berbew | 2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9d

Analysis

max time kernel
92s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
Size

165KB
MD5

ac8701bc3ff91b372baa7b95d9d3d8f0
SHA1

17e6722f9d26f562a7a7f052bf635f3662911820
SHA256

2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9d
SHA512

b4a76d2bb2bbc577968d5622598b02160dfb60f8e7ad25d1b25c8d88621117c8cce8cfd158dcd9d2bc5c11222074e5c4ebb62534bbe6c819e6c61d10962ece62
SSDEEP

3072:uz1vzEgBgBwgMnsrT3vQfEdArGzHq+egM5bylnO/hZP:uz1vAobghrbQMdArGzHregqgnO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 20 IoCs

pid	Process
3948	Cfmajipb.exe
1236	Cdabcm32.exe
1940	Cfpnph32.exe
4388	Cnffqf32.exe
3112	Ceqnmpfo.exe
2796	Chokikeb.exe
4188	Cjmgfgdf.exe
2164	Cmlcbbcj.exe
4264	Cdhhdlid.exe
3304	Cjbpaf32.exe
2340	Ddjejl32.exe
756	Dopigd32.exe
740	Dfknkg32.exe
3344	Daqbip32.exe
1848	Dhkjej32.exe
4076	Dmgbnq32.exe
2556	Dhmgki32.exe
4968	Dogogcpo.exe
1552	Dknpmdfc.exe
5064	Dmllipeg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3756	5064	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dogogcpo.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 3948	1732	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe	83
PID 1732 wrote to memory of 3948	1732	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe	83
PID 1732 wrote to memory of 3948	1732	2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe	83
PID 3948 wrote to memory of 1236	3948	Cfmajipb.exe	84
PID 3948 wrote to memory of 1236	3948	Cfmajipb.exe	84
PID 3948 wrote to memory of 1236	3948	Cfmajipb.exe	84
PID 1236 wrote to memory of 1940	1236	Cdabcm32.exe	85
PID 1236 wrote to memory of 1940	1236	Cdabcm32.exe	85
PID 1236 wrote to memory of 1940	1236	Cdabcm32.exe	85
PID 1940 wrote to memory of 4388	1940	Cfpnph32.exe	86
PID 1940 wrote to memory of 4388	1940	Cfpnph32.exe	86
PID 1940 wrote to memory of 4388	1940	Cfpnph32.exe	86
PID 4388 wrote to memory of 3112	4388	Cnffqf32.exe	87
PID 4388 wrote to memory of 3112	4388	Cnffqf32.exe	87
PID 4388 wrote to memory of 3112	4388	Cnffqf32.exe	87
PID 3112 wrote to memory of 2796	3112	Ceqnmpfo.exe	88
PID 3112 wrote to memory of 2796	3112	Ceqnmpfo.exe	88
PID 3112 wrote to memory of 2796	3112	Ceqnmpfo.exe	88
PID 2796 wrote to memory of 4188	2796	Chokikeb.exe	89
PID 2796 wrote to memory of 4188	2796	Chokikeb.exe	89
PID 2796 wrote to memory of 4188	2796	Chokikeb.exe	89
PID 4188 wrote to memory of 2164	4188	Cjmgfgdf.exe	90
PID 4188 wrote to memory of 2164	4188	Cjmgfgdf.exe	90
PID 4188 wrote to memory of 2164	4188	Cjmgfgdf.exe	90
PID 2164 wrote to memory of 4264	2164	Cmlcbbcj.exe	91
PID 2164 wrote to memory of 4264	2164	Cmlcbbcj.exe	91
PID 2164 wrote to memory of 4264	2164	Cmlcbbcj.exe	91
PID 4264 wrote to memory of 3304	4264	Cdhhdlid.exe	92
PID 4264 wrote to memory of 3304	4264	Cdhhdlid.exe	92
PID 4264 wrote to memory of 3304	4264	Cdhhdlid.exe	92
PID 3304 wrote to memory of 2340	3304	Cjbpaf32.exe	93
PID 3304 wrote to memory of 2340	3304	Cjbpaf32.exe	93
PID 3304 wrote to memory of 2340	3304	Cjbpaf32.exe	93
PID 2340 wrote to memory of 756	2340	Ddjejl32.exe	94
PID 2340 wrote to memory of 756	2340	Ddjejl32.exe	94
PID 2340 wrote to memory of 756	2340	Ddjejl32.exe	94
PID 756 wrote to memory of 740	756	Dopigd32.exe	95
PID 756 wrote to memory of 740	756	Dopigd32.exe	95
PID 756 wrote to memory of 740	756	Dopigd32.exe	95
PID 740 wrote to memory of 3344	740	Dfknkg32.exe	96
PID 740 wrote to memory of 3344	740	Dfknkg32.exe	96
PID 740 wrote to memory of 3344	740	Dfknkg32.exe	96
PID 3344 wrote to memory of 1848	3344	Daqbip32.exe	97
PID 3344 wrote to memory of 1848	3344	Daqbip32.exe	97
PID 3344 wrote to memory of 1848	3344	Daqbip32.exe	97
PID 1848 wrote to memory of 4076	1848	Dhkjej32.exe	98
PID 1848 wrote to memory of 4076	1848	Dhkjej32.exe	98
PID 1848 wrote to memory of 4076	1848	Dhkjej32.exe	98
PID 4076 wrote to memory of 2556	4076	Dmgbnq32.exe	99
PID 4076 wrote to memory of 2556	4076	Dmgbnq32.exe	99
PID 4076 wrote to memory of 2556	4076	Dmgbnq32.exe	99
PID 2556 wrote to memory of 4968	2556	Dhmgki32.exe	100
PID 2556 wrote to memory of 4968	2556	Dhmgki32.exe	100
PID 2556 wrote to memory of 4968	2556	Dhmgki32.exe	100
PID 4968 wrote to memory of 1552	4968	Dogogcpo.exe	102
PID 4968 wrote to memory of 1552	4968	Dogogcpo.exe	102
PID 4968 wrote to memory of 1552	4968	Dogogcpo.exe	102
PID 1552 wrote to memory of 5064	1552	Dknpmdfc.exe	103
PID 1552 wrote to memory of 5064	1552	Dknpmdfc.exe	103
PID 1552 wrote to memory of 5064	1552	Dknpmdfc.exe	103

C:\Users\Admin\AppData\Local\Temp\2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe
"C:\Users\Admin\AppData\Local\Temp\2d9516279d6a6d06cb5f696a4cb6c389024dad9d32774da647dab24251031d9dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\Cfmajipb.exe
  C:\Windows\system32\Cfmajipb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\Cdabcm32.exe
    C:\Windows\system32\Cdabcm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\SysWOW64\Cfpnph32.exe
      C:\Windows\system32\Cfpnph32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 396
        22⤵
        Program crash
        
        PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5064 -ip 5064
1⤵
PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
165KB

MD5
b347d2d1ffd3727fa1d6c7514d10f3a2

SHA1
e43aec525b982fbeb85e308beb0fd05347cace41

SHA256
750afeab6c07e87f8ca6176c9222157393da5cde43225f6f5458d7ade364cea7

SHA512
c28f5c94a10dfcba75bdeb523b3b36297d54ec7c7fd3648d6e3f22e4efd0e148a0ecb15acaebf03c8e5e33a71ad3e59d377e08d8c2da99875f6726e3daf49353

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
165KB

MD5
997bc42e28e36ebe67cff18865a9b3df

SHA1
09f2b0512365740b6a6ecaf1dad1e9d14cb59abb

SHA256
9090ca67478f3acc4213b1cfa8346983d0ab78459723bc62e94e0ca04858ff16

SHA512
e78233b69acd7c1c34ccd2b11fdad854772cc838e723d63c8e0452dc93b83bd3814e8ddc1db425505f609939b65b608476b83446bf44d2c9ffaa7e21ca454368

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
165KB

MD5
35600659ebce9ef6100304376eb70d77

SHA1
24ac4d7ccec1ed02706c3c273b697da6afd9d823

SHA256
efb593bb5716be755cd8d213d6158ab495e5ca5200cbcd57bfecdfa539c3c890

SHA512
5b902f762deb04dbb16c7c4e1f4dd6b393f4270b2a4634959e34f3c7f9a86a1072e0065035aa6cd5a50cdf731834c33c9cf7a424b6cbfab2038f4a21fe90e94e

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
165KB

MD5
b34190ea93894a3ca3d83af5b87afb95

SHA1
b6873f4f0d428be2c55fb3cfbceec41dba4fba28

SHA256
4dbd9a8a327db788d1191f6d1c517be69957879ef272972c012ded1d51ee1d21

SHA512
14709c2e7df9e5fd5c85fa063e9ab389c82c0d92fdb624524f651f5d58bd18347aeaa326e930459ca4db83549433c9fb7e937238abea3196f135bbaa59795278

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
165KB

MD5
88b3c134c8c8f0b06ee0152fb2ca5c73

SHA1
7042a271e8f5cb6ab7d201998159000bca4144fa

SHA256
71d0cdfb40cdfe38781f8cb60f2cf83f73d1000ecb706458ddc6ec0bc59b0ff9

SHA512
3345feb1ba1803bb59ed41c7b0a1102e5a9893495d68bf6a69d1dfe9ee1bdc7109b782adbbf3aa49e2b5180f775ccd34d0ce42ad1dd82068496bc5702b7ea3b3

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
165KB

MD5
3969c9fc80de65574490a008cdebc1e8

SHA1
80e6e9a40e073be0ce27ac381c45977caa8e0efc

SHA256
48ee5e65628cc98572e5ca626e0cce4adc0e66610869446bf02639b43929b695

SHA512
8d481d9a73f77525035362756b3521f53c60abc25d8ad43ba64c4fb73a31ca5d6ca8560bbc4455c8d74e54844e469d4fbc7b03fcec9ef1ad8fd2589581eac111

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
165KB

MD5
fb6aa78c94cca825584ab3fe2425a982

SHA1
4dbff45ae299fe3a603be9acdd2f7a489c15069d

SHA256
8d2a89bf7b761fb9d1d09e37e7d96917c746173441c50562eca90ce682a3ad72

SHA512
b6d62b89772b4ef54aba7ce3f705a7e84e7304df58638cf2f49ccdd5fc809054e4c81bcc7f2f3218b2600eeeacc837e6d6407f7988c6ff88c8b2949174af894a

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
165KB

MD5
63a307a4921160da73305bc186b7b85d

SHA1
00285a6088be8b3b1538fadf207819c4e4f6d352

SHA256
32e6d6e12d566b2f8f4f2729f0595164230d13675d2995c606253ba597b905cd

SHA512
c4311ebc2a930a5c2a24008e44a08b375b94f1ed9944cca4cbc38f7f2757da390bd3d63ab0e1f38e52cc593383792255a1364155f2e829a9945fea7127ea7610

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
165KB

MD5
7346109d0493abe87cf674249e422d02

SHA1
daa8047d6f876ca204e42e06e566f0a3673c49ba

SHA256
0515546e8322c43a0cde6f18422f25e7efda2232c72f9bf602194e0bff27053e

SHA512
1d9beb50495da693acb34f78a8f7ba55cd1a71c66d2121c7dbce56880018c5f975b7b1f4ff399493ed23223417bbd0b6d4816d56f22159d06a3356c8c925eff5

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
165KB

MD5
9e8cfb6dfae13c459ee60d8f7fd497b2

SHA1
23b9dbfd4ffaae689c3b1bbe888d0e56b5d2a832

SHA256
e7daa2bf258438006398beaf9fcf7dc29a2b456c2cbf5d69658f205367f31574

SHA512
32acc89fa13ee12b8dcf252cd170e78fe4e58ddea5c3e4dfa36a0ae177b8c6d437585bdd1052f13489cd3710673ac94ab0fc9c97606c7151ad7970e160ed836f

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
165KB

MD5
48e40022d9f9364acb7a9218140419c0

SHA1
afa4682c94b8429606f53e03b684d1800db53160

SHA256
5938424076709c005520c52bc04a08124f004d39fcd3349f502e6edbf738236b

SHA512
d56b71306e6dfbafbb1ddac3622a3e316d4a8f8ef7cc3b4fb49226c52766fd6fa7423cceb880633da379a59c04f31aef2104099e836703f44da2da649cb99d89

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
165KB

MD5
617cabd750abd8d16f1be516d632a047

SHA1
61eec65d934c83c2d57f0e708e888759ee40fc07

SHA256
16e6e84bee84b205a2552ac52a9fbd2de597798666a4ac96ced6c6ad880b9ae2

SHA512
23c291c4a4a7fc5e1eb6c7fec92e169dd3144b4cc9c7f0f188e32d6425db017264bc1b927d222494b2c99629b197e41f1d9eb51151ef99066cebf4fba601c7b3

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
165KB

MD5
5f0d63f3676d588a8e821a36a462800a

SHA1
a3406ebddac4f991bea67ef5d203ac961b773172

SHA256
889fa2147dbea382c7bed7a9d1c139de12a500086a62476069fff782ba770393

SHA512
e55d4f47316b12b7913c4b40d94c9bcba73cc88d10de7cf85acda15991c1d2b59f322d5a08fb8b2c62f46b4bc5cd5b2b4f316f9dd090dd50c8033323209580ca

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
165KB

MD5
4ec8ec943b6531ac0d2175b76515753a

SHA1
e6f9b94cdc8a5f7a39eee082acb26ecbde77cef5

SHA256
f792c49868a29299aa982d8d5289edab1314bced10573d78fbf503f2aea99907

SHA512
422fc383025cd0e8cc56fae860515d5c1ad0d41a6403c01611bf7ffedd1c01221f3fc388ed66609a05ebe8e2726e98cb3c8d096380b7d9974364818df1f36db0

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
165KB

MD5
7b7e738583ed6210cf52dd85354882cf

SHA1
592eef7700852aebce10109d5ed8bd4e627374b5

SHA256
ced7ee9026c4c3767e70ea39a94021a14df0552c948353802e558bf157c1f1a6

SHA512
b70a26462ec86d6e0d8b18093ebe7fb2a20f80a0cbc2ada6281be549f34e7effea816a0d89dd4e20ac5703e71badd283db6bed3970336ea30cd4e5b4bb65eaca

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
165KB

MD5
6f0be0b12b8991cf3d48f119068cf68c

SHA1
4e3705f3884fbb3b8a215f918fc2b9b4f92b799a

SHA256
ad06f82d662d2cc07104ac4eb9f759462c7275f2e038ff4884c321def4eab396

SHA512
13b2aa2046e374180a10683ce973a65cd3845ff58f4d342c74a4e2f24e52ea4b5d52ea8c7ab9fac44020488700890de2468279b1057bbafd63e3b6f7c99c7b3b

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
165KB

MD5
005cc46dc26684274bbf7178ef1a1bdf

SHA1
752e1dc3a68a10c55e1322651171bfca52f56a2a

SHA256
803ff64053dfca0151cb3beab2d3f01a468a9e05c9db4522451ca91b6f64ab49

SHA512
95e3e685f08f57f6c093f6178bb0576cecd91061300cb3eb893ba638edb4df1ae7376bc562c1042be4d3a969c1e6628744097ed63b2a11a49a47fbd6b07cac74

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
165KB

MD5
0da7c0d995fd5fd2ab573ca93bd320b6

SHA1
c300829270b56acb4241602feb81d3f0975c8419

SHA256
5b51e1b31fa3997ab662e5f63dceb01ce54fb3042349eafa9a24b659697deae0

SHA512
9f6bc8b46c29028f34a7032bf81ca55e7f8dbbc322f0c4e519e156093adb560f262637ff3b9c20571664edbd1be2f395bf67f31d61886972bb9451ae5cf4f577

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
165KB

MD5
1ab4f93c368409037a7a3fa4128df92b

SHA1
333b32a59405177efa9b8dadcf94dac916a595e2

SHA256
13791ccd5ab14737d4b10a746a750d2409d9383b4d4ed8d6c1bf8fcd73231a1c

SHA512
96d66c62621bcaeece19213a3eb6ea5b76f0fc64813b29d89fab2eb6c6ecb9f7a28407e10e0cff0ddcef6c15349a60cbad1a1bd24ce1b5e3f7bd1eaa78c8a3a4

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
165KB

MD5
fcbc0a0666c2596f37358c6f2cc36685

SHA1
3945004ea9a6af93ea8b5de6a16ef8085e8fc03a

SHA256
f74cf805f10f72afb1ec21d2a63004417dc2b94fcf7ce4d3860896dbd92ec136

SHA512
2231ccaf4340980a959c6ecdd2d101343c9e0657a90db88ee85497771b16ee9c90e3dd69e2add3f5a2102b2f2affd6b5a40db6c2df07b9b577e8f6672c1708bf

Download Submit
memory/740-103-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/740-178-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/756-177-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/756-95-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1236-198-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1236-21-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1552-164-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1552-152-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1732-202-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1732-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1732-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1848-120-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1848-172-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1940-196-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1940-29-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2164-186-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2164-63-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2340-87-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2340-180-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2556-167-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2556-136-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2796-190-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2796-49-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3112-41-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3112-192-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3304-182-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3304-80-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3344-176-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3344-115-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3948-200-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3948-9-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4076-127-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4076-170-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4188-188-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4264-184-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4264-72-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4388-194-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4388-33-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4968-169-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4968-144-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5064-163-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5064-160-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads