berbew | 0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
Size

415KB
MD5

8ddf7ad133d44979d64cb4fe1aa434b8
SHA1

abe9c516ca9d86db632dd7ed2a477c2533d1de9b
SHA256

0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa
SHA512

e20d0cc23c650a25dc32c97a73cea8f6f5a5923b93d900ba2185d67433ff66c98e52fa2ea94a68915299ed1274111a46a39074f2f9021b7b231e854022696fa6
SSDEEP

12288:MoWj7NtInBBBBBBBBBBBBBBBBBBBBBBBBB0kfBBBBBBBBBBBBBBBBBBBBBBBBBNz:Mklp

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egafleqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojald32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cppkph32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckafbbph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cppkph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edkcojga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edkcojga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckafbbph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egafleqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojald32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 18 IoCs

pid	Process
2136	Cdgneh32.exe
2732	Ckafbbph.exe
2700	Cppkph32.exe
2144	Dgjclbdi.exe
2488	Dfoqmo32.exe
2108	Dliijipn.exe
792	Dhpiojfb.exe
2772	Dojald32.exe
2920	Dbkknojp.exe
2168	Dhdcji32.exe
1540	Edkcojga.exe
2528	Egjpkffe.exe
1752	Enfenplo.exe
2068	Ejmebq32.exe
2440	Egafleqm.exe
1720	Emnndlod.exe
2220	Fidoim32.exe
2308	Fkckeh32.exe

Loads dropped DLL 40 IoCs

pid	Process
2132	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
2132	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
2136	Cdgneh32.exe
2136	Cdgneh32.exe
2732	Ckafbbph.exe
2732	Ckafbbph.exe
2700	Cppkph32.exe
2700	Cppkph32.exe
2144	Dgjclbdi.exe
2144	Dgjclbdi.exe
2488	Dfoqmo32.exe
2488	Dfoqmo32.exe
2108	Dliijipn.exe
2108	Dliijipn.exe
792	Dhpiojfb.exe
792	Dhpiojfb.exe
2772	Dojald32.exe
2772	Dojald32.exe
2920	Dbkknojp.exe
2920	Dbkknojp.exe
2168	Dhdcji32.exe
2168	Dhdcji32.exe
1540	Edkcojga.exe
1540	Edkcojga.exe
2528	Egjpkffe.exe
2528	Egjpkffe.exe
1752	Enfenplo.exe
1752	Enfenplo.exe
2068	Ejmebq32.exe
2068	Ejmebq32.exe
2440	Egafleqm.exe
2440	Egafleqm.exe
1720	Emnndlod.exe
1720	Emnndlod.exe
2220	Fidoim32.exe
2220	Fidoim32.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dgjclbdi.exe	Cppkph32.exe
File created	C:\Windows\SysWOW64\Eaklqfem.dll	Dliijipn.exe
File created	C:\Windows\SysWOW64\Enfenplo.exe	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Khknah32.dll	Emnndlod.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dhpiojfb.exe	Dliijipn.exe
File opened for modification	C:\Windows\SysWOW64\Dojald32.exe	Dhpiojfb.exe
File created	C:\Windows\SysWOW64\Jfiilbkl.dll	Dojald32.exe
File opened for modification	C:\Windows\SysWOW64\Dfoqmo32.exe	Dgjclbdi.exe
File opened for modification	C:\Windows\SysWOW64\Cdgneh32.exe	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
File created	C:\Windows\SysWOW64\Mcfidhng.dll	Dgjclbdi.exe
File opened for modification	C:\Windows\SysWOW64\Dliijipn.exe	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Epjomppp.dll	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Dfoqmo32.exe	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Dbkknojp.exe	Dojald32.exe
File created	C:\Windows\SysWOW64\Dhpiojfb.exe	Dliijipn.exe
File opened for modification	C:\Windows\SysWOW64\Dhdcji32.exe	Dbkknojp.exe
File created	C:\Windows\SysWOW64\Ejmebq32.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Illjbiak.dll	Enfenplo.exe
File created	C:\Windows\SysWOW64\Emnndlod.exe	Egafleqm.exe
File opened for modification	C:\Windows\SysWOW64\Emnndlod.exe	Egafleqm.exe
File opened for modification	C:\Windows\SysWOW64\Ckafbbph.exe	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Cppkph32.exe	Ckafbbph.exe
File created	C:\Windows\SysWOW64\Dgjclbdi.exe	Cppkph32.exe
File created	C:\Windows\SysWOW64\Dliijipn.exe	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Dhdcji32.exe	Dbkknojp.exe
File opened for modification	C:\Windows\SysWOW64\Egjpkffe.exe	Edkcojga.exe
File opened for modification	C:\Windows\SysWOW64\Enfenplo.exe	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Lchkpi32.dll	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Cdgneh32.exe	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
File created	C:\Windows\SysWOW64\Qbgpffch.dll	Cppkph32.exe
File created	C:\Windows\SysWOW64\Edkcojga.exe	Dhdcji32.exe
File created	C:\Windows\SysWOW64\Abkphdmd.dll	Edkcojga.exe
File opened for modification	C:\Windows\SysWOW64\Ejmebq32.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Egafleqm.exe	Ejmebq32.exe
File created	C:\Windows\SysWOW64\Fidoim32.exe	Emnndlod.exe
File opened for modification	C:\Windows\SysWOW64\Dbkknojp.exe	Dojald32.exe
File created	C:\Windows\SysWOW64\Ckafbbph.exe	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Gjhfbach.dll	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Gogcek32.dll	Dhdcji32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File created	C:\Windows\SysWOW64\Nmnlfg32.dll	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
File created	C:\Windows\SysWOW64\Dojald32.exe	Dhpiojfb.exe
File opened for modification	C:\Windows\SysWOW64\Edkcojga.exe	Dhdcji32.exe
File created	C:\Windows\SysWOW64\Egjpkffe.exe	Edkcojga.exe
File opened for modification	C:\Windows\SysWOW64\Fidoim32.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Fidoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cppkph32.exe	Ckafbbph.exe
File created	C:\Windows\SysWOW64\Mhkdik32.dll	Ckafbbph.exe
File created	C:\Windows\SysWOW64\Lqelfddi.dll	Dhpiojfb.exe
File created	C:\Windows\SysWOW64\Kncphpjl.dll	Dbkknojp.exe
File opened for modification	C:\Windows\SysWOW64\Egafleqm.exe	Ejmebq32.exe
File created	C:\Windows\SysWOW64\Pgicjg32.dll	Ejmebq32.exe
File created	C:\Windows\SysWOW64\Inegme32.dll	Egafleqm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	2308	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fidoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfoqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dliijipn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkknojp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgneh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgjclbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckafbbph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cppkph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhpiojfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edkcojga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejmebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojald32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egjpkffe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enfenplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egafleqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnndlod.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll"	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbgpffch.dll"	Cppkph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll"	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll"	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojald32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhfbach.dll"	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogcek32.dll"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnlfg32.dll"	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cppkph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll"	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll"	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dojald32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqelfddi.dll"	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncphpjl.dll"	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khknah32.dll"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfiilbkl.dll"	Dojald32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll"	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cppkph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll"	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckafbbph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enfenplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfoqmo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2136	2132	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe	28
PID 2132 wrote to memory of 2136	2132	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe	28
PID 2132 wrote to memory of 2136	2132	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe	28
PID 2132 wrote to memory of 2136	2132	0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe	28
PID 2136 wrote to memory of 2732	2136	Cdgneh32.exe	29
PID 2136 wrote to memory of 2732	2136	Cdgneh32.exe	29
PID 2136 wrote to memory of 2732	2136	Cdgneh32.exe	29
PID 2136 wrote to memory of 2732	2136	Cdgneh32.exe	29
PID 2732 wrote to memory of 2700	2732	Ckafbbph.exe	30
PID 2732 wrote to memory of 2700	2732	Ckafbbph.exe	30
PID 2732 wrote to memory of 2700	2732	Ckafbbph.exe	30
PID 2732 wrote to memory of 2700	2732	Ckafbbph.exe	30
PID 2700 wrote to memory of 2144	2700	Cppkph32.exe	31
PID 2700 wrote to memory of 2144	2700	Cppkph32.exe	31
PID 2700 wrote to memory of 2144	2700	Cppkph32.exe	31
PID 2700 wrote to memory of 2144	2700	Cppkph32.exe	31
PID 2144 wrote to memory of 2488	2144	Dgjclbdi.exe	32
PID 2144 wrote to memory of 2488	2144	Dgjclbdi.exe	32
PID 2144 wrote to memory of 2488	2144	Dgjclbdi.exe	32
PID 2144 wrote to memory of 2488	2144	Dgjclbdi.exe	32
PID 2488 wrote to memory of 2108	2488	Dfoqmo32.exe	33
PID 2488 wrote to memory of 2108	2488	Dfoqmo32.exe	33
PID 2488 wrote to memory of 2108	2488	Dfoqmo32.exe	33
PID 2488 wrote to memory of 2108	2488	Dfoqmo32.exe	33
PID 2108 wrote to memory of 792	2108	Dliijipn.exe	34
PID 2108 wrote to memory of 792	2108	Dliijipn.exe	34
PID 2108 wrote to memory of 792	2108	Dliijipn.exe	34
PID 2108 wrote to memory of 792	2108	Dliijipn.exe	34
PID 792 wrote to memory of 2772	792	Dhpiojfb.exe	35
PID 792 wrote to memory of 2772	792	Dhpiojfb.exe	35
PID 792 wrote to memory of 2772	792	Dhpiojfb.exe	35
PID 792 wrote to memory of 2772	792	Dhpiojfb.exe	35
PID 2772 wrote to memory of 2920	2772	Dojald32.exe	36
PID 2772 wrote to memory of 2920	2772	Dojald32.exe	36
PID 2772 wrote to memory of 2920	2772	Dojald32.exe	36
PID 2772 wrote to memory of 2920	2772	Dojald32.exe	36
PID 2920 wrote to memory of 2168	2920	Dbkknojp.exe	37
PID 2920 wrote to memory of 2168	2920	Dbkknojp.exe	37
PID 2920 wrote to memory of 2168	2920	Dbkknojp.exe	37
PID 2920 wrote to memory of 2168	2920	Dbkknojp.exe	37
PID 2168 wrote to memory of 1540	2168	Dhdcji32.exe	38
PID 2168 wrote to memory of 1540	2168	Dhdcji32.exe	38
PID 2168 wrote to memory of 1540	2168	Dhdcji32.exe	38
PID 2168 wrote to memory of 1540	2168	Dhdcji32.exe	38
PID 1540 wrote to memory of 2528	1540	Edkcojga.exe	39
PID 1540 wrote to memory of 2528	1540	Edkcojga.exe	39
PID 1540 wrote to memory of 2528	1540	Edkcojga.exe	39
PID 1540 wrote to memory of 2528	1540	Edkcojga.exe	39
PID 2528 wrote to memory of 1752	2528	Egjpkffe.exe	40
PID 2528 wrote to memory of 1752	2528	Egjpkffe.exe	40
PID 2528 wrote to memory of 1752	2528	Egjpkffe.exe	40
PID 2528 wrote to memory of 1752	2528	Egjpkffe.exe	40
PID 1752 wrote to memory of 2068	1752	Enfenplo.exe	41
PID 1752 wrote to memory of 2068	1752	Enfenplo.exe	41
PID 1752 wrote to memory of 2068	1752	Enfenplo.exe	41
PID 1752 wrote to memory of 2068	1752	Enfenplo.exe	41
PID 2068 wrote to memory of 2440	2068	Ejmebq32.exe	42
PID 2068 wrote to memory of 2440	2068	Ejmebq32.exe	42
PID 2068 wrote to memory of 2440	2068	Ejmebq32.exe	42
PID 2068 wrote to memory of 2440	2068	Ejmebq32.exe	42
PID 2440 wrote to memory of 1720	2440	Egafleqm.exe	43
PID 2440 wrote to memory of 1720	2440	Egafleqm.exe	43
PID 2440 wrote to memory of 1720	2440	Egafleqm.exe	43
PID 2440 wrote to memory of 1720	2440	Egafleqm.exe	43

C:\Users\Admin\AppData\Local\Temp\0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe
"C:\Users\Admin\AppData\Local\Temp\0d3f76e1e200cc1a1b6254a647472ae9f6da601d5248b3e8f80dbf1a28baf8aa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\Cdgneh32.exe
  C:\Windows\system32\Cdgneh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\Ckafbbph.exe
    C:\Windows\system32\Ckafbbph.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\Cppkph32.exe
      C:\Windows\system32\Cppkph32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Dgjclbdi.exe
        
        C:\Windows\system32\Dgjclbdi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Windows\SysWOW64\Dfoqmo32.exe
        
        C:\Windows\system32\Dfoqmo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Dliijipn.exe
        
        C:\Windows\system32\Dliijipn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Dhpiojfb.exe
        
        C:\Windows\system32\Dhpiojfb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Dojald32.exe
        
        C:\Windows\system32\Dojald32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Dbkknojp.exe
        
        C:\Windows\system32\Dbkknojp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Dhdcji32.exe
        
        C:\Windows\system32\Dhdcji32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Edkcojga.exe
        
        C:\Windows\system32\Edkcojga.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Egjpkffe.exe
        
        C:\Windows\system32\Egjpkffe.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Enfenplo.exe
        
        C:\Windows\system32\Enfenplo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Ejmebq32.exe
        
        C:\Windows\system32\Ejmebq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Egafleqm.exe
        
        C:\Windows\system32\Egafleqm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Fidoim32.exe
        
        C:\Windows\system32\Fidoim32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 140
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ckafbbph.exe

Filesize
415KB

MD5
bf4acd269f73b5f1926717214063dad9

SHA1
8ebb4a2abff435cbdd60e8cdd9205e3fef0d7c87

SHA256
1c26c75d1cf95680b8828c66d7c9720b15110f535ea5fb26a7f0e47eb9b3dfe8

SHA512
0fbb583fecd9e8df5bcbf8a332d6f1c362812ca0614ebd1a94cabc1f5603d88229182216b361bbdcd2016d272f5b33ca4caff3b719f5c478ab687300a4625230

Download Submit
C:\Windows\SysWOW64\Dgjclbdi.exe

Filesize
415KB

MD5
f01ed1ac7f448a39188481bddcb9f714

SHA1
e07241ee3909c5d0909f22157a4be1e71358b34d

SHA256
f459207ef0ac2602d3d9917824ec0dd405484026d2873c21bb19539da03e607d

SHA512
2ba394378e547ccfd54e3d5aa025402eabf425011226f8f6eae688fff3bde3f2f9c93124c087deab56333f5e4165bbb6493694aaab32f5f086fefb37cf30ce90

Download Submit
C:\Windows\SysWOW64\Dliijipn.exe

Filesize
415KB

MD5
2f86ad2db421b626d6ee4286ce0b58b8

SHA1
86380c79d48791702fe307da630f42a07faa8ec7

SHA256
afdb747e752fa1989f25eadac5f02188e55faa11a6d8b4432dd08c63e3c4ecd8

SHA512
f723d7a25f4d93fa67391d5d7c349c561c8513e920c1a838f59ffe0fc02d474d6701292e56863cf07b0d1c7441c0f50281092108cf9b521c85b03c4460b671c2

Download Submit
C:\Windows\SysWOW64\Dojald32.exe

Filesize
415KB

MD5
edb40f5de23975954cc3b343ff421638

SHA1
59b87179837e648e04f6af79957eed4062a143c4

SHA256
cc4e5bcfaf48bdb9751525aad40aa4a3fcb003499ce982a0bb592814e21f311b

SHA512
9f6561ecbda60e6e723ae7846cedd82fec0a2bbe755483ea4b6caa29c0bc16f1bae4c9e279ac4666fca5c6ed21f1b907ea0888156ee65e944a1a2152570157c6

Download Submit
C:\Windows\SysWOW64\Ejmebq32.exe

Filesize
415KB

MD5
b180f05c466439a4242f3473c98aba4a

SHA1
693cbea3ca7ed3515b88e9a0e3fec1faaea09dc9

SHA256
e1faf2d61d0cde81b07a0f52e0bb024fd9c319a58630969fd6fd220b0fe04cff

SHA512
adac8eb8d6490c0d763419418bffb94be938a266708b95932b64c432a9c6829b9acf63f30de72e4221d8dcf7d149e87512496a1432f54073c00ce2a6d5afaf23

Download Submit
C:\Windows\SysWOW64\Fidoim32.exe

Filesize
415KB

MD5
102122560d46cc5bbf73095aaa1cf39e

SHA1
2fe9800512e60758045a346fdc7bc01791165d5e

SHA256
b7ea0f3ef4c794bb871f61bcb7352451acec289653ca306a3679c00ae5190d5e

SHA512
ece585614084c29a306443165b799d552e7792448c19a44a1666df055596925affdcded1503f94987e8d7e350155691b1c72c0f85a04b53fb797b5bf8b28e175

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
415KB

MD5
32795cdea896292314bbef23f8803417

SHA1
a9b2ddd08f869ea503d67d6f008dee448c516597

SHA256
221844e70aa05aa61c5df27143476dcbc311676618b5c4b4510158e29a232ebd

SHA512
b966975822b9dfed097ffae21b60ab863c622dfdd2b3a856b38635313459e8f2c6f7115193214e024c8e10afd4a9f9476216cb044bf229b22b2eb26957c0c392

Download Submit
\Windows\SysWOW64\Cdgneh32.exe

Filesize
415KB

MD5
be20288a55f2b283d72e967f5278f20b

SHA1
af7f1c40bc113f5e1d7ab459e56be1956f05a60f

SHA256
5c782e9ff5693c60c80c76389fcc2771d8c37765fc280525f6ffd64b1ab0d252

SHA512
ead565e04d565e0701c6e0a0e2e16c0bb994a7d3811e6b4eb1da62f58e78e6fc4c9d6c74f3d01e7fc499762099257224cdbf6b85ce272ff86c9ab514abe2f165

Download Submit
\Windows\SysWOW64\Cppkph32.exe

Filesize
415KB

MD5
4e953ca158075dcfc796d3e480d4b42d

SHA1
de8c11228914e4093618a16989e91b3eaea27f95

SHA256
448239381fd81a9310cbaadb09d4cfc4cfc77be042ae7849b350af1d851561bc

SHA512
be2e8547f47d042774de8c2fbc33f8d4368be37919191f775ff82c86343115ed60fd9a3d24d93230f4c8e3c94a96a4671d5042e40ce593d916603b1e344fb9c1

Download Submit
\Windows\SysWOW64\Dbkknojp.exe

Filesize
415KB

MD5
faecfebdb78a174800a29cdea1ead6a8

SHA1
81f2e54ee427c2d840d355e48c87779f6bc5758a

SHA256
917b6db04d009c371a60b8dbf85f825c82a7d9bd10bdc5af819539a612277787

SHA512
c1b60ea8184b6b22fe784eda4200f9f0b4cd92901793acf35fab9607141a876018a22847ff1a24ec1a76239b7837d87ccc153f4e80e8b4275016bd40da72e4b7

Download Submit
\Windows\SysWOW64\Dfoqmo32.exe

Filesize
415KB

MD5
5e52c47b72bf5a793e823adf792bff26

SHA1
29f74b1db3cc0cc93f5cbdad862d723943e4a782

SHA256
90937731d8a29e561b6dbefb550e5912293f82be2c2e299cf6e3abbb21216b61

SHA512
cd39b7832b47da8d0feea6c565ceef4d51fe6aa53dab54f99098ed1d4ffe881bbb313e051c086e158a26e1d980f56bdce69715c7d7926d10fd16fbe1b6b1cd5b

Download Submit
\Windows\SysWOW64\Dhdcji32.exe

Filesize
415KB

MD5
202396a87edca7b17b90c163717f4ac1

SHA1
a6b372554ff60eeb55d850d6521eb93c7fb97833

SHA256
5c02289d9a10c431843be489c0f15f349ddb86b49971abe1ab40e2e5c6f8eb47

SHA512
a4801c96b83a8abcc6ac677bc3e623ee7d11c627fd93c16910904a1dee62711c5db45f990517ff0b1be55dedbe26c1596a8d6acf08f467ebf63f93bd8d4c5c9b

Download Submit
\Windows\SysWOW64\Dhpiojfb.exe

Filesize
415KB

MD5
afb9e60d7a8813655e635ed966cb69c3

SHA1
7a28668ed5b086befccca88275871311242c247c

SHA256
dde440510a1d385b684b60beaf6dd8a936535a80264ed18e94e0aba36228c9cb

SHA512
4c79fe638c64947806dffb38ef24857553deeabd6564bc645fd3fa25e8aba3332cd079b902a07ea93eade21b14922772593b11d794b261b5a9cb8cb4928274aa

Download Submit
\Windows\SysWOW64\Edkcojga.exe

Filesize
415KB

MD5
dd16db1ffb2efa48964da2e144ef281e

SHA1
c73aabf950ff6cdb57de056fab9acfa1381bdca5

SHA256
64bce35fd1eabeb5afb2ae44dc0e907716c2baf856954938f754cb05ca1574a2

SHA512
15993d7628208ed1aebbe620cd7bf94aabe9ab426276c4eb896eb0fe9b73031b17c0bcd450428b85579acea67eca7f376b575be5982b734eb131f4a6720a8b72

Download Submit
\Windows\SysWOW64\Egafleqm.exe

Filesize
415KB

MD5
fcebe95a34aac25899ec85969fab5e50

SHA1
8806b328673580b74d2137d12b0c139921811f50

SHA256
d10eaae9cae3f39be3835dfe859ee24ca240e9c7e704a2aa3a1268d5264a9a58

SHA512
42d9ead90b23670f49839ed5b516f57b0ec5425dc38f849b2604f80160a6c901c4653942a89a237361e50305ecb335d019c666ad9ee99c32ac53ac2036c26a9b

Download Submit
\Windows\SysWOW64\Egjpkffe.exe

Filesize
415KB

MD5
b4ac1c00ac8711dab475189ac8f6da42

SHA1
3c70b3dd0d9321845e9cf25617c7767d943c5635

SHA256
934eef38c5d37950a0d648435f1535395a00492e1a9940da89491e8a8dac0ce8

SHA512
2c88bcd2284bcdddeb09d2acf938893c5514705bdc3c3bbd221060942dbfb040b3e1d8fb282caa10c3adddc2e71de52e4a9a5c74f1d03929d528ba93df5cd2db

Download Submit
\Windows\SysWOW64\Emnndlod.exe

Filesize
415KB

MD5
9f63b2b00e8392bde65da208de88ed6e

SHA1
a5595b9a2457dde250e10a6feb0a6709b678aaeb

SHA256
18e8a88f37d0880631650bf0589dbab097ef5545fcaee8fcf303e08ff8d0e0f8

SHA512
b54d796ef73edfcac6f2f8c51f24cec1b672af0e16d2bdfc5085037252a55f7c5a43c294939849ac43badd2cf5396d60d1c8403178c89ceba819ec043f4eed8b

Download Submit
\Windows\SysWOW64\Enfenplo.exe

Filesize
415KB

MD5
726db2bc844425b9ac3312073029f151

SHA1
174fa601f17acc445d69d0fd4eb7437d6191e7ab

SHA256
13ee4242e60a1dffe5b3616bc912e5ff555e29206eb5cf9dfe6539194028ced4

SHA512
179082e3846c2a22c4263d6e92fc363c70f06060f7a56cfb62bafd34ea16e143c8465dfedb2032c434672157cfd023f3e7c461e989ce43d4152b402fca8be489

Download Submit
memory/792-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/792-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/792-110-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1540-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-166-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1540-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-234-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1752-195-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1752-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-205-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2068-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-91-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2132-12-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2132-11-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2132-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-27-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2136-26-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2144-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-64-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2168-152-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2168-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-244-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2220-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-222-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2488-82-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2488-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-181-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2528-176-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2700-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-54-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2700-55-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2732-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-37-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2772-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-119-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2772-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-134-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads