5e4ed3952106e3912d94b28f3e2750125c33a02499e12c4fce048318f5716d76

SHA512
a16296d8dd37cb65af25098f38431b38a06f0e758324a5546967ba8a1441c1ace3e9362a909979d6056f007e7862990a5b30bd6e63d61a6eb492a744e475b406

Download Submit
memory/656-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1424-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1424-74-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1444-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1444-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1796-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2072-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2072-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2216-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2216-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-77-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-78-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3592-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3592-75-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5088-76-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5088-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads