berbew | d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62

Analysis

max time kernel
114s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
Size

74KB
MD5

acf07ac7933f60bbe3780a49b879408c
SHA1

12d9b65315872db13a640781a4d27c1d82d64027
SHA256

d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62
SHA512

519df7acf1f9b3f944036df2a8ac367b0742bdb03ae48c561c8e30f314d7d49ded91786a7bb039139b6219431c46bcce215bc411382d497f905132ae2ff0ccef
SSDEEP

1536:so7s55qy7WLx3ShRNgzr5hzfHeN73ZCtcmastaMUea:s4s55qXLlSizVhzgiJUea

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
1372	Cfpnph32.exe
3280	Ceqnmpfo.exe
2760	Chokikeb.exe
3256	Cmlcbbcj.exe
1932	Cdfkolkf.exe
1036	Cfdhkhjj.exe
4748	Cajlhqjp.exe
1100	Cffdpghg.exe
2952	Cnnlaehj.exe
1784	Cegdnopg.exe
4952	Djdmffnn.exe
2940	Danecp32.exe
4340	Dhhnpjmh.exe
4400	Dobfld32.exe
2004	Ddonekbl.exe
900	Dfnjafap.exe
1740	Dmgbnq32.exe
1532	Dfpgffpm.exe
4612	Daekdooc.exe
4056	Dhocqigp.exe
2724	Dknpmdfc.exe
4392	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cfpnph32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4296	4392	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1372	860	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe	83
PID 860 wrote to memory of 1372	860	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe	83
PID 860 wrote to memory of 1372	860	d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe	83
PID 1372 wrote to memory of 3280	1372	Cfpnph32.exe	84
PID 1372 wrote to memory of 3280	1372	Cfpnph32.exe	84
PID 1372 wrote to memory of 3280	1372	Cfpnph32.exe	84
PID 3280 wrote to memory of 2760	3280	Ceqnmpfo.exe	85
PID 3280 wrote to memory of 2760	3280	Ceqnmpfo.exe	85
PID 3280 wrote to memory of 2760	3280	Ceqnmpfo.exe	85
PID 2760 wrote to memory of 3256	2760	Chokikeb.exe	86
PID 2760 wrote to memory of 3256	2760	Chokikeb.exe	86
PID 2760 wrote to memory of 3256	2760	Chokikeb.exe	86
PID 3256 wrote to memory of 1932	3256	Cmlcbbcj.exe	87
PID 3256 wrote to memory of 1932	3256	Cmlcbbcj.exe	87
PID 3256 wrote to memory of 1932	3256	Cmlcbbcj.exe	87
PID 1932 wrote to memory of 1036	1932	Cdfkolkf.exe	88
PID 1932 wrote to memory of 1036	1932	Cdfkolkf.exe	88
PID 1932 wrote to memory of 1036	1932	Cdfkolkf.exe	88
PID 1036 wrote to memory of 4748	1036	Cfdhkhjj.exe	89
PID 1036 wrote to memory of 4748	1036	Cfdhkhjj.exe	89
PID 1036 wrote to memory of 4748	1036	Cfdhkhjj.exe	89
PID 4748 wrote to memory of 1100	4748	Cajlhqjp.exe	90
PID 4748 wrote to memory of 1100	4748	Cajlhqjp.exe	90
PID 4748 wrote to memory of 1100	4748	Cajlhqjp.exe	90
PID 1100 wrote to memory of 2952	1100	Cffdpghg.exe	91
PID 1100 wrote to memory of 2952	1100	Cffdpghg.exe	91
PID 1100 wrote to memory of 2952	1100	Cffdpghg.exe	91
PID 2952 wrote to memory of 1784	2952	Cnnlaehj.exe	92
PID 2952 wrote to memory of 1784	2952	Cnnlaehj.exe	92
PID 2952 wrote to memory of 1784	2952	Cnnlaehj.exe	92
PID 1784 wrote to memory of 4952	1784	Cegdnopg.exe	93
PID 1784 wrote to memory of 4952	1784	Cegdnopg.exe	93
PID 1784 wrote to memory of 4952	1784	Cegdnopg.exe	93
PID 4952 wrote to memory of 2940	4952	Djdmffnn.exe	95
PID 4952 wrote to memory of 2940	4952	Djdmffnn.exe	95
PID 4952 wrote to memory of 2940	4952	Djdmffnn.exe	95
PID 2940 wrote to memory of 4340	2940	Danecp32.exe	96
PID 2940 wrote to memory of 4340	2940	Danecp32.exe	96
PID 2940 wrote to memory of 4340	2940	Danecp32.exe	96
PID 4340 wrote to memory of 4400	4340	Dhhnpjmh.exe	97
PID 4340 wrote to memory of 4400	4340	Dhhnpjmh.exe	97
PID 4340 wrote to memory of 4400	4340	Dhhnpjmh.exe	97
PID 4400 wrote to memory of 2004	4400	Dobfld32.exe	98
PID 4400 wrote to memory of 2004	4400	Dobfld32.exe	98
PID 4400 wrote to memory of 2004	4400	Dobfld32.exe	98
PID 2004 wrote to memory of 900	2004	Ddonekbl.exe	100
PID 2004 wrote to memory of 900	2004	Ddonekbl.exe	100
PID 2004 wrote to memory of 900	2004	Ddonekbl.exe	100
PID 900 wrote to memory of 1740	900	Dfnjafap.exe	101
PID 900 wrote to memory of 1740	900	Dfnjafap.exe	101
PID 900 wrote to memory of 1740	900	Dfnjafap.exe	101
PID 1740 wrote to memory of 1532	1740	Dmgbnq32.exe	102
PID 1740 wrote to memory of 1532	1740	Dmgbnq32.exe	102
PID 1740 wrote to memory of 1532	1740	Dmgbnq32.exe	102
PID 1532 wrote to memory of 4612	1532	Dfpgffpm.exe	103
PID 1532 wrote to memory of 4612	1532	Dfpgffpm.exe	103
PID 1532 wrote to memory of 4612	1532	Dfpgffpm.exe	103
PID 4612 wrote to memory of 4056	4612	Daekdooc.exe	105
PID 4612 wrote to memory of 4056	4612	Daekdooc.exe	105
PID 4612 wrote to memory of 4056	4612	Daekdooc.exe	105
PID 4056 wrote to memory of 2724	4056	Dhocqigp.exe	106
PID 4056 wrote to memory of 2724	4056	Dhocqigp.exe	106
PID 4056 wrote to memory of 2724	4056	Dhocqigp.exe	106
PID 2724 wrote to memory of 4392	2724	Dknpmdfc.exe	107

C:\Users\Admin\AppData\Local\Temp\d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe
"C:\Users\Admin\AppData\Local\Temp\d4e967619c4a88c6daabe422b439bad0f440ca2d146144c995d5f9a2e4341a62.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\Cfpnph32.exe
  C:\Windows\system32\Cfpnph32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\Ceqnmpfo.exe
    C:\Windows\system32\Ceqnmpfo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\SysWOW64\Chokikeb.exe
      C:\Windows\system32\Chokikeb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
      - C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 416
        24⤵
        Program crash
        
        PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4392 -ip 4392
1⤵
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
74KB

MD5
6548ce2d98a2d949c2036e370f3e11c3

SHA1
eade20b1668f9b6dd8d40bdcdbe28db785daa47b

SHA256
3a16c2523aedfe0e80637fb17ca1b0ae03118ffe971f4280340d2012282af6b9

SHA512
7a4f75ef1f2ef341d75bbad5c93d5fc7220a053dda2dd60a9502a0410a1b75a0f01fa03051c7d4fac14e79cf84c76321d96c6d3599534b200d9582830fc35880

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
74KB

MD5
be7cef90b7118839e86409e80004a80d

SHA1
d4963362aa12692f7c497fc322369455318762ff

SHA256
4a86fb99648f2a9c5abbf571c5756fbf95eb702d405c3bbd345873789bd14656

SHA512
b0c754cc98df9aae5f4508991cf2e8fb5e7f70a17906fcd744cdbff9b08c63f8b064f36664a576eaf5c2766363944f4020b500646d31922912f2d6dd646d7ebe

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
74KB

MD5
4c7399801faab97f0320a072a57fa6cf

SHA1
4b2ec35b806e1ed597047b9410905ca585b39083

SHA256
5dee690e2cef61a66e4dc9b88fe119a2100b7be980249f0811e1358a7bc2f856

SHA512
fbf074b67ee445c41499136d2ee2c2a1134235d59d19de37f73e8cba3954cf5984586e89ef4380a0834c60e7a0a9adde024116bd2980c75f5689dba78ad40834

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
74KB

MD5
7aa96f9d65403b94e086278c3e96918b

SHA1
94e97b74b4c6cd4782e8ab1f66fa755bed14f8c8

SHA256
ce16bfcd879ca8ebc8d6ef6b462c314d899511fb812be836c245029569fa51ea

SHA512
7ef4e6857cad4def8393726bd69b85c09cf69f46cc77a88718113a056f7754939dc69d5a733795b8576b9e181d0eb3f136274a82e8a1706469ca311f082d0150

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
74KB

MD5
3b73b46f837e5d8f9cb9d251607048e2

SHA1
472b92bc08b24d545d792329c31deb6e7225b87f

SHA256
bf2e8ea9bf8cfa856025d5e6755a7a9491767dcba5031bb8812c387dc401c264

SHA512
4d7798453033f5aa76fd3c9dda00727f5caf5ee68bc51d03a9639618cad1ae92cf7667691ab22463e7ba83e2e2ed1bd60efcb9f1097db35904d2bba96f782787

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
74KB

MD5
392321f30fe001cfb0fab37949ec0ef8

SHA1
2b49942fab4781c5d80e0166686a019f94b57eb1

SHA256
b47b65fd6c3ec1914cac9c7cd0be617c7c9255b3733f5e024bbf41c72f973ba5

SHA512
443066cb01c58fc294dee2986637f9c2cfcde1eb24e6a71f3744627bb9186bd02f0ef4abbf08e28d7a6ffaa610d36fdf92d006342dca86a5327eaa30e918549c

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
74KB

MD5
341f53c2cdb5a4ec7b038ca248e5dc13

SHA1
cf88a74e374d2a51d242d75c2b95a4ef53c8523b

SHA256
56507c42f9ac01ca48fcf8f1e3cf83c30d54a793e3609227667eb0605de4a915

SHA512
9161cdca06e4abfc2359304a46012a84d860379e9eb39f829ca70c13e063493a7729fadc38c3a57abf4cee9a983aab9ec458fbf14a4081723fd5830348bdcb78

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
74KB

MD5
87c05f1e5faf53ff995d6d22d9a89b1b

SHA1
59802d808c7b5bd3f3d341a5c55a6ba9c5704c0f

SHA256
6b6565d4f1f78c675fb23e7d399aed87e7ed562f1b6efb5f3512395477d8b499

SHA512
27ccdaa31675958cfe6e166fa8d108241eb0516bffcb76e391b90b11416e94f1c47d206d0cd44cbe5b912070fe664bc20042080ee710949a631b0c5d6f9def7e

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
74KB

MD5
5bcfd5e038ad2655f7cf35f58df84310

SHA1
752966a92ee44ba283ef65b3a43197eddbb06292

SHA256
c422f04f804f314ff7060a06e2d5a3679178fc7ff672a3b7025dd867b3ab90c3

SHA512
0ec58083b9647b872ea5932dd46d3e9894899bdd8f19a1342dae988765bb9d416354646fd6e8c7d6e1615ff14f1af731264bd2c3378d9c3f68831b9f95b24ca2

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
74KB

MD5
b4551bdda29ae0740646dfd96d405263

SHA1
9a624176362481d6ea86426085ce898d044444eb

SHA256
20d94deb7bbaa09c507b60cff28520b86a7b73629c41bdf3772785a09d958414

SHA512
ae76226fb0c7d19b1d1086a4034e330a3d4272a28b9826852dc9a28598f5d8aa02c8a917d31e83944a324e0f9cc538c46d1dfb1022e83d690d9ca5d30a045aef

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
74KB

MD5
8ac4c081421895f523774024a77f5bd6

SHA1
f784ea51f28ecf5030005d47b5fcb820c8511b25

SHA256
32771d5ee4b0af18dabb070dfd6fe3720491492acf351d32d40902d48b5db154

SHA512
128cfba0e7a81d448972f38dd1efd0054f7881cd8567c575805e23ad30eddd85f3d296e0030a15f3bf8809036366c4c40b20ac9547e4b0da1864d7b60be2c5e8

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
74KB

MD5
5ac279055b3976fa55f1826e000eca43

SHA1
d73a5093c61357a4a6800e685cda87d66dcf61e5

SHA256
29066b6e6fa477fdfa9e008b9b7d908b48ccaf8d3cd7b7efa3d019d7766ef192

SHA512
b4aa6f5c9a61a8ba0135c5be6704af443c6609a55bed4050cf9439c6b1b45558aca08334f72176614941d554a23d4637a6994cb3af496cafa0f21b859d4823ec

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
74KB

MD5
f59a23240ab0143c0f5498dc9e76cc2f

SHA1
cae432875e3ca136fc286ed93f0a2352315baa3a

SHA256
c5b447c322ef2313d26d55949c9e5e7795741bed4fbdd9254bf0e7e58c2091c2

SHA512
024751121f211dfd476cd07d6dab5f19e603f995366472e1625906469aff6d0403058522ecee92abbd32a6de20657a247be60c55a32ac2a148b67d5f99a35d30

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
74KB

MD5
e8dcfebb52c7ebd3e8c58f172ed40d7c

SHA1
213dfe18f9444b534a9d365a0e3c6237f341dbf7

SHA256
1df00cbec3c40a0a6b85cf4da95c916f508f16abc0e7d83a77aba423185e1002

SHA512
3b28ac685a424777314973f73b5ca02024281653f7ca1cbec7106c58875b6e598d8884f19e2d5140829b4b123ecaf0716e3ae0fdf1fa0abfa16b11f6876d29b1

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
74KB

MD5
b21bc4481f4cb8a6ac13255a9eb49a6d

SHA1
3fcc75f6789815a9a63ffe847d196846b64d7f18

SHA256
29ea57f36036021e3e02a84f175d057e180bc77677fca55e87fa17bd1b4e068c

SHA512
8ae16c044ca02bd249b94753c02e198bc601a9264c8a2771bcaa38d77475be5281e024295e90857894d5d51822647e3f1133a2686f35954157dc79724c309936

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
74KB

MD5
1d62e17d729871d3563a77ce90e18004

SHA1
4afad58614e7df54444b340a3a6e2acbfb7096fc

SHA256
0b15096c08f0ce78b2759014accf9b56b13b2e7d00727619c0050e1bea816ddd

SHA512
cc92a704d89fa18b983ad80f8aa29748c1e1e5f28ecc34658a8a8cd0b244647659375c9ed81e8f7f9578fb834df6124c03317f35068cc81aba23b2b512ae0379

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
74KB

MD5
654b9d7169a8edd8b69d44274dcb8143

SHA1
1b586816b32a07c2b5040eedd99181f96ee409bd

SHA256
1262e38aa431b6a77f7dfd7e10aa470e69e9665dd5ff62818fe5c25c10890b2e

SHA512
2dcf5da107f2b3113455162bb7f3f9929fd46379bbb09cb6578f7ba149dc22a6ad2d25e9beb7852fc990ed917dda5d258695e6069b2844718e22ae83913e93fe

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
74KB

MD5
a80e0755ca6f60c5c7fa74c2ed67a020

SHA1
286b54c3fcb9ffade0c5611fad6be87fb9fbdc72

SHA256
71963a4a918b21421af0ba6685d449cb85eba36e5fd11581c061bc55ebcf82cf

SHA512
2fe1cddfa8aeb3044a56e1df5ceefe062c3de8443e33738ad2ff072c40764cd475f6eea31358fcff5cee8ecbec0031f8df4985a1acd0794d6ef9b4ed0bd0e6b6

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
74KB

MD5
9a4e19bd7156c1667e1603e84ddb2624

SHA1
1f53a9b89145a45031d5e2cde3e1095704c9b9f1

SHA256
bb55e251d39eb08ec82f515fa93fcc424dd18d38eef4ea244ba40bf06a3a2285

SHA512
9c152b64d8b9131c985dba528cc591ffcd9c106ee51b79abe06baeed68c4c9e62a3721e962d2c9a7e655f40595cd8cfd6e36c5a8a7cf9d47997ee1faa1fc0894

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
74KB

MD5
8781baa654870931d41e5e9a520de31e

SHA1
977f820db5f87ad050a7aeb5c5e4efbaa3e62582

SHA256
9458f5bc0e14e7bdfa9e2fa3b6390720a07a24b251ef8886c9ee96c541d8e0d7

SHA512
d5896f86cd9990d787b103f2effaf2f27181d27f724924418c15c0208f607042458ff6b2bd16f7b1a3a2e0c11a018ad69bd8b754d0439cdcaafa9d297e9fa393

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
74KB

MD5
d85d4ed11708506977ac27f04419a52d

SHA1
b7d52dbffe7c58bbe1d3a3e4e8dc2c5690820ccb

SHA256
a1721cdee60c45fda42c7deb423cddac87ee78ebe13e848c022abcac1cc00ca5

SHA512
85df4dc4555748854962d8cebeec706942d431656be77be000c7b7f7b6fde27f08eebb0175aae819eb988eed07eb5bd323de5bdcdc3e10d457237dfdce38c89b

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
74KB

MD5
6494e79abae443841f912cc2b34bfc55

SHA1
b1145b94a6e712fe41071832cdd840252a80fce3

SHA256
6fd257841161913c1d19656f2d30e50fe0347c65693a3b1534d72d1429196a68

SHA512
05586823d788677e02174d7058b61ac728bb88643a2257e4da2b6c4e5ffb1f21c78d5e61455d956d9403cebb320ddb8bbcfe0212a6518bf1a6795afc43e49946

Download Submit
C:\Windows\SysWOW64\Jffggf32.dll

Filesize
7KB

MD5
8814a6123757c250f07fd8b97772a28b

SHA1
6b5514ae25065464b7de9d19b00e09cafaafefc3

SHA256
c29b6ace0d8ad51e12e9aae9c876f555b620c61489fb272e89eecda3c72ebd4f

SHA512
0423fdb788a1cb69dd209ef637f547ce0985175fba05a97b890bafffcd97024f6c95be55f198c460e4389e166757f695a7e06ebda5cbd87d8dfe67b92630e8a3

Download Submit
memory/860-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/860-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/900-132-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/900-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1036-48-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1036-193-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1100-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1100-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1372-198-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1372-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1532-180-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1532-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1740-181-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1740-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1784-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1784-189-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1932-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1932-194-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2004-184-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2004-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2724-168-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2724-178-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2760-196-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2760-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2940-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2940-187-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2952-72-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2952-190-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3256-195-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3256-32-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3280-197-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3280-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4056-160-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4056-179-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4340-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4340-186-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4392-177-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4392-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4400-185-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4400-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4612-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4612-182-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4748-192-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4748-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4952-188-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4952-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads