berbew | 2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7

Analysis

max time kernel
94s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
Size

93KB
MD5

6ba8d2cb58dd28e41c9dc9874b8548ab
SHA1

54bf19b5c1745ee05bd1e2987e691a6d9b8eb972
SHA256

2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7
SHA512

6759c7546a248569cf59894139316d69ced38f968915492d4cb4394c5bf49c4330b895c14ef985150740e418008233a53c1eb6bf63688bcb3802f0c630ee12bc
SSDEEP

1536:nfUtClJzJ/+KpAvxQnQPO5fNdD42PLkET1DaYfMZRWuLsV+1J:Zx1+K2yQPOxDZTgYfc0DV+1J

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 20 IoCs

pid	Process
4040	Cnkplejl.exe
2928	Ceehho32.exe
3604	Cffdpghg.exe
3632	Cmqmma32.exe
4768	Ddjejl32.exe
4952	Dhfajjoj.exe
924	Dmcibama.exe
2984	Dejacond.exe
4740	Dfknkg32.exe
4544	Dmefhako.exe
3660	Delnin32.exe
5048	Dhkjej32.exe
4884	Dmgbnq32.exe
1736	Deokon32.exe
3820	Dfpgffpm.exe
4744	Dogogcpo.exe
3600	Deagdn32.exe
1400	Dhocqigp.exe
2140	Doilmc32.exe
4164	Dmllipeg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pjngmo32.dll	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4404	4164	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4040	4676	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe	83
PID 4676 wrote to memory of 4040	4676	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe	83
PID 4676 wrote to memory of 4040	4676	2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe	83
PID 4040 wrote to memory of 2928	4040	Cnkplejl.exe	84
PID 4040 wrote to memory of 2928	4040	Cnkplejl.exe	84
PID 4040 wrote to memory of 2928	4040	Cnkplejl.exe	84
PID 2928 wrote to memory of 3604	2928	Ceehho32.exe	85
PID 2928 wrote to memory of 3604	2928	Ceehho32.exe	85
PID 2928 wrote to memory of 3604	2928	Ceehho32.exe	85
PID 3604 wrote to memory of 3632	3604	Cffdpghg.exe	86
PID 3604 wrote to memory of 3632	3604	Cffdpghg.exe	86
PID 3604 wrote to memory of 3632	3604	Cffdpghg.exe	86
PID 3632 wrote to memory of 4768	3632	Cmqmma32.exe	87
PID 3632 wrote to memory of 4768	3632	Cmqmma32.exe	87
PID 3632 wrote to memory of 4768	3632	Cmqmma32.exe	87
PID 4768 wrote to memory of 4952	4768	Ddjejl32.exe	88
PID 4768 wrote to memory of 4952	4768	Ddjejl32.exe	88
PID 4768 wrote to memory of 4952	4768	Ddjejl32.exe	88
PID 4952 wrote to memory of 924	4952	Dhfajjoj.exe	89
PID 4952 wrote to memory of 924	4952	Dhfajjoj.exe	89
PID 4952 wrote to memory of 924	4952	Dhfajjoj.exe	89
PID 924 wrote to memory of 2984	924	Dmcibama.exe	90
PID 924 wrote to memory of 2984	924	Dmcibama.exe	90
PID 924 wrote to memory of 2984	924	Dmcibama.exe	90
PID 2984 wrote to memory of 4740	2984	Dejacond.exe	91
PID 2984 wrote to memory of 4740	2984	Dejacond.exe	91
PID 2984 wrote to memory of 4740	2984	Dejacond.exe	91
PID 4740 wrote to memory of 4544	4740	Dfknkg32.exe	92
PID 4740 wrote to memory of 4544	4740	Dfknkg32.exe	92
PID 4740 wrote to memory of 4544	4740	Dfknkg32.exe	92
PID 4544 wrote to memory of 3660	4544	Dmefhako.exe	93
PID 4544 wrote to memory of 3660	4544	Dmefhako.exe	93
PID 4544 wrote to memory of 3660	4544	Dmefhako.exe	93
PID 3660 wrote to memory of 5048	3660	Delnin32.exe	94
PID 3660 wrote to memory of 5048	3660	Delnin32.exe	94
PID 3660 wrote to memory of 5048	3660	Delnin32.exe	94
PID 5048 wrote to memory of 4884	5048	Dhkjej32.exe	95
PID 5048 wrote to memory of 4884	5048	Dhkjej32.exe	95
PID 5048 wrote to memory of 4884	5048	Dhkjej32.exe	95
PID 4884 wrote to memory of 1736	4884	Dmgbnq32.exe	96
PID 4884 wrote to memory of 1736	4884	Dmgbnq32.exe	96
PID 4884 wrote to memory of 1736	4884	Dmgbnq32.exe	96
PID 1736 wrote to memory of 3820	1736	Deokon32.exe	97
PID 1736 wrote to memory of 3820	1736	Deokon32.exe	97
PID 1736 wrote to memory of 3820	1736	Deokon32.exe	97
PID 3820 wrote to memory of 4744	3820	Dfpgffpm.exe	98
PID 3820 wrote to memory of 4744	3820	Dfpgffpm.exe	98
PID 3820 wrote to memory of 4744	3820	Dfpgffpm.exe	98
PID 4744 wrote to memory of 3600	4744	Dogogcpo.exe	99
PID 4744 wrote to memory of 3600	4744	Dogogcpo.exe	99
PID 4744 wrote to memory of 3600	4744	Dogogcpo.exe	99
PID 3600 wrote to memory of 1400	3600	Deagdn32.exe	100
PID 3600 wrote to memory of 1400	3600	Deagdn32.exe	100
PID 3600 wrote to memory of 1400	3600	Deagdn32.exe	100
PID 1400 wrote to memory of 2140	1400	Dhocqigp.exe	101
PID 1400 wrote to memory of 2140	1400	Dhocqigp.exe	101
PID 1400 wrote to memory of 2140	1400	Dhocqigp.exe	101
PID 2140 wrote to memory of 4164	2140	Doilmc32.exe	102
PID 2140 wrote to memory of 4164	2140	Doilmc32.exe	102
PID 2140 wrote to memory of 4164	2140	Doilmc32.exe	102

C:\Users\Admin\AppData\Local\Temp\2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe
"C:\Users\Admin\AppData\Local\Temp\2f1cab99e1744a7c90dc44b4c27078d6139c72de875f587c53905e6b9a0ff3a7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\Cnkplejl.exe
  C:\Windows\system32\Cnkplejl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SysWOW64\Ceehho32.exe
    C:\Windows\system32\Ceehho32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\Cffdpghg.exe
      C:\Windows\system32\Cffdpghg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3604
    - - C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
      - C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 404
        22⤵
        Program crash
        
        PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4164 -ip 4164
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceehho32.exe

Filesize
93KB

MD5
69b9620f55800da9845a23c6822a8fe8

SHA1
b0bb988b8f4f49af3f7bd049a1cd86a36eac597d

SHA256
192b9fa865ba75767d93500906d93902237af10ab1fb6f87c11a68a0be1c20bb

SHA512
bac4765c62943c204193e2fd2a10eda03e47270fb46fc1b4eda67ff5a40242c79e7d6105d27c6675a8a2467cecb8aefcac6cd359051ae24448ec89e296729841

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
93KB

MD5
02e45e27460ffc059405e7f8d8f69cba

SHA1
b4d1521907b1cc0519c0098e51899e8f6f686da3

SHA256
230991c279990f8481e7cdb127e6677ecb22ab4e9be5d6b4e83954883604ce3b

SHA512
d0a47c7c040aa6c37a5a2820f1e35dcf0af6e5361baa75711938e122d3ddbb53a7365975cfeca5053e6fff9806e30085255e85e1ab4c90d065cfd6610cab851a

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
93KB

MD5
915854579abb47d2763bf9ce283143d3

SHA1
1ea12926bc68212c681e93e0e6bd5166188e3cc8

SHA256
a2a558a16911075bb8aa21459457b2574024c32e46a77a4a54f380c15c243c2a

SHA512
dc6c532c3c061a62cdb22193dd8440b7aa453850e3d76c212c0736b782250101862efc2a77a78298a82d5be8a20fb978d423584f7d0fc9fc765b0820c21faef0

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
93KB

MD5
49d96115cb4c85cec3eac4891a0ab281

SHA1
057651efe986071c4a7102e15fdfae5ae71363b5

SHA256
b096ed44d37fa0288d0508a4423c49cf111256954c845436b6e20701df62369c

SHA512
8d1ea0f95e05ea257e91445304bebeee2b13ce017d3caf9063b37fa63c9c33880f0b98ba97f2315d93b67483e6575ee76d7c9acf42006434d9d1f5071a08d5df

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
93KB

MD5
46f9d760e7f423aeb5b60098fcbab931

SHA1
cfd3ec96c8bc895ad6e4e619a8ee7a6b36f3259d

SHA256
cdd362e7e783e127f8e19a36bb6a9e2ce21030c48dd6ab618f98300ae3e0f46d

SHA512
d4bce4d71cc9a58e123cfb9371c2a50339323abfbc20e0127ea469d48a6f252a787e4d2cec6a29a8fd42af06c4572fd53703e1dd157fdb9317fc8e29ffbd6991

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
93KB

MD5
cf39fde989a116d5178ea5a8e034f936

SHA1
c4aa5e5dc862efbf06cbb6cf806dfdfde8c08cad

SHA256
e9152e703f52d9627a1c8125130e75c1b49b3799f48fbed98e280c7c4422b2d1

SHA512
72cfcc1601e5cf27713e0c96bbe36c9079a168c5f4499510e07d02ce5edc6a82a5f825841211d77ae0012e702cb5ef054c78c23300265633eb717f62fd89236c

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
93KB

MD5
9904bf2449c81b6238378ef9f989c13d

SHA1
35eed0c28c108d2e9b082f68738acbfba1519473

SHA256
5d9f276ab038bb5b5d5b8613cde8aa9a077758a0580a69fe190fd5302558952f

SHA512
fb040bca650ecc3383b4db36d5d32da130ea3cbdef14dcd500ca6317486fd04c6e92fa9f50897e84fac559438cd6057ab23d1db325dd936c9b0581f1873fdeb8

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
93KB

MD5
2241bf64ef25e0ad2a8235a1be36c5b2

SHA1
5c64b0dae736383c513d5aaa3d391e17580a3051

SHA256
787b68b438704000a0c0cd291a472d740553e89917ed59adbf9cd29fde32e3f5

SHA512
b3f16d725464377458bada28e14294aaa1c0d342911f11ceb264be9521290f91fd7284839ae7da2da2e5cd051ae0b4a0013b8a27d4b7b3d2627bd11e92734f5f

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
391ea51da23cc2a475a434cabd09b231

SHA1
d482df18969f5fb1ea927402a1d884424a7626d8

SHA256
bb4d9d3f4c538c5e1689dbf57b85330da982d292d2d3ffeb4e791e10cea3ed2e

SHA512
bc8be54215f6ca7c242edb56545ce03b64a77ccd7ef40c0b7d3f2ffdb555079244dad41825711b08d3165d646d8d7829c2469e10d6cbf6b5527775a1f042ce4e

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
93KB

MD5
16955b79e3875eababf8d5800269a356

SHA1
d7228eaffb4b877598cb8cadd60bab7df7f0092a

SHA256
b40bf2fd48a87154d7728260bda821740968f69841e60ed09bded6741600cf5b

SHA512
d7ca382f0cf59a818f52a5940deafaf2fa676416b5012a8eaa9192b9d5c5c15e4a7f3ea9cc76100af5072507c7a455bf109cbac4db865463c23491b48697294d

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
93KB

MD5
4deaf4026c76247bedaa2401b82ad4b7

SHA1
7ffcc538913f082d88381f9847dae74514eeb19b

SHA256
ec825429bd664b7f437bf40e59042dcba240f5f64edaa03bba905aac2bfcd358

SHA512
7e5ea3f10d0edc2a40c36476eadb3a885cb12b7819df7620ddf2faee76e4d493219d5328837e0bdb8ca5b571674db6005e4ed12de3d2e409f1ef60b0827c97cd

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
93KB

MD5
cf8b76f0e04ca0859b265a02a62cc3cd

SHA1
2bea59a0dbb8b23f360ba9c471dd6ac8228595f9

SHA256
0e16634f686d1524b0ff6022a884604a2830f51adc575dd7d70d34ef88810b8d

SHA512
3590a799153729b3e9eb000abe7c4ce729553c8ead6570a943df8b277dd885173309c825e0ea7932a5c0ea3808ebe9c42d2a1746672ae2449940b5e480713a62

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
93KB

MD5
b9f8435d2fe5ada21535df6ce599a47c

SHA1
7937dcfe6a286ee47ff41a6bf9b3e354169f9301

SHA256
5a7d224e7142ce1a55edbfaa31fc3448ee326f3c5a57765c6db55b926aa940d2

SHA512
b4aa5a01f2579059f23ce74221fe28b983b52a1ffdea6ab577469bf553b17cfaffbfce4a38203dde84b981bab7762c959e7050fd0ea10ff5a8257ca0a4223e7e

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
93KB

MD5
600fbb4d29015a583f23f8fa96f3ae0f

SHA1
7465d1cff8be29f85c3a171c75c1c428b90fa285

SHA256
31bbe57d9a7c467be1ceab7a389c8df7f6f7fdc99207de03b11adb5025d81c47

SHA512
6d09a8f7abdeab56d83f23fe972f72373c65142de57d340390ebf526d02b7c3a7a71402d748e88ce872a8ffd05531d244a2a405cde3e5a61e16938d9650afd66

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
93KB

MD5
fb3908759e5acd084db6fbdd59eeb36f

SHA1
24d420c793a13a7e585e92dc965e36aed33d8766

SHA256
811f4537c3fa78bc73e80b2afa6927ca7d1138713a98dccc1d8124cf2b8ba700

SHA512
455e58ddee7003851c724a2b44111dd268cc94c7ad2ef4ff9f509eb474c7a56a676cc879312ea4b7abdc8b0aa77435725cbd880255c10d93a45c85784a37953c

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
93KB

MD5
0b8c3c20171167231b5bf3321a653235

SHA1
b37bbc8a9dcbab8d12e2d30d9fcac6e0a65d57ba

SHA256
2d636f05348811a28e875d07095bb64f231255f1a7cca1dbb73ad7506342b16e

SHA512
8a9cca64cc7c1baf8d26eb85ce143d6db67ffa3d8b74f185f1938e09ed009b0aa2382539fa794ac9b0f1c880e1dedc67c460ef7daeee7f372ad5676e8d43ffbe

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
93KB

MD5
fde0464126a8fc7bb514e7780bc769dc

SHA1
85e975399e0a9cfd132d9718875d568e75826f08

SHA256
dc3d105de51d183ef999e7046567b39911fffd29bd5133b78cb23c424e81db1f

SHA512
59fc427884903ada58c6d964af36065d08fabc817af2019b3c40f70ae5bfc51f6fbaffa9115a2f94996ed882aba49a227a4b45e2ec585755dd8718ba1b709a23

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
0baae176c9415b6524b429f46d95b157

SHA1
55e2462a0df2b64de24c2bc3e39a2a20ec18460f

SHA256
75f149d924e64a419abed617b0a920f908d370e3b3e4f94a4c396a172bbf83e3

SHA512
94486cd1f5fb1ece074247311c11b9334ef4d701bd3cef97adbbd9b6397429b92bfa785f72c424d7b05d6b8eb3d38ed6efeab5d52fd8094eb53d860515e2aeba

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
93KB

MD5
5a3a2f14788b2e9e232eeb59e7051191

SHA1
6cccad4c2f15ea032d27ab83b0b9e209073f2cdc

SHA256
63b210db2cdfa8549f30ce9a28832e5077e16a8228a83ca7e3683f0d7946fb0f

SHA512
0441dd9477f49e35403d9839d4c7ee6cf94c56f0c2a720cc07ce1107d40e70c013861a34809a71df4377dd32bf504cd618bde3a4a89e5e76dc24ac63797478f2

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
93KB

MD5
1817513209ce92d68ee3a9e40186839d

SHA1
c115184be6cdf51928dd00d7a6d671ce6b01fbe8

SHA256
6db20d6639d9e340e16f92a8e450870feaa4046693c076dd30c2d7f2758a86aa

SHA512
7eb5a1f3124a0d18b3bc96e2311de5f76da7d73180bef0dd416166a159dd237260f229eabbbfa1ff0d1a929fdf9265fe7b667222d7e95d8e5bbd39d8dac4a197

Download Submit
memory/924-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4676-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads