berbew | 73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58

Analysis

max time kernel
93s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
Size

224KB
MD5

d63bbe7fa3223fb14b08bf47d0a6d510
SHA1

860fa571ad9d506caa3f33f2b64858c5084c3487
SHA256

73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58
SHA512

6419152f7f95b273258e9dc1fd351a384b7f4a69806d6bdf74c44cdb9a7945456984fb36492c61da1b29b8a20cac993de670c91034b3a594be5424ff574d64f1
SSDEEP

3072:cFDw294NIuYUvIMDrFDHZtOgxBOXXwwfBoD6N3h8N5G2qVUDrFDHZtOgtSU:cGrL4s5tTDUZNSN58VU5tTtf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
2700	Chmndlge.exe
4844	Cnffqf32.exe
3660	Chokikeb.exe
4572	Cagobalc.exe
3788	Cfdhkhjj.exe
2916	Cdhhdlid.exe
1548	Cnnlaehj.exe
3548	Dopigd32.exe
1624	Dhhnpjmh.exe
3312	Djgjlelk.exe
2036	Daqbip32.exe
4704	Dhkjej32.exe
2476	Dkifae32.exe
4104	Dmgbnq32.exe
3624	Deokon32.exe
2496	Ddakjkqi.exe
1488	Dfpgffpm.exe
680	Dogogcpo.exe
636	Deagdn32.exe
2432	Dhocqigp.exe
1808	Dknpmdfc.exe
4608	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cfdhkhjj.exe

Program crash 1 IoCs

pid	pid_target	Process
4672	4608	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 2700	3564	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe	83
PID 3564 wrote to memory of 2700	3564	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe	83
PID 3564 wrote to memory of 2700	3564	73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe	83
PID 2700 wrote to memory of 4844	2700	Chmndlge.exe	84
PID 2700 wrote to memory of 4844	2700	Chmndlge.exe	84
PID 2700 wrote to memory of 4844	2700	Chmndlge.exe	84
PID 4844 wrote to memory of 3660	4844	Cnffqf32.exe	85
PID 4844 wrote to memory of 3660	4844	Cnffqf32.exe	85
PID 4844 wrote to memory of 3660	4844	Cnffqf32.exe	85
PID 3660 wrote to memory of 4572	3660	Chokikeb.exe	86
PID 3660 wrote to memory of 4572	3660	Chokikeb.exe	86
PID 3660 wrote to memory of 4572	3660	Chokikeb.exe	86
PID 4572 wrote to memory of 3788	4572	Cagobalc.exe	87
PID 4572 wrote to memory of 3788	4572	Cagobalc.exe	87
PID 4572 wrote to memory of 3788	4572	Cagobalc.exe	87
PID 3788 wrote to memory of 2916	3788	Cfdhkhjj.exe	88
PID 3788 wrote to memory of 2916	3788	Cfdhkhjj.exe	88
PID 3788 wrote to memory of 2916	3788	Cfdhkhjj.exe	88
PID 2916 wrote to memory of 1548	2916	Cdhhdlid.exe	89
PID 2916 wrote to memory of 1548	2916	Cdhhdlid.exe	89
PID 2916 wrote to memory of 1548	2916	Cdhhdlid.exe	89
PID 1548 wrote to memory of 3548	1548	Cnnlaehj.exe	90
PID 1548 wrote to memory of 3548	1548	Cnnlaehj.exe	90
PID 1548 wrote to memory of 3548	1548	Cnnlaehj.exe	90
PID 3548 wrote to memory of 1624	3548	Dopigd32.exe	91
PID 3548 wrote to memory of 1624	3548	Dopigd32.exe	91
PID 3548 wrote to memory of 1624	3548	Dopigd32.exe	91
PID 1624 wrote to memory of 3312	1624	Dhhnpjmh.exe	93
PID 1624 wrote to memory of 3312	1624	Dhhnpjmh.exe	93
PID 1624 wrote to memory of 3312	1624	Dhhnpjmh.exe	93
PID 3312 wrote to memory of 2036	3312	Djgjlelk.exe	94
PID 3312 wrote to memory of 2036	3312	Djgjlelk.exe	94
PID 3312 wrote to memory of 2036	3312	Djgjlelk.exe	94
PID 2036 wrote to memory of 4704	2036	Daqbip32.exe	95
PID 2036 wrote to memory of 4704	2036	Daqbip32.exe	95
PID 2036 wrote to memory of 4704	2036	Daqbip32.exe	95
PID 4704 wrote to memory of 2476	4704	Dhkjej32.exe	96
PID 4704 wrote to memory of 2476	4704	Dhkjej32.exe	96
PID 4704 wrote to memory of 2476	4704	Dhkjej32.exe	96
PID 2476 wrote to memory of 4104	2476	Dkifae32.exe	97
PID 2476 wrote to memory of 4104	2476	Dkifae32.exe	97
PID 2476 wrote to memory of 4104	2476	Dkifae32.exe	97
PID 4104 wrote to memory of 3624	4104	Dmgbnq32.exe	98
PID 4104 wrote to memory of 3624	4104	Dmgbnq32.exe	98
PID 4104 wrote to memory of 3624	4104	Dmgbnq32.exe	98
PID 3624 wrote to memory of 2496	3624	Deokon32.exe	99
PID 3624 wrote to memory of 2496	3624	Deokon32.exe	99
PID 3624 wrote to memory of 2496	3624	Deokon32.exe	99
PID 2496 wrote to memory of 1488	2496	Ddakjkqi.exe	100
PID 2496 wrote to memory of 1488	2496	Ddakjkqi.exe	100
PID 2496 wrote to memory of 1488	2496	Ddakjkqi.exe	100
PID 1488 wrote to memory of 680	1488	Dfpgffpm.exe	101
PID 1488 wrote to memory of 680	1488	Dfpgffpm.exe	101
PID 1488 wrote to memory of 680	1488	Dfpgffpm.exe	101
PID 680 wrote to memory of 636	680	Dogogcpo.exe	102
PID 680 wrote to memory of 636	680	Dogogcpo.exe	102
PID 680 wrote to memory of 636	680	Dogogcpo.exe	102
PID 636 wrote to memory of 2432	636	Deagdn32.exe	103
PID 636 wrote to memory of 2432	636	Deagdn32.exe	103
PID 636 wrote to memory of 2432	636	Deagdn32.exe	103
PID 2432 wrote to memory of 1808	2432	Dhocqigp.exe	104
PID 2432 wrote to memory of 1808	2432	Dhocqigp.exe	104
PID 2432 wrote to memory of 1808	2432	Dhocqigp.exe	104
PID 1808 wrote to memory of 4608	1808	Dknpmdfc.exe	105

C:\Users\Admin\AppData\Local\Temp\73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
"C:\Users\Admin\AppData\Local\Temp\73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\SysWOW64\Chmndlge.exe
  C:\Windows\system32\Chmndlge.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\Cnffqf32.exe
    C:\Windows\system32\Cnffqf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\Chokikeb.exe
      C:\Windows\system32\Chokikeb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
      - C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 396
        24⤵
        Program crash
        
        PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4608 -ip 4608
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
224KB

MD5
38dc50b307b3216529d33c22be69591f

SHA1
3747dc2d876fd147e7e8ef2bed43bb0dddaf1fc2

SHA256
f507fbcb70e6c1b7ada171396a12162a0100b994c70339259d9d8554f9d7a9ff

SHA512
8d48bdf970234cd660a353d89ad3d5f5aaa87db8b50fc30f13a1817ff542fefcf378dd941b4d9dad9643f8065814b4528ba0337ce53d778ba9ea93421b854a98

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
224KB

MD5
cdb0e2a087ed69b9a12f1ef31a1dc324

SHA1
e7ca2daa89bc2caf0a0f66bd300fb680a8f44d41

SHA256
46fdd43142ed7c61582b843aea44854747b012bae30d17a301e98a65bc67ce47

SHA512
b61ea3a72f59f9fa2d7ab20db66baa8d8c3e14debc14a86048eaa2cc058de26ab1ae3b656f86a903061d8b5d9127192a01aa601e1661258d0195825ac68eb143

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
224KB

MD5
17e7ed38b09691c977616977e265653d

SHA1
7421111cfda2a1171154b63adba97559e2080cdd

SHA256
413495200d0e39095043919e8ce84fa381a974ab1f1c73e6ddd272169ff9d213

SHA512
6e5b148bde8c5150a6de91d7f2b06afebbd31b96d0f13d682a552954c83a645fd88a3645b3d14a1269eba1578139ac0bb2ea4793c7f12cf674c1368cd67a3e6e

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
224KB

MD5
d7a25f6c6956483420d7c530756923d7

SHA1
b618b089b4b7e7bf1bfb3a9e95fa5be6447d70b4

SHA256
cf52af3c7d4c015d9b1a69f7aa8aa08690b39165698ec7c4cfa673fbee7c7174

SHA512
be9084ec0972324e2671be81df9b9ec2aaa290781b83abc920dfc7f2aa2ea6ad6e6a7a2a19594551f70f9d98b4d99ffbbae2c9787d76dc78946302bbe3bfc2f5

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
224KB

MD5
da701bdd6045d0d97f79cf96a815e93d

SHA1
b996532c11d6a84c75b93136982b5e04d438d8d4

SHA256
55c5be04628d313c7ee7e28ce85ccd009af2569246c15beb34c1b1ef1d90278b

SHA512
5f0a833371a545571adf776a2b3c767676cf2d52824b5ca62caa8d90bbc70d343bb8d072e152cd4be41347614d555907e5d414d0b36ae0e3570924f8eaf42fad

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
224KB

MD5
609600391b52d6f0ebcb7a8254e675aa

SHA1
63eb076c532639360f63559d2de76810695b0ac7

SHA256
63fe9a4eddaac4462671e2e98116d3e3fe676cd7476505c0a9e3572e6db4e06f

SHA512
d5efbe814533d4e599b057052f2bcc0fcb4a8762808d58b19989f6eaafc5532ac47f76308fba6e5ef491d58e613045769ae5ae0aaa94d0a353869608a4fe5e6f

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
224KB

MD5
1846ba31b7c9f43d11441811dd8fdb28

SHA1
98bd4a2ef3184e11ed1478d65f94fd6197467a6a

SHA256
0dfbe4c7668c8a08940f5fadf847dd80602651ee2f29ac35b8caf4994b63b3fc

SHA512
dce5071cc7485f324326105165314f8601cbaf04a8d3d8d02701f41ee788fde40891154ead2991bb3a283eb61bc77d57df1eb2fcaa02dc2217945021d254445b

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
224KB

MD5
828bbfe1a138abbc7ca918ccb95b7ec1

SHA1
fcd1ed35e613b203f42dc2f51eb188772952b056

SHA256
a62503869cc910a1d484baf99cf602f62dbb98ec40c4fe669d71ec98356df15e

SHA512
4525f41679c6a821b11f899f3331938a096d818654258d59a9f0a3848a254e4ec169ec354b487ee8fc1c933a36e3708bd914a1476d96d386bfdd654751250d37

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
224KB

MD5
00c3cc19198bfb36cb2b933c6b708545

SHA1
c8391082c38b97ce402c24c378f955045e7f76a6

SHA256
854dc732674e9851cdc39fad4a44afe2c35911bd3dc80cf1e4926e0af8327f31

SHA512
8dc88b7029b9e074f47bc384d081243eae2d02a703f3102a11d94d798f95656064d6a8956a58992b16739737a42386150ad25359600f7d772a75270484120724

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
224KB

MD5
1111b845b5fb7884722eaa2ce60b561a

SHA1
2a9eb4890f29cf1b81374967a3a028c2ba5df990

SHA256
f28a79adc447b0d7f3f45d832ebbd9d46b3db22f4d0ba06981120812b3933e7c

SHA512
c82a41800f897c964ca9662328836dc9171c36f97714e8bf0f31d797bc16d4a50d05754cf3e01edb9786964bbe9030e8b52c2a4d5ffb32f253ca0791d3ccb54c

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
224KB

MD5
fdaac23eb1b030e378dbfd924f2cdc92

SHA1
369446c726db5efd1c0fc4984d2cdc68aca9f791

SHA256
d81d11c3c1e2039a847dec992b5c835ba6b9cb34e14ff861718c678fb9799bc4

SHA512
378a98d88ca4f7bcf91d8a34315f12d30b18ccfc9ed032fe62286d0c5a47490c850cec5c420d8708ce3a57d939f3c20c504f3b887e79b5e654b3632d786e4f2c

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
224KB

MD5
44c1c1328b6e078ce96f4f1942844559

SHA1
7d9db607acc7e099c67c407d548807445119d833

SHA256
20e88e7a16d077dfdfa1aa302fa50fa68753248c498e1adc6c6f9e10b5de4fdb

SHA512
53f6d6126c8e693402df6d9da666b765bff6df6e3a125ff2067f21ef48ffe62603632fe6a3a0dc1b6b444bfb27f395f38de2df0ddb80cd2ee129cc2935e66b1f

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
224KB

MD5
eb6e854327c89abf17cea59c6a304916

SHA1
6f3e487ed79c2a698362c27331354fd9e720698d

SHA256
ef3290861374a27a5fe37913793f3888dc461aea28104c99a36e0d39ac0f67f3

SHA512
95385cd2c2857ed41c33089fe5ea1ef94aff7e91b8cb5ab20e9b02476c6c417c5903f5743600e1e44eb31c8036f15c47c40fbc2a005a39d85f6f40bf3c055f6e

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
224KB

MD5
5b3d42e15c1b19537ce8802c8e889294

SHA1
5b337d9197a23e771cd6a36bcfb91d8263a601bd

SHA256
6dcd038778362508c5de3c14652bfefb8b0cb4cb8b6ff28332607e61d3f36453

SHA512
83188e9e1b48a2ef0cf0df6221d6ed5c5f1e29edf51730e386d1385ce5c1280a8451a3efe5fdfaddac4e6702c5f99e8215f3be58e392be272e068c263533db7e

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
224KB

MD5
df7f72ce314d15d18da6b6b6d762b577

SHA1
359d4b50b553e88220b3218cb8f56f4dd6d8e861

SHA256
40acedd992bac8136a0ddff57c796c80ad3cae0936ded9974acfb464af5c45d5

SHA512
451d598548737a3f4ddfcfbbfcd30b443c386a6177e04e7969760e38bde981bfe2e3fc12a364a5e945ef32a77627e968d1b12d02c7151e50dbb33f121dbeda3f

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
224KB

MD5
e7f4651f67f607f060e5ed71aa653c4c

SHA1
dc3e7c333f46c42729c1b0cf01b6786da3bed4c9

SHA256
13e7aea555d00ad308b6b9e3ab2f41b1ccc613a4f7095e0ac80f89ebf9f0d078

SHA512
4c1acbf1a89fddfca1b59e5adf5377444f855691d7673b2cf1c17f9b8b14f3b25eda7ef1742e6682702a04ac22b89ee1c5fdc92eb07409e87955371a70528c0b

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
224KB

MD5
8626ce4dae4f494f24fef1ca1ba47a2a

SHA1
315b88214b90de00bc04f7e6529a7c51771515bb

SHA256
9454afd77a47cfbef0f5a00fbee0424f196750f82b59a462cc2baa0a7a8e332d

SHA512
725b9efea8192089d4fa2bfeecdca850d7e69be89f39ad632d9731a399ec33ad5322dfc0994e5d55e1a44673672da11fc5e591b9351870723a144cc0346e4711

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
224KB

MD5
ef49306d61f64eb3a7808252da388b72

SHA1
2ea980cb1a5fa85a143809334d379511109f10ed

SHA256
46e97654c677dd3026b5e6ec5ca0e7cbd3150c52b126ab8119473591218f35ec

SHA512
a8440cc5e0f47c027059190a1e999104d25bbda4df5a31d57045b82fa6a26a993d21e6d0792e8e6bae80b88c04cb8b46248bf656368905e848002ceaf5f64d51

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
224KB

MD5
f9ceb1a6760fc83980d664c72e4bc9a0

SHA1
10b0be0552a7c7ede399c475123c683204864d24

SHA256
0d1fcf42aa7691b014e7b3262575a0a419686d8f8f7dc087ac8d2b6e774b0d90

SHA512
3e483bafdb93cc0c810c75a13cf6d93fba719fdc20b91ab06776683a470b94f905434d4b99008337e5c6df5ba48935bb2fea1ea0b475324acd901b28e9e48baa

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
224KB

MD5
86af68595e381cdbadeb332014d470d6

SHA1
5101483921d088bf1655307e4b9bd03d9125197d

SHA256
69ca3572ce3398fd7d517ecf446a931c9461f0f1849aac4528d029baee23b7f9

SHA512
ad5d722509696de512e0d129a38adb1a6cad94bc2e2c7c3ca13498c405a3da8e3d265a71060f9ab06d0eaf47596a8c1697b3373144901b9b1adb6f491e5d1e17

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
224KB

MD5
062b7a70c8f060cce0c7f5ca1ab3241d

SHA1
35ade61b5cafb2d1802183e130b5e9e760a825f1

SHA256
a05b00976277777f8a94b88ba2dc063ca90fcd3a1ed0d9df0aa06dbc4b61d96e

SHA512
ad20d78a9f7316c807eac0b053a15c0f5231e3a848859da351c08cb57b242224a135fa17abb7e597dcb519ed7cf8537af2ccf686d77ccb1d791fe1990b2cc4b5

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
224KB

MD5
42e35e23baf16f96dddcdea39eaf0e86

SHA1
e2b4e2b30aef3f20c79ee7d1580cd163586165aa

SHA256
b68764b1a94834ed232ca8d10580582b77e7f28b66eea07f99d125d7b56fd680

SHA512
4114218ea816676adce3277015dc3b52c339fe4af5335e833e350902d0c8ddc053d228522ef538ba6d9e8a1804961043ee720d8804e8bab8ff07f4730192eded

Download Submit
memory/636-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/680-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1808-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3312-84-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3660-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3660-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3788-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3788-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4104-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads