berbew | 1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e

Analysis

max time kernel
94s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
Size

95KB
MD5

c7d7471237fae02eb450bedf64f25204
SHA1

ad2a96e306bf466f8a45206c31b505abd6747183
SHA256

1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e
SHA512

faa0e8e93880f8baf6f9d13ee363a8d7d17f1262bde488773f331b34bd91018e3c4ead1bc9722257b566be6bdc8f706312b903d727f56372357f418b9b9cb0ad
SSDEEP

1536:hJE/m40Uu34tCtg+x7eVlWlTxIrqOM6bOLXi8PmCofGV:HEkU9C++x7eVlWl9SqDrLXfzoeV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 21 IoCs

pid	Process
2828	Chokikeb.exe
1004	Cjmgfgdf.exe
428	Cmlcbbcj.exe
224	Chagok32.exe
2200	Cnkplejl.exe
2068	Cdhhdlid.exe
4256	Cffdpghg.exe
4936	Cmqmma32.exe
60	Cegdnopg.exe
456	Djdmffnn.exe
376	Dmcibama.exe
4900	Dejacond.exe
1484	Dhhnpjmh.exe
3144	Dmefhako.exe
1988	Dodbbdbb.exe
1328	Ddakjkqi.exe
3736	Dfpgffpm.exe
1480	Daekdooc.exe
2324	Dddhpjof.exe
2908	Dknpmdfc.exe
3048	Dmllipeg.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1920	3048	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 2828	4068	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe	82
PID 4068 wrote to memory of 2828	4068	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe	82
PID 4068 wrote to memory of 2828	4068	1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe	82
PID 2828 wrote to memory of 1004	2828	Chokikeb.exe	83
PID 2828 wrote to memory of 1004	2828	Chokikeb.exe	83
PID 2828 wrote to memory of 1004	2828	Chokikeb.exe	83
PID 1004 wrote to memory of 428	1004	Cjmgfgdf.exe	84
PID 1004 wrote to memory of 428	1004	Cjmgfgdf.exe	84
PID 1004 wrote to memory of 428	1004	Cjmgfgdf.exe	84
PID 428 wrote to memory of 224	428	Cmlcbbcj.exe	85
PID 428 wrote to memory of 224	428	Cmlcbbcj.exe	85
PID 428 wrote to memory of 224	428	Cmlcbbcj.exe	85
PID 224 wrote to memory of 2200	224	Chagok32.exe	86
PID 224 wrote to memory of 2200	224	Chagok32.exe	86
PID 224 wrote to memory of 2200	224	Chagok32.exe	86
PID 2200 wrote to memory of 2068	2200	Cnkplejl.exe	87
PID 2200 wrote to memory of 2068	2200	Cnkplejl.exe	87
PID 2200 wrote to memory of 2068	2200	Cnkplejl.exe	87
PID 2068 wrote to memory of 4256	2068	Cdhhdlid.exe	88
PID 2068 wrote to memory of 4256	2068	Cdhhdlid.exe	88
PID 2068 wrote to memory of 4256	2068	Cdhhdlid.exe	88
PID 4256 wrote to memory of 4936	4256	Cffdpghg.exe	89
PID 4256 wrote to memory of 4936	4256	Cffdpghg.exe	89
PID 4256 wrote to memory of 4936	4256	Cffdpghg.exe	89
PID 4936 wrote to memory of 60	4936	Cmqmma32.exe	90
PID 4936 wrote to memory of 60	4936	Cmqmma32.exe	90
PID 4936 wrote to memory of 60	4936	Cmqmma32.exe	90
PID 60 wrote to memory of 456	60	Cegdnopg.exe	91
PID 60 wrote to memory of 456	60	Cegdnopg.exe	91
PID 60 wrote to memory of 456	60	Cegdnopg.exe	91
PID 456 wrote to memory of 376	456	Djdmffnn.exe	92
PID 456 wrote to memory of 376	456	Djdmffnn.exe	92
PID 456 wrote to memory of 376	456	Djdmffnn.exe	92
PID 376 wrote to memory of 4900	376	Dmcibama.exe	93
PID 376 wrote to memory of 4900	376	Dmcibama.exe	93
PID 376 wrote to memory of 4900	376	Dmcibama.exe	93
PID 4900 wrote to memory of 1484	4900	Dejacond.exe	94
PID 4900 wrote to memory of 1484	4900	Dejacond.exe	94
PID 4900 wrote to memory of 1484	4900	Dejacond.exe	94
PID 1484 wrote to memory of 3144	1484	Dhhnpjmh.exe	95
PID 1484 wrote to memory of 3144	1484	Dhhnpjmh.exe	95
PID 1484 wrote to memory of 3144	1484	Dhhnpjmh.exe	95
PID 3144 wrote to memory of 1988	3144	Dmefhako.exe	96
PID 3144 wrote to memory of 1988	3144	Dmefhako.exe	96
PID 3144 wrote to memory of 1988	3144	Dmefhako.exe	96
PID 1988 wrote to memory of 1328	1988	Dodbbdbb.exe	97
PID 1988 wrote to memory of 1328	1988	Dodbbdbb.exe	97
PID 1988 wrote to memory of 1328	1988	Dodbbdbb.exe	97
PID 1328 wrote to memory of 3736	1328	Ddakjkqi.exe	98
PID 1328 wrote to memory of 3736	1328	Ddakjkqi.exe	98
PID 1328 wrote to memory of 3736	1328	Ddakjkqi.exe	98
PID 3736 wrote to memory of 1480	3736	Dfpgffpm.exe	99
PID 3736 wrote to memory of 1480	3736	Dfpgffpm.exe	99
PID 3736 wrote to memory of 1480	3736	Dfpgffpm.exe	99
PID 1480 wrote to memory of 2324	1480	Daekdooc.exe	100
PID 1480 wrote to memory of 2324	1480	Daekdooc.exe	100
PID 1480 wrote to memory of 2324	1480	Daekdooc.exe	100
PID 2324 wrote to memory of 2908	2324	Dddhpjof.exe	101
PID 2324 wrote to memory of 2908	2324	Dddhpjof.exe	101
PID 2324 wrote to memory of 2908	2324	Dddhpjof.exe	101
PID 2908 wrote to memory of 3048	2908	Dknpmdfc.exe	102
PID 2908 wrote to memory of 3048	2908	Dknpmdfc.exe	102
PID 2908 wrote to memory of 3048	2908	Dknpmdfc.exe	102

C:\Users\Admin\AppData\Local\Temp\1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe
"C:\Users\Admin\AppData\Local\Temp\1697c8dd8d39bcd86b051b3cd9695e0ebd20e343f49e28c1f75999770486a11e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\Chokikeb.exe
  C:\Windows\system32\Chokikeb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\Cjmgfgdf.exe
    C:\Windows\system32\Cjmgfgdf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\SysWOW64\Cmlcbbcj.exe
      C:\Windows\system32\Cmlcbbcj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 408
        23⤵
        Program crash
        
        PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3048 -ip 3048
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
95KB

MD5
0946e9991c14adb7bbbfd001a2cb9449

SHA1
014f34bb7db5ad5b7c2f1d7621eb102410b10e3b

SHA256
7e5d8e95261b06b8f3f6e809632fd8d4b399da631978dda6cfee655421eb6d93

SHA512
bf239241766691d115afcdc8c907cd47b129e0d98dbb22af2f85dd2bfecc72823a15b66abffc58b98a04931d4e81e6579d137cbef895dc98774ab0884357da09

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
95KB

MD5
0ca2109ecefa01e2ca8e4b12518e4b93

SHA1
3c453412eba44c4102758f6bc124272c84674c6b

SHA256
1a86d9b3860efe021b322048ebf49d257aecd6bd51817599898fba7a2dbb0a72

SHA512
fbd803871f78799b8336dad3873b0778cf7a0d17d096920e39a0d481b14ddd82aa7e48478681787003a3ff8aadfd0715010b8db32a32d3a01ccb83a12058d1ad

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
95KB

MD5
b427c0be3c8110aaae276b059449e642

SHA1
0ed2cbd3bbb4467ed8db6707359a16aee7bcc6db

SHA256
d1c2e5dde15dfef3ddd873d56ac25ec65c434e93c9a0fabcfba94bf58bec8259

SHA512
6ef5aa02a571849dbb20ac8275e95f394f98f7a79d6de52e586f382ed4012bdf50d959b39ccd24ab06016660b745021c029d3d5a351fd5f13036e8a5cd673ca2

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
95KB

MD5
fe02b26c2dbbd3880888710e9d348d26

SHA1
dee4f356c3a5c8087b84854ab471aca71a0fefa4

SHA256
7702b3a53fb989fc4c3f1c9724e50f9c732e661bdf7d9cba9167655f8b351bc9

SHA512
1741196b2982f8331715ba919d22693a8f89e3eecfcce1169d7f8eed0b0a7bd5d99636e50d7e12c9ca8b948fd6e9821bc89b64e841fe7b48f1fbed149d096419

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
95KB

MD5
c0eee9b9bd0b82549df2dbf5c510b65d

SHA1
447c574f6e2eb6e4ad769a55c40f781ae2fbdc89

SHA256
5b6a584076ffc661e76b3db9f85a34313101678e9e630c80d6e1b0c27d455cf0

SHA512
a298f875eb37be9021805c71256623bee5451bc02ad8154d0a89b34797348fc1a4666edb02bbf52d0de232923af0e1993e29ee4110a989e5d75443e3a35afe2a

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
95KB

MD5
15fdc95ad1ee3f56e3394db670b7c188

SHA1
9bb9dd002af75023a5c1e4deb50a00bca9f15677

SHA256
4ff0070829d1a3a0238ac616d022c984a1ca28a1923b3300feb9aebf954f1823

SHA512
5781c81c36bddf9dc1bc216fdaba32e456117de088d052247ae34233d844028d0f783fa8a60ac1a3b8f3c2bf99996d629921cc9c7ea6385e5ab0ac945c67b736

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
95KB

MD5
fbe4094bf494550dcb975318d0d5bbf6

SHA1
0c3fe8e1a8bd65ea121ee533b0ed9e3e8c28c955

SHA256
01a349d2203f3b65c91c41230652f3b62d07778e9b8818ca42f1bda4d7661445

SHA512
07ee91517b062d9ea7b89c1fae6e09ea4b1aafd9f474543bc192109173bfc1adcb1201f388792af7a347cbc812b00fe48e90034e8e02a52d5c03b544810f39a0

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
95KB

MD5
f25c3b107ceca83d081b06bb6f345dda

SHA1
4fbd78656515142e675a840a050666a5d527d18c

SHA256
2bd1877832332064b88e537b2cff13ae2630867e4aee6adb4a786ff8d9ba51fe

SHA512
a49e3822d2992fb7ff9471ef61cbe274745f858a396981f74bad4ac6b87873efda018986fc664054899031a46936aa91712f87c3bcc0ff1db7225adbfa519a76

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
95KB

MD5
e70c971e32f083e4dc4d5c56312d3e92

SHA1
f39c17dc0f29ffb0ce0366d16c41d8f365f2f9f2

SHA256
ca00315169c67487e2c73f6fea7ab35470ce157be07ae34e74542061df6bfce3

SHA512
479adbde07f27dacc1f049c99846b96ae72db0fe47cc3908145b73b81c6dc63f807d126713db7db99be48f8e20484506df715161536f824d4db068a81e17a87f

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
95KB

MD5
d1f10580278da0002b676e0674db5327

SHA1
dc2fb5f29733f79df7846150f52d2180e254744e

SHA256
c9e0c77bde5296905b907df348ac799755594618d4ce14641c649777c92c9a9d

SHA512
b409eea89ae2f26295a164a926e6224c34fbac2fadaaf19c9b83a2e89b917ae70547b1d0304734b6d109a4127f5936cd7e56bc11effb5972d56a5c8f17985217

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
95KB

MD5
4ddd4f9d518f1de2c876f4ae5a326f5e

SHA1
31f41b2be77ba90f38f8980e8701636acdc61730

SHA256
2ae5e3ab9ba0e3b4e571a79a5e761410ee9ee0ccd8c8f0e861f25649370b297f

SHA512
5a87113a810022276eeb213ad6299bea7abd1a719fd3d7eccc21d9daefc7ddde65bd48d3caa3fbf432d9cc5281a58db538c6b8da127b58bd301123f570c78f77

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
95KB

MD5
c41a5ece4c65247f9c98aa2aaf39ba8a

SHA1
3fcd8f7fd0d1593c3a9cb7ee6dcca7ca1821bb5c

SHA256
4146256919228787a6f8a3ab83c8fe8d551c22d8d0589ac58765bf5782a5d083

SHA512
afbfef21b96d113251a588641b10a2206b3ce3ba0dd589f6a9e945b242f944cbca4af26dd031efbcb0eb8bfe85960035806873ff301d892c72f95ddcfccf789d

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
95KB

MD5
1667adc89f699aed0eb0df1ddc9d4efe

SHA1
4da4d5dd00ff211cfc5c1e9b5ef1fc2aa5506e6f

SHA256
19cf54ea6255954163170ed4fb18b735e4b20476e487e01d254a504207ba879b

SHA512
df168ce2d15ae422e9b9608e9ecc6eba74c63fc0a34eca80183b8c3493b39d977179a252d9236bb88e2dcb460008ff9b02ea8b0dcdbeca98491452e6c08424ce

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
95KB

MD5
a5e9dc9297505d9800b0fe5ea1c2761b

SHA1
98fb51157d5405380d3be59802eccb3f0a114a89

SHA256
158cefae71b5f5fff7457f179022eafd9e2d152352172603a50c76c245865b59

SHA512
2b4a75f85546029666e7938f20af6c1355deedd7274e8b073c729c44b4fb14f7ba317d80eb6b8a24740a49f195614158a64f5c7e3365b073648e4629b32f937c

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
95KB

MD5
36e771902d3f3a004d8bc3b57f18e66b

SHA1
fde9ecf0a79eaa3b324cd2f91672234427a33a28

SHA256
78c0c33f5921878c80890040bb8c9789029973d4c519d0a41eb5e617e7c19bd3

SHA512
b33f39c1759b7dd9cf0d10bf7919a45be2e5854be05559e9cc6e8c833c97715845dffea40341e48d79f371010447edebab57900f4765941141743ce005598f3d

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
95KB

MD5
74b45aec9ddeac9a3d926caffd9905e8

SHA1
bb2fbdabb8859c3dfd2cb5a2027fb3bb53f8b3f6

SHA256
c4b425ca936d9d106c896e79915b413eabfad818c9156d1c25f255511aa3f644

SHA512
7b4d47ca130df79581bd3846520ca2e39d1064301332405a684584ba45c3d3870208098aed63da419ed730d2004c97e65c6e2169404472013d5b809661d8161e

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
95KB

MD5
67ac25f38b00c22047ccf5618303ab8b

SHA1
c9340c386e2c09701352aad98d1f899137064d48

SHA256
6fdb6c779fa1541d289535488e623a82ba69f1ed22bb444289bbcdd1d75b1f89

SHA512
015351cd3abc4cc23d06f2d01feab9c973783fffb0ac6b6fab7cf429675ffdd3f662eee5489a352071a07706b588767f534d325ad9eac81fb455690461d6c4cf

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
95KB

MD5
44f133d9d673fddd24edc2bd2599b1ff

SHA1
4945936be1c5da88831b7c6fb199b06b9c37bf14

SHA256
cf1f57a2c6956351d43c6594efb8ab520395dbe1ddf1ca7253ac6a3f2be800ff

SHA512
e99a9ace0f1feff482f0c50cec69ff1cbd6c0827092222ab653df0d32a4f85af34b9cb396df517c4a9506b15cf294dcfc5e963aebf6b8be282b8fd7bd464c830

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
95KB

MD5
6f0e5572488deae6e11918a798bb3221

SHA1
ba5a823c5edb52189b231518ef5ae5ca714770ca

SHA256
af3dfd1935c66fafa84e13fa35ca5e8503c12f0c4d7a03138df43fec1fa7fa92

SHA512
c7e4fe2c2b9442cf5c85463d4c83f5ccd755bdb15d2bd5ddd902c0b07aa544a79b67e801bf471d39cf1b16012725739fb0e215d1da497ab658aba4a1e42ecfc7

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
95KB

MD5
711e19cc097b431e7ebe3af67d7934bb

SHA1
b4286463180860f86ef079f462680b1e7a5b6e62

SHA256
641b40cfd5140a9b920d73ba4017854e4697e510c179685385cf7d22a7cd7a08

SHA512
8140dafd64d6abac8dc841b05ed1f4ca4d24af4477555bc97ed78d67ffb8f6c62968a4e9440cccbbe9c34638cc2cb81d993137b5168986c4aef8f143dcd05136

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
95KB

MD5
2dd4e9f817638b32906fc37c09080546

SHA1
891f3c312a8209954f4b115d720b3ae37f596fc3

SHA256
6c144d1778722c3047e5599237951c2d20ff97820768a8b9f7468eb1aeb07855

SHA512
f4b7d8fe9bb60eb73b9a721456625faaf350c64da780d093aee5d44f92680aee10248dc9f798f25a835ffe31015b8437f3aa133fe8f84c5c5c414df0e9c96444

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
95KB

MD5
fe2a1cf9b6aa7e2681acc2f210d24257

SHA1
0032eea7aaa9b8ccb98ffff4a48583380e746587

SHA256
b1cc35406f5d422aa3c0179a0281e91b694f94efb3fd004209568e7135106bc4

SHA512
7c5591a53d66e8bbef184c10a9f07acc33baf3554b8cc2cde06263e4141fb288cefac9cf4985ae4ca2c24e18458e08dc0844d74ffbda2fdb168cfcf2b9e41bf2

Download Submit
C:\Windows\SysWOW64\Pjngmo32.dll

Filesize
7KB

MD5
69fb2935880a26581e6f6d1885763c15

SHA1
791db7736a508ae9dd48f5d36b65171ca466da16

SHA256
b6598cbc2e90f17b1511a83254d95ded21e1a96c154dadc2ffde5f1a104ea306

SHA512
47077bc1ddcf3b0d75a5923baae559c5867770e6c759dd78926be4c1b849dfa9993dba074cbd7e4d5f7e66292fd57e2fe0022cea83ca8cf5c1b0cdc83d5efdd9

Download Submit
memory/60-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/376-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/376-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/456-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/456-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1004-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1004-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1328-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1328-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1480-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1480-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2324-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2324-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2828-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2828-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3144-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3144-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4068-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4068-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4256-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4256-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads