berbew | 592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132

Analysis

max time kernel
93s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
Size

96KB
MD5

be7f2bcdc3cf316a8c355a75857ee484
SHA1

5fb80286686e9c3fd5f30015e6f345ea74279181
SHA256

592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132
SHA512

bccfd98209e2be938e5a5a404dd208711ebd05019834bc8fea86de208b26808ee9997d7eb6959233a853b7da2a8b1946a056c80342ed95dc3af72e5751d201fd
SSDEEP

1536:4sV37OhpenxzNt5Pm6fQlhL2n3lKiMJxP18SduV9jojTIvjrH:wsFx1YlhylKv18Sd69jc0vf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 20 IoCs

pid	Process
1352	Cfpnph32.exe
2132	Cmiflbel.exe
3576	Ceqnmpfo.exe
1424	Chokikeb.exe
1832	Cagobalc.exe
4824	Cfdhkhjj.exe
3876	Cajlhqjp.exe
3724	Chcddk32.exe
800	Cmqmma32.exe
2432	Dhfajjoj.exe
4152	Dmcibama.exe
520	Ddmaok32.exe
1952	Dobfld32.exe
4472	Ddonekbl.exe
4912	Dkifae32.exe
4492	Daconoae.exe
2248	Dhmgki32.exe
2668	Dmjocp32.exe
4988	Dgbdlf32.exe
4104	Dmllipeg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4760	4104	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 1352	4316	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe	83
PID 4316 wrote to memory of 1352	4316	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe	83
PID 4316 wrote to memory of 1352	4316	592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe	83
PID 1352 wrote to memory of 2132	1352	Cfpnph32.exe	84
PID 1352 wrote to memory of 2132	1352	Cfpnph32.exe	84
PID 1352 wrote to memory of 2132	1352	Cfpnph32.exe	84
PID 2132 wrote to memory of 3576	2132	Cmiflbel.exe	85
PID 2132 wrote to memory of 3576	2132	Cmiflbel.exe	85
PID 2132 wrote to memory of 3576	2132	Cmiflbel.exe	85
PID 3576 wrote to memory of 1424	3576	Ceqnmpfo.exe	86
PID 3576 wrote to memory of 1424	3576	Ceqnmpfo.exe	86
PID 3576 wrote to memory of 1424	3576	Ceqnmpfo.exe	86
PID 1424 wrote to memory of 1832	1424	Chokikeb.exe	87
PID 1424 wrote to memory of 1832	1424	Chokikeb.exe	87
PID 1424 wrote to memory of 1832	1424	Chokikeb.exe	87
PID 1832 wrote to memory of 4824	1832	Cagobalc.exe	88
PID 1832 wrote to memory of 4824	1832	Cagobalc.exe	88
PID 1832 wrote to memory of 4824	1832	Cagobalc.exe	88
PID 4824 wrote to memory of 3876	4824	Cfdhkhjj.exe	89
PID 4824 wrote to memory of 3876	4824	Cfdhkhjj.exe	89
PID 4824 wrote to memory of 3876	4824	Cfdhkhjj.exe	89
PID 3876 wrote to memory of 3724	3876	Cajlhqjp.exe	90
PID 3876 wrote to memory of 3724	3876	Cajlhqjp.exe	90
PID 3876 wrote to memory of 3724	3876	Cajlhqjp.exe	90
PID 3724 wrote to memory of 800	3724	Chcddk32.exe	91
PID 3724 wrote to memory of 800	3724	Chcddk32.exe	91
PID 3724 wrote to memory of 800	3724	Chcddk32.exe	91
PID 800 wrote to memory of 2432	800	Cmqmma32.exe	92
PID 800 wrote to memory of 2432	800	Cmqmma32.exe	92
PID 800 wrote to memory of 2432	800	Cmqmma32.exe	92
PID 2432 wrote to memory of 4152	2432	Dhfajjoj.exe	93
PID 2432 wrote to memory of 4152	2432	Dhfajjoj.exe	93
PID 2432 wrote to memory of 4152	2432	Dhfajjoj.exe	93
PID 4152 wrote to memory of 520	4152	Dmcibama.exe	94
PID 4152 wrote to memory of 520	4152	Dmcibama.exe	94
PID 4152 wrote to memory of 520	4152	Dmcibama.exe	94
PID 520 wrote to memory of 1952	520	Ddmaok32.exe	95
PID 520 wrote to memory of 1952	520	Ddmaok32.exe	95
PID 520 wrote to memory of 1952	520	Ddmaok32.exe	95
PID 1952 wrote to memory of 4472	1952	Dobfld32.exe	96
PID 1952 wrote to memory of 4472	1952	Dobfld32.exe	96
PID 1952 wrote to memory of 4472	1952	Dobfld32.exe	96
PID 4472 wrote to memory of 4912	4472	Ddonekbl.exe	97
PID 4472 wrote to memory of 4912	4472	Ddonekbl.exe	97
PID 4472 wrote to memory of 4912	4472	Ddonekbl.exe	97
PID 4912 wrote to memory of 4492	4912	Dkifae32.exe	98
PID 4912 wrote to memory of 4492	4912	Dkifae32.exe	98
PID 4912 wrote to memory of 4492	4912	Dkifae32.exe	98
PID 4492 wrote to memory of 2248	4492	Daconoae.exe	99
PID 4492 wrote to memory of 2248	4492	Daconoae.exe	99
PID 4492 wrote to memory of 2248	4492	Daconoae.exe	99
PID 2248 wrote to memory of 2668	2248	Dhmgki32.exe	100
PID 2248 wrote to memory of 2668	2248	Dhmgki32.exe	100
PID 2248 wrote to memory of 2668	2248	Dhmgki32.exe	100
PID 2668 wrote to memory of 4988	2668	Dmjocp32.exe	101
PID 2668 wrote to memory of 4988	2668	Dmjocp32.exe	101
PID 2668 wrote to memory of 4988	2668	Dmjocp32.exe	101
PID 4988 wrote to memory of 4104	4988	Dgbdlf32.exe	102
PID 4988 wrote to memory of 4104	4988	Dgbdlf32.exe	102
PID 4988 wrote to memory of 4104	4988	Dgbdlf32.exe	102

C:\Users\Admin\AppData\Local\Temp\592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe
"C:\Users\Admin\AppData\Local\Temp\592858f5aba53b3d53905dd3cf6691b6f93a107ee9c3c6da077e42662c215132.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\Cfpnph32.exe
  C:\Windows\system32\Cfpnph32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\Cmiflbel.exe
    C:\Windows\system32\Cmiflbel.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\Ceqnmpfo.exe
      C:\Windows\system32\Ceqnmpfo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 408
        22⤵
        Program crash
        
        PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4104 -ip 4104
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
96KB

MD5
137d7fd0bee11888df6f3e1600ee2208

SHA1
c5f6c0f56be91e5cfbfed181e0d02c9381825d38

SHA256
e7d2c4908aa5c59163ecd37e2a011c4554b15d476389c699d041723e3dcf5dd2

SHA512
3779150dd0e79e1ace248791b2671b8cd2abb7be714d0035206831575e1f9d291994462a4ac5d7656546c3205b0936172d4e7304687292f7f417472205beb261

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
1ffe73ee4a1cc6bc5eefe725fea59699

SHA1
62c8af39d50c63d570198c0b536aaacdc2bb43ec

SHA256
0fadba7d1dee8e492a343bb746996cb73dea85d17056568ebf3faac8daaa5f44

SHA512
3162c52dcec22367bedf95cdb07a11b29052a7114c3fa958cd91b91dccdf126b3646941b6f23457b2017a96ba3fd8bf38b2d299f076854117b8665ca1714f342

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
58d8125c70e6acaaa723478000f299de

SHA1
7f2915d58b15c97237867a66f9cfb442a0c1e56c

SHA256
ccfd7adc8aeef898c201a3fff7311a55d52c250d4ab4432cc76ec49e9769f4a1

SHA512
b2ab707504986df982508208aab43eb3b26d0b094aefc0517fa20ab3728e34bb757fc3e574540c6090b8c4e918e4e9b68803a8e9a17e3e61ffa63f5775481c34

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
96KB

MD5
b0c79bf66877e9ed1579f10f406e3768

SHA1
85cf1c9d1c72b89918012f91ef52484782b350b6

SHA256
ac4a8a6f530194b4fa7b8b7f80452d2abc4febd482c150db139b4fcc6409e2d3

SHA512
8276e5848ed77924b6dd4e14f0dc652406387bd6c5342e80362908432f733cfbb497f055699725e7580b33b52817f5585458e513d30aa30e24e3f6d207572672

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
570b82507bf35c3d6441dcec288ea914

SHA1
013620b162690064988532274fe50fd7f646d15f

SHA256
65dab3f1138056e9f188818b2d0cafb89e8232a505673fc414d4a43825a1a6dc

SHA512
316826fd2fdc9f5122268b970779a60a0d4caadec2315428ba986d785d907404255aa8055109438acd7e81be7cd72cfcb359b2c0949208581be16441a2d467f6

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
78525d3bf818be1e76ea526822bd0921

SHA1
513bdb42e9d2cd74132ef0157adff31d4ddd3e1d

SHA256
1927e81401dc00f736dff67dc0788f55b43221ddad44f751534a93b25220a7e3

SHA512
f0ff6205a057a2b82b25fbdfaf2284cc69c976277b3870c8366eb7c77222f2d5f8ead32279517a38f4045c60ff7950890b01997f60706e0bc69350c327954cad

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
b45a9ae3e4eeb7593d8e8adec89c0433

SHA1
b673d93ddc2dfb2773089e66b4cf04edcde7ae43

SHA256
3d2d81ab401c6513eb50dc5c34a051928d6fea37bbca0df1f939e031131a9d75

SHA512
9556ee75f6ffa143d4812ead1c955983bb1f2731ffc760e089f101be18be73f9c56f34b3d84acf794665930e68f92a344e037c1aa3f6dcff7f21d80c6b02ad72

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
0f83a1a0cc641c04795d72669e2f7e40

SHA1
1105bf15f970e644f442c77e18328fbe66055849

SHA256
1242d732c5e8b584922f8acd1c1adb97d462980156dc5b1088f2c065f6183721

SHA512
9a72246a54758f2f0b0980986b963b42d698808d4d42047e77e68665b4131a9234e51e7914b29ab029f5bcf3177bc8924cf3df4c8748ec80a9e1c57dde96f013

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
65b78a76485bee3e95bafe9927bfe652

SHA1
79d708d43d86a917ad9d4b4fce4133735a86fad4

SHA256
41c580ec0fbbb5a033e2ec2f2b7163600069b33a4204f4738e9f4b334bb98f29

SHA512
033ce71b1587d626fb3179527f91303fdc3f792000147c79e4c4b57b588bd81bc754e2c24f291c65ef404cc7a9b3b64ba6b003f2b6a47d53806dda5f6286d469

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
a016385907dc9a51982185e388c2e359

SHA1
7b9bc3dcb648e4b94f362ac20bcf803de758f156

SHA256
30ac29d4b85aa1c05be2c076e32acb8dca07a359c382b7219869b4bd71717a01

SHA512
586aa9af0e22cbd7795344405d6bea1445b64556480cb6ec20c85921094a0b79167d1fa649870ee1d084ef7ceeb2d366afc643768b4e62ec915a8c671057eebf

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
5ea5079882a28318d799828db2b4b337

SHA1
e436b8ee9c4c3fc1bf0a8d04fa06c59febe25a23

SHA256
470a5d49025e087a9b662212dcbb28332f580fa5f2ac470831f3cd7d3ba30aba

SHA512
c82358bd5d328baceee212651b253af337e5c3144837c28a2b7e6313b3c0b737f52304de5b3ae8930f3e369839e4ab79f5b1d094ba1748080da212c65579faa4

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
fde732fe0989bdb512d47f1ec6491f6b

SHA1
3c11d27cad6f9fc7f7743267d2eb3017dfdfbd0b

SHA256
a4b9652514ed1556b189a3e75671ae7b0b6cca732c8ca668a535c1780261c1b5

SHA512
8a1ff25b6908c40082f59f76352334d7a860e00a07c931668a46d4de5c4a0d63a63f7fe75f16e0601fc359df4830b76994df44c1178b1c07ab14897d1d6e9645

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
ca0b572282b29f4b64be9cd97cb16ca3

SHA1
265fb55570c3182bbbf1431e52b38f7d706c0f8a

SHA256
5082015e65ecef7f05e907d6bf5b942782123febd1d252255fa2258a0051cbfb

SHA512
65c6f7f0168964028582c8d02ef6196bd609d1bec662ca37103173643d3b0a5445eeaf524b4b2e3ed53c294103f8132519d260d23b72839692cf5b6dfcedb2ec

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
d03fe8fa9385fe8c6c26079927878be5

SHA1
6c188339201f20f28ca49e3d88dee9f92f1dbaaf

SHA256
a6472328205e967e803963527dc85de8b5d8e24363e11f1ac8a2a42bf424dfe8

SHA512
59bdcb577250a678afcffacfddd6cef6ae192857e893831be00bdfc0ea9beed09d1bcd3f79c435a1ca57fae3b2231f0a4406a44b05cddce14c08a3d0225fce0e

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
5fd2c012af25d5e8645238a79821629d

SHA1
f754b4a9be3f70630f0d65f1a78b8543b8db810f

SHA256
900d9631bb279f6c990e00ed4370f44e71026c0ded9970ddd37ac57bae4ec2c9

SHA512
4acfb65928333c17680da1fbd349e6047aea97b82066d5856e3b001614cb9461e6b85df519b426129b18f7e04d6499242e764f01b2acf64ab9c3b0b45abe49e7

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
96KB

MD5
a29ed35f3e97ad7a6f5d00c113f4d1d3

SHA1
c743065cc80b923f0e2af5806d234a884ca8f119

SHA256
8ca7b42424e92ec0518d5a9ec101af9edfb1896f81bdccf5db0a8372e049c13a

SHA512
a1fd55a13e04860d99a1fb88a59c9a56a0df5c0cb6dd3246f645b5a4965e1a47d81d7b5f40502c252493bb23a44df1a4721f082b252f7e58a2dd26633d843f51

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
4b0626fb7b3cc13eff4cccc0fd2305ca

SHA1
fd55030cf2795fd74de00974116e71b1dbb6df6c

SHA256
fac139da5bc43879923ce30ff90915a7af1f9bb329fe818e43e7e11d50264372

SHA512
e0f4beca10eec646319bbcff8136f68cb54062da217cdaec126db982943ccb6ea93168593f8df604cd5cf329303ad713e94a9ed908c214220001388ceb5af900

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
96KB

MD5
0ef726b8ac947dbd07b563a45f24d35e

SHA1
61796c108363c06de8a91f6e63bbfb1f911dbdb4

SHA256
14d2b799b1682b895c546fc8af1dedea197b7ee3e6d49c923e28ff9d31659b23

SHA512
d4d6d0ba3ed35ce41dfe929372c030c051a8c5888580aa889b495c2b1c2a9db9b254fe8c6cd30ee627ead9bacd13b31de2b449d48b2fdc8353e695819ff23bc7

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
71bc5cd273bfda57986ee9b291f3e643

SHA1
aa1253dbd32278547017c169cb8fc283566267ec

SHA256
1c387093265d5184d4d872b53e5a37c97d678afa27a2ad1e30a0e355bf015eaf

SHA512
955cc3f4ce1c6c9c4565fcadebd5201f3ae7fa907aec3daf23a19d000be128e852aac00b90f74595fda7c6771d86e450621dffabc39e73fe0582a1f172dd297c

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
96KB

MD5
32b3c8718fcc75185fdfb68706950d93

SHA1
15884943cfcaf8cbc18614d11bb4c8759304d94f

SHA256
d6e0cb1479489e583e61e8eee2cd4ad9e4b135367867f6cd2bba9a9603c1b083

SHA512
e20605666a52b38033468e9046692f365242e28a4402ab0b505d1d9e121ab644cfa18741d4f39bb1136517a5de527351fd9ed94f6accf9344afccc62ebea54de

Download Submit
C:\Windows\SysWOW64\Echdno32.dll

Filesize
7KB

MD5
910c4237b962005e935568bb869ee1a2

SHA1
07370326764a44abc01c63ead10f6ea912db1be9

SHA256
ed56c19d1955133773e9e2794a5e71d4b4b5748945029e6b300196ab16403667

SHA512
d67dfb058ab228f1305ea8bf8303b2da307118036d94abd8ac19f48361e020bda6bac94b2f85232927bd94447f2bd8a0a60444fa6b20667a297b2a4a2cb77486

Download Submit
memory/520-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/520-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/800-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/800-171-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1352-179-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1352-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1424-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1424-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-166-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-178-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2248-163-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2248-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-162-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3576-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3576-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3724-172-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3724-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3876-173-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3876-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4104-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4104-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4152-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4152-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4316-180-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4316-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4472-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4472-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-164-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-174-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-165-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4988-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads