berbew | 915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
Size

64KB
MD5

a46d256853671c9a4e9a0a7520e426c8
SHA1

91cba7b6832c62f44cf5b0ac91c679d6c453ce22
SHA256

915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03
SHA512

d41a4865d7c37e537b2739fb023671cc6595d89c3a9386609a8fc6e6a5959d049886fc2ffbdc117febf84eef9b32491722ef6a15f8ce58d8b1a6a73dff2c2799
SSDEEP

768:2T3OENxoviKUnQMqbW9RgYeCnSVBgZeHuCDKZtjDZlBL202p/1H57ZXdnhaBGHB4:I3xovO2sOtCnd3bBLj2L9sBMu/H1

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 22 IoCs

pid	Process
2828	Cfdhkhjj.exe
4976	Cnkplejl.exe
4832	Cmnpgb32.exe
3056	Cdhhdlid.exe
1168	Cjbpaf32.exe
2872	Cnnlaehj.exe
3112	Cegdnopg.exe
1528	Dhfajjoj.exe
4452	Dfiafg32.exe
2528	Dmcibama.exe
1232	Dejacond.exe
3788	Ddmaok32.exe
2620	Djgjlelk.exe
1484	Dmefhako.exe
2396	Ddonekbl.exe
312	Dodbbdbb.exe
3312	Ddakjkqi.exe
4188	Dkkcge32.exe
804	Daekdooc.exe
2540	Dhocqigp.exe
1640	Doilmc32.exe
3616	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1560	3616	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2828	2824	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe	82
PID 2824 wrote to memory of 2828	2824	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe	82
PID 2824 wrote to memory of 2828	2824	915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe	82
PID 2828 wrote to memory of 4976	2828	Cfdhkhjj.exe	83
PID 2828 wrote to memory of 4976	2828	Cfdhkhjj.exe	83
PID 2828 wrote to memory of 4976	2828	Cfdhkhjj.exe	83
PID 4976 wrote to memory of 4832	4976	Cnkplejl.exe	84
PID 4976 wrote to memory of 4832	4976	Cnkplejl.exe	84
PID 4976 wrote to memory of 4832	4976	Cnkplejl.exe	84
PID 4832 wrote to memory of 3056	4832	Cmnpgb32.exe	85
PID 4832 wrote to memory of 3056	4832	Cmnpgb32.exe	85
PID 4832 wrote to memory of 3056	4832	Cmnpgb32.exe	85
PID 3056 wrote to memory of 1168	3056	Cdhhdlid.exe	86
PID 3056 wrote to memory of 1168	3056	Cdhhdlid.exe	86
PID 3056 wrote to memory of 1168	3056	Cdhhdlid.exe	86
PID 1168 wrote to memory of 2872	1168	Cjbpaf32.exe	87
PID 1168 wrote to memory of 2872	1168	Cjbpaf32.exe	87
PID 1168 wrote to memory of 2872	1168	Cjbpaf32.exe	87
PID 2872 wrote to memory of 3112	2872	Cnnlaehj.exe	88
PID 2872 wrote to memory of 3112	2872	Cnnlaehj.exe	88
PID 2872 wrote to memory of 3112	2872	Cnnlaehj.exe	88
PID 3112 wrote to memory of 1528	3112	Cegdnopg.exe	89
PID 3112 wrote to memory of 1528	3112	Cegdnopg.exe	89
PID 3112 wrote to memory of 1528	3112	Cegdnopg.exe	89
PID 1528 wrote to memory of 4452	1528	Dhfajjoj.exe	90
PID 1528 wrote to memory of 4452	1528	Dhfajjoj.exe	90
PID 1528 wrote to memory of 4452	1528	Dhfajjoj.exe	90
PID 4452 wrote to memory of 2528	4452	Dfiafg32.exe	91
PID 4452 wrote to memory of 2528	4452	Dfiafg32.exe	91
PID 4452 wrote to memory of 2528	4452	Dfiafg32.exe	91
PID 2528 wrote to memory of 1232	2528	Dmcibama.exe	92
PID 2528 wrote to memory of 1232	2528	Dmcibama.exe	92
PID 2528 wrote to memory of 1232	2528	Dmcibama.exe	92
PID 1232 wrote to memory of 3788	1232	Dejacond.exe	93
PID 1232 wrote to memory of 3788	1232	Dejacond.exe	93
PID 1232 wrote to memory of 3788	1232	Dejacond.exe	93
PID 3788 wrote to memory of 2620	3788	Ddmaok32.exe	94
PID 3788 wrote to memory of 2620	3788	Ddmaok32.exe	94
PID 3788 wrote to memory of 2620	3788	Ddmaok32.exe	94
PID 2620 wrote to memory of 1484	2620	Djgjlelk.exe	95
PID 2620 wrote to memory of 1484	2620	Djgjlelk.exe	95
PID 2620 wrote to memory of 1484	2620	Djgjlelk.exe	95
PID 1484 wrote to memory of 2396	1484	Dmefhako.exe	96
PID 1484 wrote to memory of 2396	1484	Dmefhako.exe	96
PID 1484 wrote to memory of 2396	1484	Dmefhako.exe	96
PID 2396 wrote to memory of 312	2396	Ddonekbl.exe	97
PID 2396 wrote to memory of 312	2396	Ddonekbl.exe	97
PID 2396 wrote to memory of 312	2396	Ddonekbl.exe	97
PID 312 wrote to memory of 3312	312	Dodbbdbb.exe	98
PID 312 wrote to memory of 3312	312	Dodbbdbb.exe	98
PID 312 wrote to memory of 3312	312	Dodbbdbb.exe	98
PID 3312 wrote to memory of 4188	3312	Ddakjkqi.exe	99
PID 3312 wrote to memory of 4188	3312	Ddakjkqi.exe	99
PID 3312 wrote to memory of 4188	3312	Ddakjkqi.exe	99
PID 4188 wrote to memory of 804	4188	Dkkcge32.exe	100
PID 4188 wrote to memory of 804	4188	Dkkcge32.exe	100
PID 4188 wrote to memory of 804	4188	Dkkcge32.exe	100
PID 804 wrote to memory of 2540	804	Daekdooc.exe	101
PID 804 wrote to memory of 2540	804	Daekdooc.exe	101
PID 804 wrote to memory of 2540	804	Daekdooc.exe	101
PID 2540 wrote to memory of 1640	2540	Dhocqigp.exe	102
PID 2540 wrote to memory of 1640	2540	Dhocqigp.exe	102
PID 2540 wrote to memory of 1640	2540	Dhocqigp.exe	102
PID 1640 wrote to memory of 3616	1640	Doilmc32.exe	103

C:\Users\Admin\AppData\Local\Temp\915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe
"C:\Users\Admin\AppData\Local\Temp\915f039ca9618e79b6b3162ca830b822c6afd4be51e806caf3542ba2d2b8ff03.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\Cfdhkhjj.exe
  C:\Windows\system32\Cfdhkhjj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\Cnkplejl.exe
    C:\Windows\system32\Cnkplejl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\SysWOW64\Cmnpgb32.exe
      C:\Windows\system32\Cmnpgb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4832
    - - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 404
        24⤵
        Program crash
        
        PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3616 -ip 3616
1⤵
PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
4bf3571930b89d333455bfb8967245e8

SHA1
5b850368966fe528b5a045e2f620d2e5367b587a

SHA256
80acabc8102c7412ec903cd74dd616581909399a28929e4575471db422f72190

SHA512
9a44a508b0980f3b77512d0bb1f5757339ef851bbe8481506270bbb03e9e3142e2459aea3612a959e06d46521fa597495d559dc8016f49eaa2cb7fcdf3204498

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
f0004e78b21de86be4e29e14aad2a6de

SHA1
d4f3fd84c2f91e9974c7e461e409fca78addb031

SHA256
fea009f2761cd4e31c4579ac53394349d15716e4e9e39e06615b55d6414bc0ef

SHA512
7b37e0d241c4508018ed8457f2b7e966842498bc7684a2efd2714a49e5dd4d366b825947285ff22ddf0f97a49f71f7086bad97f2a9fb27a4dd2beb4409fc879f

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
e3396137be0cdf1a45985141144ecbbd

SHA1
eaff0bb986fd05f20e49bc47a684c8f0c18441c3

SHA256
7e8fe9c472ad9ae2523eb2a57d465f7a6bd997b5ee5734b1e0845f426f26fd1c

SHA512
9ce759224288759766aea744a53a455681f54cd39e593d98b53e60093e4d367d46e65cce844a4f54120b7382a3022bcde2b9751d8939eadb1e55c1fb5c22e032

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
64KB

MD5
d15027fcc166f53273a5acae645b3e89

SHA1
523db6ee0b4eaecefd36dea9b83ed5fcd0444dd2

SHA256
6cf820bbe915c903eeacac9cb61ad0be3369af1a616d29b01670877e9ddd05e6

SHA512
0ed900177aa0637f5dcb003fe404a0aad4780fc766100602d1c23158134fd1f958aeb56cc42b7c20e1a4b5d58fa01857c789d72037996bce0aa92f1adadb8354

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
716a171d7b0b9227daba23044ce5c1d6

SHA1
9bafb8425ebe86a09e46ff120fb9ef352184bc55

SHA256
ccc91b6c019cf193ee80b0f13a35947c63e59ef4eaa35b76c106496a3931064b

SHA512
96dd18c4e25974d1fafb7e7b4e1f4b4a37bcdc9fa31edef0b68d98db0983bf78638a10e27258d52d6768da3b330e0ea788b0ee2e407902de0541c168ffee2ad8

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
64KB

MD5
17789a49ee4ce48b108f4d8181992006

SHA1
54c29fca869fb70cde8ffa5d7e4d93e2c15ab093

SHA256
62d9037148579f667987f2e28b1175505bd97cbb02d21ac5feb79f186171c361

SHA512
976b97788814b6ccd0fc8b68e6f886f5adf0902200267c2b8ec16dc5c5e4d326ea12a7700daeb9579df8389d477a98fbd2928f0c7a7ee13d11d1ad016e174438

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
7989c739eba4fc6b0256612215f747eb

SHA1
f2e8cdae613ebfb92fb5a8c45e034c3ecdffcbbd

SHA256
08cdee7823a86cdde02c62e145c6124278d667d07a04262af6ca62189ffaad91

SHA512
6a1c25d6f8d7dcfb7914faf994f2ea74fcb05a42539edfe14bfb9d1bcf5ea665d0fbad7f42048607f337fb51087a0f9881539a8a8f163f19f8d28f1a8045941d

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
b0b7777b8db45abb67779249409a4d5e

SHA1
fbc5b923c64b39e65acf5ecd874ba8b8cbe6ff8c

SHA256
afe0ed9abc67a1c83c41d8ffa3a421f74376724920141dbf118afe6f89f7e08c

SHA512
c6a77c56d14dfb4acf464a795ff636a133ce21ffd317b203174f00400f5280986bc2aab6092642d41bfd238d62664572c3d6aa39d2160542e0ef48ba902300da

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
64KB

MD5
f17e2ae92428c49d27bb925e4a517125

SHA1
0fd4988f76b80e52df28df6a42239ae6561688fb

SHA256
431766a2ac5c275ec8344f52ddead45f6bbc42a1cfc9354891174f2678847602

SHA512
63a450fddb8dd3e18ec24ad1d6c9bbc1b2578d65037189e262e74e6ed3af4c97516d8329a9fd3ed57104e9c0b75e4a02b394b76c51fa3239881ab727fd5966b9

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
4c7c2b99df15b0ab7f8131fd281a70d0

SHA1
ef9ee230ea36ef844935b1c1811c158db2fa72e6

SHA256
e236797d6ac0509a2ff19517954a043740d32909cf6bb378ea2dc034d0970ca9

SHA512
64e06bbaf58b97807827ef3232ace71aac6a5a29225b362a31458c4f9a6053d72e975f5d63ab6ca4eaf4919327116b560a10ed539127b78d1985b88c40d98931

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
64KB

MD5
4302a627330aa161baa6fb9f44755f79

SHA1
ebd05d481ef3a308ccf6d5455e112701cd204651

SHA256
2d98618273bcbc5659f51d6b59558891c44414de7b43bd6dfb52017a997a8748

SHA512
07feab2dba18e0c0cde1a0b5b5647b8c96bd74e8288c5f0ca2c16fe12635b4c1e6906c2f0e7fbfa1412f1e2195bb526049ac96d25377f90593094a63a5a4b1a3

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
64KB

MD5
18b03ab1bb7f2c97ffd88d9c1ccb715b

SHA1
e8881437002409ae51277f3e68ee5adc670973c4

SHA256
ce0e29087634a6f8581cccc975ccacc0e71fbaf279bbf5198c5507a0ef35f9be

SHA512
9b766ceda35ca9856f5296e7df0985482d92ebc7235de3816760984e26a3dd5152a83d13050a12dd9513494f5757d2be52bbb0d069fc85fca5414a75a9f613a4

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
64KB

MD5
141a7843ac1f09d7ac8c2770b3f4ee1c

SHA1
1dfa6a367c46ec5a2f5f93acb530a76cf1d22a24

SHA256
433a1264686f4d60ec87078b84e91b7bb4c11a0967bbd533d0de66402b2e1194

SHA512
09f438720abd15943bcd00ebc30db18e5bb927e765d3b5eeba2b4adfb794557c48d9af9f88d51db6a7a47a59b25b2cb62ef59d8cc2680c599f85dfc3f1ef17ef

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
935580dbc2dc30cca5793190796c38f3

SHA1
a16e2e28a63f6d3120c3fa302e97c76aad3f022d

SHA256
92b7c9143e95ba8c52d171bbdc18e2271b5042a872a5d6cd6adb838d4512dbc8

SHA512
f5171c5f8a1348c7e1eed76e0a965a2bddd360c5b1901bd8f4c4f8961f6832ff45cfb8a817b09fe76eb6e179ee448ca5bb15fbe0cfc319f59a934b9285d0b355

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
64KB

MD5
510476e3ccf7400e8e61def8568928c4

SHA1
a6838beed2bbd6986897c5d881f02eab04c338be

SHA256
ee07b692edd479ccd50ad8a02acef4f630a18e1752e03b2317630b15f4c5cda2

SHA512
3f8b2d6998dbf325677b876f3c6836252e0aee065cba8c6c13e01a8e6ca6e242fec9cbd4b78c948688b7013cf2bd1131343110be2802709c147d97934e688cca

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
64KB

MD5
8f10c68878bc9a5070c019c5348ad06e

SHA1
9fd324b37458c037b4fbd37d56276c0fd3dcb920

SHA256
81df4bf2d0f0a608ef585188cf2b7b08ad21aca40d43af268ccec532cddf0426

SHA512
1ff6267f500f0ee10e6f6e2ca221b060ee0ac8f12553f667d9a986a681f5dc5b53a860877302e724f8c9359501e63b38df9980bc5e47ca4a96465bfaf1dbdb75

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
d661f23391ffb6fef9f56928869d5c54

SHA1
bb566483f79db22e4943aea67b47dd8baef47488

SHA256
38b213f92b8353e2d69551163027ad37a179db3a81636f07e5a8470bdef145c5

SHA512
298ec0a44bcb9c7dac1a773c558f311ffb27aead884658e513fe730e010aa2126bf9edc9366fe3e78766d84acf6e6d53001a92d21fbe379cd7cf0e8bcf548043

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
64KB

MD5
49ec6e90c824ee7733832bf83b000063

SHA1
31d34db622e5252b5abec9d7d5e64c2da5b3e1de

SHA256
9ecaf1d1525b7250ebe62c20b14b2acbd3043a6cccc43645d70905a6e7cdd75f

SHA512
28a5a61f0e09d4c0aeb1bb01ba2ddebdead3a4b6c83843fca84239db867de81d96fe49069c01cd2c732bda665e01ca2d52a6a297b29435df7a6e634b15a51c91

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
64KB

MD5
7d03811d785346406b095999fa3cfc1c

SHA1
ff433bfa5b7e34d4e783011db03c008f2e09600f

SHA256
d3c0e866d9644c6a91743b5400e70df9a14f12d30281fda4c8e7b0e87c11222d

SHA512
67d4acb2eb899613147a6263d65ca3d52c1d32bca2ba60eeba225c5b2969c559706d88708d5ef99e077ea05339604de3c175e0dc3f92a115758f97163493ae5d

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
06f314488c5df9f23f2d499154162e25

SHA1
43574b9cb6fc4ea7dd97849a764f710dd4dc9fd6

SHA256
4c92665ff9f7892a358c1cf40e00f4afa13b4ea9d015c6e5cc29b23942f691af

SHA512
1b8d87f5c6121c2e2da93b76593ca23f38ce2aef0fedb424f3af8cef6071d41979a670c3992186bf777e88561bf030f7b89ab9760027819f25e63a62c527517e

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
64KB

MD5
9a766e8343710393a1e2f5d4a7161f08

SHA1
90775bcf01fbe9c95272b66891c495a29c39f8c7

SHA256
9b716f0351d923498a2229b13869a8e10aa1ea18f83548bc7e7569506a72dfab

SHA512
499061f3eb5c7476df1691465b490262d10d721ca4c854bede4827c3c28b431e8cc83a7475182fc58f58cce44f517bd71f4b968e08f5791987ef0730c2d611d5

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
64KB

MD5
c8749aac300c3c0a5e7d368920f56b03

SHA1
7ae7680a0cc11d8607112bc7048117db930c0a55

SHA256
364f61b0e6046ee9e6d284b0cbbbb4c1b4df609acb0b1e546f480604654f2814

SHA512
4398eb84137b9515eedac1df634deb4a0957c1fd348edd0181ea6429a5789107f7aae3e392539226aded37eadacaf538d7a423df947f67c33f42e7f8f057c75f

Download Submit
memory/312-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/312-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2824-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads