berbew | 3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7

Analysis

max time kernel
94s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2024, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
Size

123KB
MD5

bf6fae042cab73483cf0ab2d4b9cc680
SHA1

42378fa63fb7c1cb7319f2e0746ee6d8c62c0ad5
SHA256

3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7
SHA512

9748400a778c2f905613276ea48781e4e714a563dad1e03c5b4e85530b8f62d3a9c57832a3ea2e36b922f0a5f4db0aeca28f2d6081517c0e2e3335b61b1641c8
SSDEEP

3072:1U9+INZqqhRgpb5J7RM0MTRYSa9rR85DEn5k7r:1U9TPqqhWla7T4rQD85k/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 23 IoCs

pid	Process
400	Cajlhqjp.exe
4568	Cjbpaf32.exe
1044	Cmqmma32.exe
3416	Cegdnopg.exe
2544	Dopigd32.exe
3368	Dmcibama.exe
3580	Ddmaok32.exe
5116	Djgjlelk.exe
1212	Daqbip32.exe
4420	Dfnjafap.exe
1876	Dodbbdbb.exe
4028	Dmgbnq32.exe
2896	Deokon32.exe
4560	Dhmgki32.exe
4824	Dkkcge32.exe
3480	Dogogcpo.exe
3940	Dmjocp32.exe
2120	Deagdn32.exe
3456	Dddhpjof.exe
4440	Dhocqigp.exe
4524	Dgbdlf32.exe
3212	Doilmc32.exe
2524	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe

Program crash 1 IoCs

pid	pid_target	Process
4624	2524	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 400	3056	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe	82
PID 3056 wrote to memory of 400	3056	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe	82
PID 3056 wrote to memory of 400	3056	3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe	82
PID 400 wrote to memory of 4568	400	Cajlhqjp.exe	83
PID 400 wrote to memory of 4568	400	Cajlhqjp.exe	83
PID 400 wrote to memory of 4568	400	Cajlhqjp.exe	83
PID 4568 wrote to memory of 1044	4568	Cjbpaf32.exe	84
PID 4568 wrote to memory of 1044	4568	Cjbpaf32.exe	84
PID 4568 wrote to memory of 1044	4568	Cjbpaf32.exe	84
PID 1044 wrote to memory of 3416	1044	Cmqmma32.exe	85
PID 1044 wrote to memory of 3416	1044	Cmqmma32.exe	85
PID 1044 wrote to memory of 3416	1044	Cmqmma32.exe	85
PID 3416 wrote to memory of 2544	3416	Cegdnopg.exe	86
PID 3416 wrote to memory of 2544	3416	Cegdnopg.exe	86
PID 3416 wrote to memory of 2544	3416	Cegdnopg.exe	86
PID 2544 wrote to memory of 3368	2544	Dopigd32.exe	87
PID 2544 wrote to memory of 3368	2544	Dopigd32.exe	87
PID 2544 wrote to memory of 3368	2544	Dopigd32.exe	87
PID 3368 wrote to memory of 3580	3368	Dmcibama.exe	88
PID 3368 wrote to memory of 3580	3368	Dmcibama.exe	88
PID 3368 wrote to memory of 3580	3368	Dmcibama.exe	88
PID 3580 wrote to memory of 5116	3580	Ddmaok32.exe	89
PID 3580 wrote to memory of 5116	3580	Ddmaok32.exe	89
PID 3580 wrote to memory of 5116	3580	Ddmaok32.exe	89
PID 5116 wrote to memory of 1212	5116	Djgjlelk.exe	90
PID 5116 wrote to memory of 1212	5116	Djgjlelk.exe	90
PID 5116 wrote to memory of 1212	5116	Djgjlelk.exe	90
PID 1212 wrote to memory of 4420	1212	Daqbip32.exe	91
PID 1212 wrote to memory of 4420	1212	Daqbip32.exe	91
PID 1212 wrote to memory of 4420	1212	Daqbip32.exe	91
PID 4420 wrote to memory of 1876	4420	Dfnjafap.exe	92
PID 4420 wrote to memory of 1876	4420	Dfnjafap.exe	92
PID 4420 wrote to memory of 1876	4420	Dfnjafap.exe	92
PID 1876 wrote to memory of 4028	1876	Dodbbdbb.exe	93
PID 1876 wrote to memory of 4028	1876	Dodbbdbb.exe	93
PID 1876 wrote to memory of 4028	1876	Dodbbdbb.exe	93
PID 4028 wrote to memory of 2896	4028	Dmgbnq32.exe	94
PID 4028 wrote to memory of 2896	4028	Dmgbnq32.exe	94
PID 4028 wrote to memory of 2896	4028	Dmgbnq32.exe	94
PID 2896 wrote to memory of 4560	2896	Deokon32.exe	95
PID 2896 wrote to memory of 4560	2896	Deokon32.exe	95
PID 2896 wrote to memory of 4560	2896	Deokon32.exe	95
PID 4560 wrote to memory of 4824	4560	Dhmgki32.exe	96
PID 4560 wrote to memory of 4824	4560	Dhmgki32.exe	96
PID 4560 wrote to memory of 4824	4560	Dhmgki32.exe	96
PID 4824 wrote to memory of 3480	4824	Dkkcge32.exe	97
PID 4824 wrote to memory of 3480	4824	Dkkcge32.exe	97
PID 4824 wrote to memory of 3480	4824	Dkkcge32.exe	97
PID 3480 wrote to memory of 3940	3480	Dogogcpo.exe	98
PID 3480 wrote to memory of 3940	3480	Dogogcpo.exe	98
PID 3480 wrote to memory of 3940	3480	Dogogcpo.exe	98
PID 3940 wrote to memory of 2120	3940	Dmjocp32.exe	99
PID 3940 wrote to memory of 2120	3940	Dmjocp32.exe	99
PID 3940 wrote to memory of 2120	3940	Dmjocp32.exe	99
PID 2120 wrote to memory of 3456	2120	Deagdn32.exe	100
PID 2120 wrote to memory of 3456	2120	Deagdn32.exe	100
PID 2120 wrote to memory of 3456	2120	Deagdn32.exe	100
PID 3456 wrote to memory of 4440	3456	Dddhpjof.exe	101
PID 3456 wrote to memory of 4440	3456	Dddhpjof.exe	101
PID 3456 wrote to memory of 4440	3456	Dddhpjof.exe	101
PID 4440 wrote to memory of 4524	4440	Dhocqigp.exe	102
PID 4440 wrote to memory of 4524	4440	Dhocqigp.exe	102
PID 4440 wrote to memory of 4524	4440	Dhocqigp.exe	102
PID 4524 wrote to memory of 3212	4524	Dgbdlf32.exe	103

C:\Users\Admin\AppData\Local\Temp\3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe
"C:\Users\Admin\AppData\Local\Temp\3f7f66a23fcba3f8647d5800541067c48c811fca9d800e27f04138db0756cee7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\Cajlhqjp.exe
  C:\Windows\system32\Cajlhqjp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\Cjbpaf32.exe
    C:\Windows\system32\Cjbpaf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\SysWOW64\Cmqmma32.exe
      C:\Windows\system32\Cmqmma32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
      - C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 408
        25⤵
        Program crash
        
        PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2524 -ip 2524
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
123KB

MD5
12b69712756c0734ef881aa312dd40b3

SHA1
812184bc38ae888a1e11ce4320d8bbade358a383

SHA256
1d51b3afa4ab3c3995ea5a15b14b80c44bb8d2441fec12f12d660bcd49c88f80

SHA512
1929a17fc6aad742dbf4367683201615e89b05267d49d0234c8ec7b20086d8966fc257cdd0d2e04f15f6fba93a37376e436d5685b121aa8257a5f43c5cefec53

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
123KB

MD5
eff743ff3683c2a88cb0b2fe72daaf56

SHA1
a29d91d45bc517be29fdf1b52c78955e96a81085

SHA256
d2e0bfc79303ffcc5109acc4c507458b447b778b21421e2fd71252e372fbb531

SHA512
fbf64968ef9c588c5b0da866fadbfa7c49b03e52cd6a85509f31aeef6e05b44d561f09e9875fb9ae4f1c30f8083cbdc01801259ba31798b1f6df7a15db1ca7b4

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
123KB

MD5
ef50c4765d2c309b59efb60b0ffb1a75

SHA1
5f077020020546f410f9d2983db3990d889e3a9e

SHA256
6fd4116a1ac7363070919b61df768cf61b984b86df2b167e0856be0d1a6c94ba

SHA512
0d1548ceee800a40b38df513607aeb95a1061d5846cdb065a7334281027707c0d3acaaa8aac840671a86c4c1ebb4231880dbbb289d4ea4ee80e5a8f0d2dd91e7

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
123KB

MD5
12ee749f7108e33fd2e506df58bd7a0a

SHA1
f135bb74ee589b705e20bbacb9a7eaf5712f89e9

SHA256
75cf7874b93eb73bad1c0ac8c3f48391097d3713edf3cdaf0ef3013ad9a33e54

SHA512
9db7b9568f7cd7327eeeac7f09c60c9e5a9e9243a5f9859a09ec8853d6a722d2713eb4ed09c2f176bb330d502a27326678901d64b0821f53e5156d57f685c2fa

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
123KB

MD5
d450672809b1af30073f87253082fa10

SHA1
da0e6d5fea0713a53ab82559bad322bb7410ec79

SHA256
dd3ab96549ab2ad815baaf483738ba92f202f6846341e60e89271f900ab3504f

SHA512
d89f24339cd43fa66285395342c144f09c892ac1826e310e2eb4ec4f57278338dd6f4d897c230900ca2e114405bba5bb31fa788fbda591a090b7cf144f253f9b

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
123KB

MD5
9b858227b4608c617e07a4b87d80eecd

SHA1
96c4f958252510137b8a5291204d20274c89abea

SHA256
08c00634a781cb066bfe4c6091376c6c86c0fdf991dfc69f41182e3cb55cb284

SHA512
62a863bc02a21661363b927858014e440cb93b7f597ae9f02d361b51176fbd12bdb0fd7bab8d208acd34d640f08f30b9f250bc7b1f286148c336e089ebf97055

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
123KB

MD5
e367b69cd28a94b595b9ff653788bddf

SHA1
18e1013976d264cb1ce4f5f1e20ecd0c32b08676

SHA256
6761c6da2115f0e4043b92ca74385c1da5c4ff803e6fa895747b93d2d3aac36e

SHA512
11be47e64429a8d43f721998167bfad0e8019629d63796b51b9a7b579a94f4d315b466268bf55b698fab97412042871d8082bb7615984c73f5835619a6682644

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
123KB

MD5
576c3c1475843b498f55e7dc292fdd2a

SHA1
e71f31344d95d094be2fcd6970c700027e37d48a

SHA256
1e963d175ba1674577b681711e1f89282652ffc1e623cd814c4aa0c8d5684508

SHA512
b2639f3778f5b27b886fe3d1f1623e492e4d8509ca73cf7a606b9c2e3325eeb5877350fc1a326df6b214ff6b1742f9d45e48c172747277263cae9c8aeb569dc7

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
123KB

MD5
41878ac070b7da779bffde538e0e617d

SHA1
58339e26f9599e5692450c9bc19092658ce45fc7

SHA256
8e553f3370a7e7c041c587caa4aebad559d1dace2cbcdf902b77e3b8ba7bf088

SHA512
a52bf8c895e50e0b6e39183d5d7446a05d2d75d45419ec37c83117550ba35c596e4600a7193b0523c6740afa035b65342c5c111f2d1f2427951f53d2086c5eda

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
123KB

MD5
bd83997d9d99e68106276f21f40ececf

SHA1
73652436ecb65363d4ba283cfbfab9bc72da44e8

SHA256
d72fc1d7ca6ba6bc646725769edcf890171f28d53a67236cd2c0d75ea28f72fc

SHA512
0b996beb46ce0119ede2fd15bd1a6820a3011c11e8e201884f6adb553dbb7bb633f31633f3a7b6fda96877d69fae40896f2645eae54c022fa128c88608f65100

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
123KB

MD5
c864a46a10cb5d33fba469f2017664d3

SHA1
e81b4f73bf3ab0d58480f26c843f26ab95bdc681

SHA256
171d3d2301ccf202a1b5ec3389f38734eca4c6b8cabe50e8e9f29a9ef9e494ae

SHA512
811ecfff880d7180e2f9454307d6b399d79a089754b0d48fef249b920a0cc3ce087d8948a44c46e727c314e84ad8dc494cab891fc755772a64db612444c10b29

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
123KB

MD5
bc48f652ebcb14b26ba10efe6680f0bc

SHA1
225d0cc7eaa8a9a099a6c46032c986e3161124c6

SHA256
53a2290389b65aa51accf506dadfc3b0f375a913bb4cfc2b044eb26692b94472

SHA512
5a8087ad63ab457831276d5b6fa9fd2363de5ed9f4f29f6e91edfb8df6d0a17ccf356d283769fae9ff19743891ac6c0ab93fdb77b4722dbcbf28863d0b82ee76

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
123KB

MD5
e99534fdcc44462bda8cbe0e09add28e

SHA1
0e31ae22b9d41c6244d77b81b1b0241c259092e8

SHA256
914c44ef60811bf59b35cac304ed2f5cbf8ced1eb830e3e885fb742685024d39

SHA512
d130d334d64a1df911f8c387f987fab435459acfca00396792bf13adf5a1d834e4cb173ab5a4a3fef7bfdaa39c58240de2d72967ebe577b58c054c4b13aa1da0

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
123KB

MD5
4a410d8c0c8283582aeae053d9de218e

SHA1
8e6d114a80c268752ec2b5b7fa866b4bfa2eb17e

SHA256
1aa202aa397a73d1801cfbd080734e5b2aa07bc7e7e40367a40d25585e81f6eb

SHA512
e91adafd3cee3b8cd8919bee8b21fc7139854cbb51eb35befe0495940baea857d72098ccfa89b4295cd889bbf4d3443803d0ba213ba140a9ffb1db1e70b7c3fb

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
123KB

MD5
2938819b8ea80c4d3eb7755c8a118066

SHA1
5ae890b163ad99da9bd3da953cb35b1f6fa214fa

SHA256
4ea3d32c23326017c0ca4a33317a463e9bb802ea959908cef6fb8e199aa0fb79

SHA512
bc8a636e915e09f6d172718f824e49569c7d63334b91a0e09e79bfc6116255008eb40fa7da22bd0068764c8ed7237f097023075c06b8f53f9f695f005b71189c

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
123KB

MD5
d5e26e0ba5f7c8047839e470d0fb3093

SHA1
6e8712e29ea88f535484623cdab3a91131d3430c

SHA256
0d5d0b7406000aaf874aa016a1942d5d669d72fbf0f47c2b01c8b5559365f2e5

SHA512
c3f63ab8b019a8dfb1763295ae474b79cc54884ddf974b615ff00edf58dec50f90686c60efdbe900429bd0ed2d87a1c3de1940f2e3e98793909ae5af1126c1a9

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
123KB

MD5
277a39a88b231202e26215afb943b422

SHA1
63111fa855a54a909f2a4556190da98a14f56b5a

SHA256
416b5b5b29a2da3580c12d0c5143391475921dbfa9d7ece15158c8556b6e66b7

SHA512
fca094d859469553a956dcee4e9e2f3a58c6f5bfeb0280834504621e91037d1a879808017e7df9a515cd2e5f9dd4f08cd359cd59e9276e5cd2d93308a4cdd391

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
123KB

MD5
5b0722c9d1121ea223b15a8040c3bc49

SHA1
8c19f97ea372de5949de730ffc20f406ee4b0e67

SHA256
32280079e42873d0d63e945614d5c244cee87c73cb770ea7c071bcd786ecad65

SHA512
d930e475da52f28c122676236f04c9162b337fd98b6c782796bb9c598c1be5078b4d2d926d75c1fe61424336774a7993818a6840ab519ba6f7ae0f52fded5338

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
123KB

MD5
2376ed274211a1f719e3b8d9b0d22e41

SHA1
53198f782960f510bb2f7f806f2205b07485f593

SHA256
6b857fa37a637949cb84ddf9d1573f92da384aa01aa65b86c3ed29e504e538af

SHA512
a8dbfa3c3259bee29a33b7af117f32ed549619a9ebf4758d9a0ca5e6dce631918c8c44853825b5858db16a516a46ac844609421ca498350b34eb09679009693a

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
123KB

MD5
54377125b994dd10fbb141fa86b58366

SHA1
5c09c1e3b145f6582eab4eb34f6991c8fca4710f

SHA256
d3844dd09249a67973007c7922a5eb2665012f55b88ee67f1dfe8544654fb77a

SHA512
313a08c6a843d80e4ff99d2d91060729a8db0f8c39af99df9ba82898f79dffa3cb5a6ba27f73ec274d0ee682f8385ae83a0cad1a9954281399bd07b60c7f5712

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
123KB

MD5
697064110fdb37c01b2c0d099f4f58ae

SHA1
242af0d82a85c46b7a1e6dbf4136b8dc09acdf89

SHA256
4a91c854351e142c1d2552616eb387683108a3d34b311d3789d3b5a01ff48a2c

SHA512
f2e24c6028f582f265cdd93a8f55f580082028f4354fa2a1e2e6dc00f79ed6c666881901a4249b0276b0ce0212966641a6bfc3b75c7eadc666cee0996b573099

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
123KB

MD5
7bff08fef2fa17f962d7832c06ce29cf

SHA1
50515ea158b2f97dba11fe3eb1b5b6dfcc9f7672

SHA256
f6429d016b324d210f9583b3ec7d96d1cbf41d204769e3d8ca8d7dc8bfcf0be4

SHA512
4f4bb50e8878a8645c2bebdccb4cc069222654cdc22531900f2e0c1e11317986b916831ea8d36c725a2e98e89152f56174f7ae8b5988e946ab612184870213b2

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
123KB

MD5
4ac74453c706675ceaebd96d3c6a01c2

SHA1
a6ec99b4a934824917c7d7fb4c01ef602cea3e23

SHA256
e3d09c55a1b02cc8d256226f18e7c724ef35254715cea848d5a4a6a3b0a6e75b

SHA512
9462a772153b1dd7973d4b7dc2179ed1f33788b3c808c661654b1a583e2f0a68083512ca4c75320e5bfba9b1492d9b50c522faaa915a675c40e57299ad7f12ab

Download Submit
C:\Windows\SysWOW64\Hcjccj32.dll

Filesize
7KB

MD5
2ce1e39bb87a92cc53516fe96a951857

SHA1
b294d6e8eba8b1bafb43437622d6f0a3918ce026

SHA256
da1b4ada44e824f7a0fe9e4c0c44b322680f150eac6f973626fbe22edfc964b1

SHA512
09990d33b2249b5c6219b560e83f2f810e3db938515558e3d0fd8bfce097bdbe574d5fefe90403f62d87c6daf195776c96f6621e0ebd3b891b5d6ece31039c07

Download Submit
memory/400-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/400-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1044-24-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1044-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1212-165-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1212-71-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1876-94-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1876-183-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2120-158-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2524-197-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2544-129-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2544-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2896-108-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2896-196-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3056-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3056-79-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3212-192-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3368-138-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3368-48-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3416-120-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3416-32-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3456-167-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3480-139-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3580-56-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3580-147-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3940-149-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4028-103-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4420-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4420-174-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4440-176-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4524-184-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4560-122-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4568-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4568-102-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4824-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5116-64-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5116-156-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads