berbew | cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Size

93KB
MD5

ce22144f92af71f8c487e6a5fb6a6eed
SHA1

dec5ec7c57d5dd7f64c6b6461d8580ce433e2a62
SHA256

cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b
SHA512

14699699f21f3c5b0663f17a74b2b7ef7abf821f6fc7f048da61e9efd588e5618d0b0b4cfd92107d3834957c649337cac64b156c445e54ca74069a90a5733adb
SSDEEP

1536:u5E7AGB6omjcx2ig2GrzuCNf8O7GnL3qYYqcsRQtRkRLJzeLD9N0iQGRNQR8RyVP:QEbmjAgtrzucDCL3JetSJdEN0s4WE+3e

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cmgjgcgo.exeChokikeb.exeDfiafg32.exeDmgbnq32.exeDdjejl32.exeDdakjkqi.exeDhmgki32.exeCdfkolkf.exeCjbpaf32.exeDelnin32.exeDknpmdfc.exececc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exeBcoenmao.exeDddhpjof.exeCeqnmpfo.exeCfdhkhjj.exeCfpnph32.exeCajlhqjp.exeCdabcm32.exeCmlcbbcj.exeDhhnpjmh.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 21 IoCs

Processes:

Bcoenmao.exeCmgjgcgo.exeCdabcm32.exeCfpnph32.exeCeqnmpfo.exeChokikeb.exeCmlcbbcj.exeCdfkolkf.exeCfdhkhjj.exeCajlhqjp.exeCjbpaf32.exeDdjejl32.exeDfiafg32.exeDhhnpjmh.exeDelnin32.exeDmgbnq32.exeDdakjkqi.exeDhmgki32.exeDddhpjof.exeDknpmdfc.exeDmllipeg.exe

pid	Process
2912	Bcoenmao.exe
2700	Cmgjgcgo.exe
2148	Cdabcm32.exe
3700	Cfpnph32.exe
1472	Ceqnmpfo.exe
4476	Chokikeb.exe
2408	Cmlcbbcj.exe
1112	Cdfkolkf.exe
3296	Cfdhkhjj.exe
1896	Cajlhqjp.exe
2680	Cjbpaf32.exe
3396	Ddjejl32.exe
4580	Dfiafg32.exe
3992	Dhhnpjmh.exe
3748	Delnin32.exe
3744	Dmgbnq32.exe
1104	Ddakjkqi.exe
1300	Dhmgki32.exe
3824	Dddhpjof.exe
3980	Dknpmdfc.exe
5072	Dmllipeg.exe

Drops file in System32 directory 63 IoCs

Processes:

Chokikeb.exeCjbpaf32.exeDmgbnq32.exeDknpmdfc.exeCmgjgcgo.exeCfpnph32.exeDhhnpjmh.exeDdakjkqi.exeCdabcm32.exeDdjejl32.exeDfiafg32.exeDhmgki32.exececc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exeCfdhkhjj.exeDddhpjof.exeDelnin32.exeCeqnmpfo.exeCajlhqjp.exeBcoenmao.exeCmlcbbcj.exeCdfkolkf.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2388	5072	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Cmgjgcgo.exeDmgbnq32.exeDddhpjof.exeDknpmdfc.exeDmllipeg.exececc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exeCfpnph32.exeCfdhkhjj.exeDdjejl32.exeDhhnpjmh.exeDhmgki32.exeDdakjkqi.exeCdabcm32.exeCeqnmpfo.exeChokikeb.exeCmlcbbcj.exeCjbpaf32.exeDelnin32.exeBcoenmao.exeCdfkolkf.exeCajlhqjp.exeDfiafg32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe

Modifies registry class 64 IoCs

Processes:

Dddhpjof.exeDknpmdfc.exeBcoenmao.exeChokikeb.exeDdjejl32.exeDhhnpjmh.exeDmgbnq32.exeCfpnph32.exeCmlcbbcj.exeDfiafg32.exeDelnin32.exeDdakjkqi.exeCfdhkhjj.exeCajlhqjp.exeCdabcm32.exeCjbpaf32.exeCdfkolkf.exeCeqnmpfo.exececc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exeDhmgki32.exeCmgjgcgo.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exeBcoenmao.exeCmgjgcgo.exeCdabcm32.exeCfpnph32.exeCeqnmpfo.exeChokikeb.exeCmlcbbcj.exeCdfkolkf.exeCfdhkhjj.exeCajlhqjp.exeCjbpaf32.exeDdjejl32.exeDfiafg32.exeDhhnpjmh.exeDelnin32.exeDmgbnq32.exeDdakjkqi.exeDhmgki32.exeDddhpjof.exeDknpmdfc.exe

description	pid	Process	procid_target
PID 1596 wrote to memory of 2912	1596	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe	83
PID 1596 wrote to memory of 2912	1596	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe	83
PID 1596 wrote to memory of 2912	1596	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe	83
PID 2912 wrote to memory of 2700	2912	Bcoenmao.exe	84
PID 2912 wrote to memory of 2700	2912	Bcoenmao.exe	84
PID 2912 wrote to memory of 2700	2912	Bcoenmao.exe	84
PID 2700 wrote to memory of 2148	2700	Cmgjgcgo.exe	85
PID 2700 wrote to memory of 2148	2700	Cmgjgcgo.exe	85
PID 2700 wrote to memory of 2148	2700	Cmgjgcgo.exe	85
PID 2148 wrote to memory of 3700	2148	Cdabcm32.exe	86
PID 2148 wrote to memory of 3700	2148	Cdabcm32.exe	86
PID 2148 wrote to memory of 3700	2148	Cdabcm32.exe	86
PID 3700 wrote to memory of 1472	3700	Cfpnph32.exe	87
PID 3700 wrote to memory of 1472	3700	Cfpnph32.exe	87
PID 3700 wrote to memory of 1472	3700	Cfpnph32.exe	87
PID 1472 wrote to memory of 4476	1472	Ceqnmpfo.exe	88
PID 1472 wrote to memory of 4476	1472	Ceqnmpfo.exe	88
PID 1472 wrote to memory of 4476	1472	Ceqnmpfo.exe	88
PID 4476 wrote to memory of 2408	4476	Chokikeb.exe	89
PID 4476 wrote to memory of 2408	4476	Chokikeb.exe	89
PID 4476 wrote to memory of 2408	4476	Chokikeb.exe	89
PID 2408 wrote to memory of 1112	2408	Cmlcbbcj.exe	90
PID 2408 wrote to memory of 1112	2408	Cmlcbbcj.exe	90
PID 2408 wrote to memory of 1112	2408	Cmlcbbcj.exe	90
PID 1112 wrote to memory of 3296	1112	Cdfkolkf.exe	91
PID 1112 wrote to memory of 3296	1112	Cdfkolkf.exe	91
PID 1112 wrote to memory of 3296	1112	Cdfkolkf.exe	91
PID 3296 wrote to memory of 1896	3296	Cfdhkhjj.exe	92
PID 3296 wrote to memory of 1896	3296	Cfdhkhjj.exe	92
PID 3296 wrote to memory of 1896	3296	Cfdhkhjj.exe	92
PID 1896 wrote to memory of 2680	1896	Cajlhqjp.exe	93
PID 1896 wrote to memory of 2680	1896	Cajlhqjp.exe	93
PID 1896 wrote to memory of 2680	1896	Cajlhqjp.exe	93
PID 2680 wrote to memory of 3396	2680	Cjbpaf32.exe	94
PID 2680 wrote to memory of 3396	2680	Cjbpaf32.exe	94
PID 2680 wrote to memory of 3396	2680	Cjbpaf32.exe	94
PID 3396 wrote to memory of 4580	3396	Ddjejl32.exe	95
PID 3396 wrote to memory of 4580	3396	Ddjejl32.exe	95
PID 3396 wrote to memory of 4580	3396	Ddjejl32.exe	95
PID 4580 wrote to memory of 3992	4580	Dfiafg32.exe	96
PID 4580 wrote to memory of 3992	4580	Dfiafg32.exe	96
PID 4580 wrote to memory of 3992	4580	Dfiafg32.exe	96
PID 3992 wrote to memory of 3748	3992	Dhhnpjmh.exe	97
PID 3992 wrote to memory of 3748	3992	Dhhnpjmh.exe	97
PID 3992 wrote to memory of 3748	3992	Dhhnpjmh.exe	97
PID 3748 wrote to memory of 3744	3748	Delnin32.exe	98
PID 3748 wrote to memory of 3744	3748	Delnin32.exe	98
PID 3748 wrote to memory of 3744	3748	Delnin32.exe	98
PID 3744 wrote to memory of 1104	3744	Dmgbnq32.exe	99
PID 3744 wrote to memory of 1104	3744	Dmgbnq32.exe	99
PID 3744 wrote to memory of 1104	3744	Dmgbnq32.exe	99
PID 1104 wrote to memory of 1300	1104	Ddakjkqi.exe	100
PID 1104 wrote to memory of 1300	1104	Ddakjkqi.exe	100
PID 1104 wrote to memory of 1300	1104	Ddakjkqi.exe	100
PID 1300 wrote to memory of 3824	1300	Dhmgki32.exe	101
PID 1300 wrote to memory of 3824	1300	Dhmgki32.exe	101
PID 1300 wrote to memory of 3824	1300	Dhmgki32.exe	101
PID 3824 wrote to memory of 3980	3824	Dddhpjof.exe	102
PID 3824 wrote to memory of 3980	3824	Dddhpjof.exe	102
PID 3824 wrote to memory of 3980	3824	Dddhpjof.exe	102
PID 3980 wrote to memory of 5072	3980	Dknpmdfc.exe	103
PID 3980 wrote to memory of 5072	3980	Dknpmdfc.exe	103
PID 3980 wrote to memory of 5072	3980	Dknpmdfc.exe	103

C:\Users\Admin\AppData\Local\Temp\cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
"C:\Users\Admin\AppData\Local\Temp\cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\Bcoenmao.exe
  C:\Windows\system32\Bcoenmao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\Cmgjgcgo.exe
    C:\Windows\system32\Cmgjgcgo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\Cdabcm32.exe
      C:\Windows\system32\Cdabcm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
      - C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 408
        23⤵
        Program crash
        
        PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5072 -ip 5072
1⤵
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
93KB

MD5
4c8a1fc3b2d3ac6db4e4e0d97bc055d5

SHA1
8118e30024510f4629458a5cb8545bf5639407cf

SHA256
7b4a0e1b0eb752590dcd533dc66d68344b748d60553c27d04f24616217f92f5a

SHA512
1f12fcaae78cd8a9f46caa2dec606179e61db5bfef58a0c702ed81b2e31018007181d604fbb50867435b9f43856dc7386e4d759e12ba44cb9ac53a23787c73b2

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
93KB

MD5
33f6fd4130e0d53b0556f18769cad7f6

SHA1
0977e8372304a0bc4621e9e7a1db66046cb1d32e

SHA256
bae595011904929a11a744db5dfe8988cb324bfe646014cc4cd5a30fe81e113e

SHA512
6aea3423e81c60b97e413c8dca3433d9e96cb9b506a68d474f512c82743797240ed39eb350457d8ec7a3ce2031b3f4a079e3bfbdf12a580ac5b41c6d25957e40

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
93KB

MD5
6ab1b4bd7afda2afed3a99db2f10f218

SHA1
0bce1f89b917138cd587fd5be913342a6aea0c1b

SHA256
7d37a6ca22a4afe43cb27eccedbe29dce5a88f380ec4656922ab551630640a95

SHA512
9187ab00d65181c3914ad1594c337f254cc0c142e26220e95d313e93986a1800209008e8891e8094a900bc04335866b9c93bdeed213cbb272deb7aae1848facc

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
93KB

MD5
e3691c3e11d7f6789abc0ba2d834efe8

SHA1
cdda2bb78a4824a10a6f86a2d114df50d1035d99

SHA256
1c0290b56af56bfe605e30be1eec2439075d78a331752a974dba29e4caa41510

SHA512
7ca20316c24958a9bbb527915d18184290cfc87bee11b805f760141e76001f749e2f7e2888ef42f97d5db05f248ae9823a496c0df1a9556f444d351b1dc86b6a

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
93KB

MD5
235749ba5eea16072cdab956cfb6e123

SHA1
3fc20b717fbf51d72395923c37a10508bf92109a

SHA256
e603778846566488f199c6e207d2f896a8dd56c51c7556604f732ef97ba2d8c4

SHA512
d53c592e4ede0e2d7138e037db2d592af7173c1447dd87f21db5a287fe5143ff5f292256e7c708518a48f7ac23c08ab024de099272e12c93252f75dfa725853b

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
93KB

MD5
f02b95d9411a5c3934d006ddc3427c77

SHA1
8d50fc3b64e520b78e284a12ecb0f858eb66ca8c

SHA256
33ed8d01f042b0a8ad81f3ebbe3a09a900e762c4ffaceb89c2bbc2f28b242243

SHA512
54b4e8aabc6fd856ed95dcb7aa9fe9cc08411bf140cf566eb8f2e589776c150da93e72702a4767808ded333b9aebbc6797f0c027f7b6ac56ce1e61ec2c46330b

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
93KB

MD5
543765a00705d69cb059947b4a99a0a0

SHA1
e975dd945f1d8a1cae13118becf5b394699d9bed

SHA256
19e940eaae92410a023f057fcc325f63339a938aecabed02f50cf5f3d205f4b4

SHA512
cf45f778c60efb494e75eb6c637d5fd69ca9df4aafeb4b17979e22b93940e608a1d15d182e5913e0cbaffb144f61cc08c9ef443e99019474e7ee006e5678f315

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
93KB

MD5
6abd579daa0caeab732eca955da29b41

SHA1
fd754a16febd53c5d45867e35308a0cd14c4b2e0

SHA256
98b6640a05abe1b990d30832ae32df006e451c1f7091607bb8295399f255f92d

SHA512
e1b804476d426fe685f2d6a4c01de94414f61180d4c757a3200e2de6460f9c29c83d3df3dc1c7d8d1d7af864170b078a961d1aca66c1dcd2288738d46f38e16f

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
93KB

MD5
5e8d9356e267d39e49ce136a990dc077

SHA1
27510b3fd73d7464867e334e5c088a4af63bbe3d

SHA256
6f3e4c8d4e0d255fce21f3255dbb31ca2afb2ff92f9537ca7a7fa7b9225013ca

SHA512
0bea7098fe28d1362ca9034a24397bb1f45e3f1ac345b31fcde214a57b321dffd50e99546305e47a2c6b975890255d456ccb186487f75a1257c5d388c4187287

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
93KB

MD5
33f67d566dd335c93c760acd5d6a50af

SHA1
57e35afe431fb30dc7e5a456593d119e7d7203f1

SHA256
12e2c8645367ea872f8142c0580028332b308810b32b6150911b36203b5a694a

SHA512
6ba1988577484645abceec8c4824a92b435f0a7d5d232297c91f52777bb6a4f0a79b433ad3fddf51dc194be3d1829a992fcd398fa1092355707e4aaf094d76b1

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
93KB

MD5
244cad125439e327a1ac61dcf6a7ea65

SHA1
3ed9ca1371f456e9d485e4e2b66ba01b52ec9960

SHA256
b1902714e1c3d6a7a93500421cf15a99a1d4cf92ab993778ca6f5b82fedd053c

SHA512
0437fb6c0e6b08262fb9a54dc8d19944300ed1a98ea07081136d294f4d93e47c3f9b7c447662b443dc2c6b867650998c00931dab965b3dfdd88aa9e8967b17ea

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
93KB

MD5
42ab45d0b1c9fca35e498acb33fa6fe8

SHA1
2a4d7f417c41280ee83939a72104a0a83422d3a2

SHA256
940b29c349442c3bab02ef2a876dd4751fd92e97d33c469ca6c454560ff28a22

SHA512
61fd284bd4b0622f918ad2bc30af1858d34f96be99c5bf8af30edc853063321dfe6c2599c57d3268c8ec37a5a3f6ec7af9f9c91771fd00926937eee339848c03

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
93KB

MD5
445ac64c2a95ca7a8e7f4861c68ae1fb

SHA1
097c9f712b8d93eeb212ac9ddac6265772003715

SHA256
73d8ff8d1895a2d18db72fcd5ab5624e395e1302faed876fbf8ef16d5fb80c01

SHA512
29313cca3e411b4d201a697afae275bd3bfc83126858fbf56616136c7b0ee2eeb4d5d4dd2c08a7a99a7b757d25e2597d352938cfc336b7db624f6ded45e6aae4

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
93KB

MD5
c3cc7180051a396c7f8875053a47d2b6

SHA1
53b81434eb05d7ae29549bd2f5b6597fe6083be0

SHA256
ec129282b7eb443687991f56fb859efe22a46aa9004c7ca351dc0758199edbb4

SHA512
f87c9a065b51f748a9f2dfd2cde9644f5a95581a17452b38b97ef00f7680ffe3daa4de30b189c9df7e165e13fe0b274812a43916e286d2485dccf779f288d61d

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
93KB

MD5
89ff85df38932075b60d3dc2c4b2d19d

SHA1
33cee70bddc7e6786d52e03bcf04016a662c79e8

SHA256
c0c8de707d84c09c2b35015ca0ba3a69863ce0341176f8fcf4120c99ef174912

SHA512
55882305e34506128ab2e055e070c0d72e878bd1e3baaf23558ae9277f808a89e00e07004148199e528fcca8e4a92d449a5c11bead0b22479b32e38d73dc7b2b

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
93KB

MD5
909ca05a0c8ba92fe56b051d29077947

SHA1
ffd8b269220eee309b26e699850272433dc4d66e

SHA256
8ae43920864841024177d0e6a9c1eab9ed7bdad60ffdb8f10140f44afca7c479

SHA512
e34f943c083b08c1b75c912d632c2e97fef31c54af8dc97bce1ce982655f294ea63e6b352bd2f2a711bdfd74178bbec09599a786cdd659c58f65cd4eb5da1d0c

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
93KB

MD5
e74a0882042e0aebb4aec55a50aebae8

SHA1
9e2f47abab803b2d58fdcdd46e282ed06bc0f50c

SHA256
b4388b0599f01e6d3a7ba3df5316db87a54d4719b5d732033f06f2333d360d27

SHA512
4a3a0a9e144a5dc99f4d2bbd854b15684706eaeb63253c97f9134ff872201ba4a6977403ee7034d920ab37398ff52adb35d5cdea846818c5db5d8cd87c3b03e2

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
93KB

MD5
2ede038b707bb4efc81d3fde66c95f1f

SHA1
c396ea4286c541acf75f63eaf1c227b84edaab67

SHA256
66a42ecf514e564dc15dbada76f82c87cdddf2c776d6aeed7c4dd07170b3437e

SHA512
3f3e175000b458c692ad13c69be1271aff6ef97de90f80046fbadd186632bdb8bfffc1078550a4f227457a2b2ad6c2765b0819f3fbf24c3fbda5660ccaf63c7a

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
93KB

MD5
1e8025eeeaf77d123caf0576f3b343dd

SHA1
ebb5e5c8802b8ca1a52f391c079d613281a9d1b0

SHA256
d2f00321df87620d72b2f3155c06006527eb9920f866b88209b9b58a0cef1d84

SHA512
df83b70a8e2873ac1f3c3a753e20931907045d13fdb26bed9ab605518da29308f8a08a7f7e85f15630025cd2207846ccfe55a44b5b7122c5b65b683412ff893a

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
93KB

MD5
c9f9a0caeef25564037c9c4779d8d11b

SHA1
3665ff22a648d888f9bf3bedf736f19c1edc92e7

SHA256
8d316ed2707d6486d9727ef001aeb0d0342561c9dae39191aee99dbd08d15a45

SHA512
3e6e50333afd3143623cce3832c7f0159a58b642e6b1b18860ba03d89f752e040638e770d7e4ee271ceb74233bfce7a8aee979ca1e7f104c4dc422f27c5a3ef3

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
6a8cfde77e94fb79a4114bfdcd36061e

SHA1
01c81a75f36ddbf1a30b7368c506df5f480b62d7

SHA256
47d260b47b6d620db9edf7411c30ccbaeb4846b1eea3dfe0cd02ff4bd9b4c19d

SHA512
e559f9269fb7a60e4e03cd1cf525aa05c98df68abde4bb93c299b56f281d7aea31d5cb1934a38e9247c3da6962fc090ab9dd6af6726e72044b00551219f5f60d

Download Submit
C:\Windows\SysWOW64\Kdqjac32.dll

Filesize
7KB

MD5
92d0b66b6d817fed8a0247978263e815

SHA1
e49858974afd93096a29ca7b55289987a2b78aff

SHA256
db3e0897f9eb9e18c19616f4e19a541e6d07e2fe9894a5a1a777f8e182087c3f

SHA512
cd34e36171cc33f45f1151c361e4f044719ac1ae9c0effef9e43d02ac791fb53073778eb1ffe186ba8bfa37c97b40b2f993edbadeaa3780b29caea1561f924a3

Download Submit
memory/1104-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1104-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1112-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1112-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1300-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1896-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1896-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3744-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3748-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3748-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3824-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3824-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download