berbew | 445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
Size

96KB
MD5

bc4c64012423e31589cb717af25c0096
SHA1

79a1d02c24347a5e9f271bf0edde5c2bb72fc7f8
SHA256

445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58
SHA512

35c5057e6a6837f87621f495b4745ce492587847c3ae1836d7f953a525e431303d5a303ebfc23185983b75b7549cdc3c3b263aebc2317e18246f457dd9f508bf
SSDEEP

1536:25ogCE970OXAPHf6fN4ba2LX7RZObZUUWaegPYAi:uogCEiHifWzXClUUWae3

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023bdb-95.dat	family_bruteratel

Executes dropped EXE 20 IoCs

pid	Process
4880	Chagok32.exe
2968	Cnkplejl.exe
1504	Ceehho32.exe
2448	Cdhhdlid.exe
5056	Cffdpghg.exe
4224	Cmqmma32.exe
4468	Ddjejl32.exe
1844	Djdmffnn.exe
1120	Danecp32.exe
3276	Dhhnpjmh.exe
2360	Dmefhako.exe
2688	Ddonekbl.exe
2180	Dkifae32.exe
460	Daconoae.exe
2904	Ddakjkqi.exe
112	Dfpgffpm.exe
3824	Dogogcpo.exe
3856	Deagdn32.exe
1948	Dknpmdfc.exe
2384	Dmllipeg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chagok32.exe	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2896	2384	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 4880	4516	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe	83
PID 4516 wrote to memory of 4880	4516	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe	83
PID 4516 wrote to memory of 4880	4516	445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe	83
PID 4880 wrote to memory of 2968	4880	Chagok32.exe	84
PID 4880 wrote to memory of 2968	4880	Chagok32.exe	84
PID 4880 wrote to memory of 2968	4880	Chagok32.exe	84
PID 2968 wrote to memory of 1504	2968	Cnkplejl.exe	85
PID 2968 wrote to memory of 1504	2968	Cnkplejl.exe	85
PID 2968 wrote to memory of 1504	2968	Cnkplejl.exe	85
PID 1504 wrote to memory of 2448	1504	Ceehho32.exe	86
PID 1504 wrote to memory of 2448	1504	Ceehho32.exe	86
PID 1504 wrote to memory of 2448	1504	Ceehho32.exe	86
PID 2448 wrote to memory of 5056	2448	Cdhhdlid.exe	87
PID 2448 wrote to memory of 5056	2448	Cdhhdlid.exe	87
PID 2448 wrote to memory of 5056	2448	Cdhhdlid.exe	87
PID 5056 wrote to memory of 4224	5056	Cffdpghg.exe	88
PID 5056 wrote to memory of 4224	5056	Cffdpghg.exe	88
PID 5056 wrote to memory of 4224	5056	Cffdpghg.exe	88
PID 4224 wrote to memory of 4468	4224	Cmqmma32.exe	89
PID 4224 wrote to memory of 4468	4224	Cmqmma32.exe	89
PID 4224 wrote to memory of 4468	4224	Cmqmma32.exe	89
PID 4468 wrote to memory of 1844	4468	Ddjejl32.exe	90
PID 4468 wrote to memory of 1844	4468	Ddjejl32.exe	90
PID 4468 wrote to memory of 1844	4468	Ddjejl32.exe	90
PID 1844 wrote to memory of 1120	1844	Djdmffnn.exe	91
PID 1844 wrote to memory of 1120	1844	Djdmffnn.exe	91
PID 1844 wrote to memory of 1120	1844	Djdmffnn.exe	91
PID 1120 wrote to memory of 3276	1120	Danecp32.exe	92
PID 1120 wrote to memory of 3276	1120	Danecp32.exe	92
PID 1120 wrote to memory of 3276	1120	Danecp32.exe	92
PID 3276 wrote to memory of 2360	3276	Dhhnpjmh.exe	93
PID 3276 wrote to memory of 2360	3276	Dhhnpjmh.exe	93
PID 3276 wrote to memory of 2360	3276	Dhhnpjmh.exe	93
PID 2360 wrote to memory of 2688	2360	Dmefhako.exe	94
PID 2360 wrote to memory of 2688	2360	Dmefhako.exe	94
PID 2360 wrote to memory of 2688	2360	Dmefhako.exe	94
PID 2688 wrote to memory of 2180	2688	Ddonekbl.exe	95
PID 2688 wrote to memory of 2180	2688	Ddonekbl.exe	95
PID 2688 wrote to memory of 2180	2688	Ddonekbl.exe	95
PID 2180 wrote to memory of 460	2180	Dkifae32.exe	96
PID 2180 wrote to memory of 460	2180	Dkifae32.exe	96
PID 2180 wrote to memory of 460	2180	Dkifae32.exe	96
PID 460 wrote to memory of 2904	460	Daconoae.exe	97
PID 460 wrote to memory of 2904	460	Daconoae.exe	97
PID 460 wrote to memory of 2904	460	Daconoae.exe	97
PID 2904 wrote to memory of 112	2904	Ddakjkqi.exe	98
PID 2904 wrote to memory of 112	2904	Ddakjkqi.exe	98
PID 2904 wrote to memory of 112	2904	Ddakjkqi.exe	98
PID 112 wrote to memory of 3824	112	Dfpgffpm.exe	99
PID 112 wrote to memory of 3824	112	Dfpgffpm.exe	99
PID 112 wrote to memory of 3824	112	Dfpgffpm.exe	99
PID 3824 wrote to memory of 3856	3824	Dogogcpo.exe	100
PID 3824 wrote to memory of 3856	3824	Dogogcpo.exe	100
PID 3824 wrote to memory of 3856	3824	Dogogcpo.exe	100
PID 3856 wrote to memory of 1948	3856	Deagdn32.exe	101
PID 3856 wrote to memory of 1948	3856	Deagdn32.exe	101
PID 3856 wrote to memory of 1948	3856	Deagdn32.exe	101
PID 1948 wrote to memory of 2384	1948	Dknpmdfc.exe	102
PID 1948 wrote to memory of 2384	1948	Dknpmdfc.exe	102
PID 1948 wrote to memory of 2384	1948	Dknpmdfc.exe	102

C:\Users\Admin\AppData\Local\Temp\445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe
"C:\Users\Admin\AppData\Local\Temp\445e51d7c1123e24f3d92e233c37da645fa3d6be08907a377412bd35f5333c58.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SysWOW64\Chagok32.exe
  C:\Windows\system32\Chagok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SysWOW64\Cnkplejl.exe
    C:\Windows\system32\Cnkplejl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\Ceehho32.exe
      C:\Windows\system32\Ceehho32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 404
        22⤵
        Program crash
        
        PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2384 -ip 2384
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
ccd44b345001cc06ce6a8da2c1a4cbe1

SHA1
a51b2eff51612b149f91f422d99c98ec9c16a633

SHA256
20e52aa49f3ef507dd3861ff7c79d2342e535707d81e8a689df8c7cbb0125b2f

SHA512
0b496643d7f2f5d17e799065e805a6c5e8ccedb8b50afb2499d7686e86f432dd2c95caee472666e168c641ff7a3514f039fee87c9b144082638c316dd9ba6b43

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
276f26aeb289be1fce3a90bdf6c05652

SHA1
3ec355092e0eeeb15ac90cc5e3ec45cc1e52ac17

SHA256
bd78dce85cbadf5f3cea3c2cb4f01629128d91d1e7e2c8028b3dd5bc0c11fb1c

SHA512
27d837bb55eaae3721023f62dea5b8f2d5d8faf7be82deac70232fc88cedaad4bd43dcef7c6afdc01b92e04debad42e746c1d4b0d257d0a94d992f38de8298c9

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
96KB

MD5
86c3e2524010c66452c9d2879f63ce24

SHA1
b9c5a649d38369e3bd40099ea23fa2fef00f701d

SHA256
b9dfe8a2984e389efbabc78cf74b699563f7e117245b0966d225b51c0f9de811

SHA512
e547d22678589243c740ea8cf0d24cdfd116a5b53f55f865d1de8ad2e9221b002284ff09bb65ff1f155b1cc2ecde0c73144acb5a308add4452250885f4d1f93c

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
f817e9bce2264af241ddbb1fdf786ae1

SHA1
89035098a33edf5518f66861a4c99d8ca535cd5c

SHA256
7b98bf946c176d55b2e82813f70319be0d09746a5b8094e8a6f47a2d03e7370d

SHA512
2bc2a56333d9ac9bad35a8cca7d7c94923f3142da141cf780a4d23ec136cbe673b73976fd81dba8b8590dda274f9413d0652ee9f7d5f3da354182bc087f694e0

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
c70973ccd42ec75f8656c7e4d8125579

SHA1
5c21cc5ea4f0c6c719f30dd08a1636bd3653101b

SHA256
80b0ab2e810a018cc09875e4178840960b17936250eca158c04826afc1f7073d

SHA512
15df8c4b758372e43d2b59a79335995c75a18390a1f49b37a6f2c3e42870383250c97a9973288c79bcf7a5fde6994181e2fb65c0426ba2f81f8a9b5eb907fa5e

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
349b843547a42e59f697469b7d1d025e

SHA1
51df0a110e2cd390d32d9691c2e9e4779d407000

SHA256
49bbcf705e4d5ddac7c6863c79c5c086eb5654f9604cf12536263ee00d8cae62

SHA512
bec9a311f55edf6f008aea3a075fb6a1afc8bc3eecccfd88d19f8edcee31cf57e7d77932823e9f5d735edc9cc06efa8c7b467231f6f3c98c60b5c16459fdb147

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
b5d5438853610c1a96ecc43c6b5aee17

SHA1
8c0047e6f74dd9bc36f22d50242c94e7c836325a

SHA256
4ad8754d59c38d7c37151da4d2acd6cf3b4c3e633b9f5ffdc1cdad10aa9c476a

SHA512
89fcea6ac7594e468a0aa0eaebdc07af9c118936a99f2fb7288567681a4a8986ed557ef7aac233a5a1b47c6e67f9112c195c214da1e6f11bf4986dcabd4814fe

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
96KB

MD5
0e7b01ac714dc22a082a61c6da32b3fa

SHA1
106dcc5bf468f591c4748709b3fa12531b8f519e

SHA256
d1869cc95e39542cbbe327bec9cc4f416141c79586717102daed0599f7b7fbfd

SHA512
3dda888fc0da0bf7f94b6e1d64b80729cd782782a0255bc7691bc6381bf28d313ee6f1edd940abd1563f65ac3de321917f6e83e67fb2a151d48921e8d7b5023e

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
4a84a708fdb876d11d1c234d5a58bea2

SHA1
2fc052faffdf814de06d3ad5a58431138458a6f5

SHA256
87a1e1bbc6810c6447eb8dca1d6859efd86316672f9e70e77f949546fedeca74

SHA512
144c37c8a220b8b61fb82f64291a755bfa02d1526f046fba32f78e28cabe123c0bf85d01d177c005ab2f956267a766129ad079dc847bc7a17de5c513f4f304c0

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
96KB

MD5
07f4c40d4ad5e47092f3073c339c250e

SHA1
a2d0530769dd5de53cd7778592f754f04ecb4001

SHA256
226df876637be834035b015b2f415516a63232a1cee0c2a7e111fff922ce87be

SHA512
edee229037a7d29bb98eb7ab314b0bac68ef82dfd8adab83bdbaa90eb31f36c99fda8e0824762f0c450ae96acbe7147aec6454600b623ff7c6f05ce2bc072d28

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
ab264ded0fd83a25f1652da6ef8c8867

SHA1
8d703bbc2e1422d4f63894391031ecce1863cefa

SHA256
9bd3a3a5045da0d1b399756e24d227fc8cfd94d1c3a77c4a5d7b7ee0df7d90c3

SHA512
9076d21fb719317d3a5c93657e965cc4eee27bfdcafff43a65ce6c360a28c3e22dac31eac123e7b7e017cbc0420f02d6cce2905bed40caa434203b4c346f2279

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
3319a8c06adfbe39c61debfde5c19056

SHA1
3fab1a115abdea69407836606bcfe81099ac5f84

SHA256
f8dd054c19a28d619f39ea4a071bcf14957680b692fbcb77b14a9fa3520ebafd

SHA512
3edeea03f07820b3c63e26d64bd63049cd47cf10860e6793c166c3f376433dabac0b6969bc8fb0f044414f9476480fb8907ad9a9e5ec0a9c95a99823827ea94a

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
d62612033a1625e13207420e8b48edc7

SHA1
4ffda027a373bbd24d3efbf3c869522366765e21

SHA256
881b523a06a8801f81e679191415e86dd4eed162fb496181fc41da623c8a3bf1

SHA512
11bd1a281ed3b18cb6e70316489ac47cf2a15d8f1897cdbde2371131942521bca677d610678a0e1b339dcf280d57527b9974520155c95b6e8d6ddb78566e00be

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
a604877b17ebbb38f8b3aba7de16d893

SHA1
837add4ab7ba3bd9baa6ba80ca42b34c5b122d80

SHA256
9456d64465f6adf5e1ab0eb631342dab0d877cd6fc7b45990ab778dac769b68f

SHA512
5797fac3f6bfba689fff8ea867ce76a7ee233e4882fd0c8abd246ed74f678fd7b50a59ccf4c816fe7ee2f03ff60c6c3dc093fd335898b30f576c2eef566ca58a

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
b71c5249d7eca65acfaf96468bceec20

SHA1
6cb8bc7c15bab491bf341de81070b5595ce53abd

SHA256
687097634561b6ffdf2830d206253c0b10e9db735a64a56a8158b4e8948a6957

SHA512
56d7bb3293954ab075fc1b8b6f7f5ee8b954e5651844c83efdf6cade828db343c28afa5dd07c67d26c1afcce1e3bcd5726359877f9de08e91243ca54d759cba8

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
96KB

MD5
2e46f1c8153085280b9b4b461b1e885a

SHA1
19495cfa91f7ab38c944448355223fa1554b9c80

SHA256
8eecfe851825d713324ec5371f932ddfd9c4f464fa899916d636a3bee7fdb7e7

SHA512
25a47881d10a33e037b6d406f94c1647b13136dda661210c9aecb0eab5de53bec915d56911734aa887ea56a9090a40df266a45a2f0eb8fe6d1d9dd6fb7012fe2

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
78996865a4158ad537e540275b8309d8

SHA1
9cdc457d55b28e8aaa95dc3b18e2d3541f2353a8

SHA256
29486bc244498d67f8a7f0bff13130b3b0a405b94a9fb238dd755d3b61786c4a

SHA512
dc83fc7c44efdfd546f804b223cbadc1a8b51c99ade6d4249fe52fcac578982a7fa2c3db3e7d32d71ace3382461bce4a9dde6519d5b10e7b02f485aee1173147

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
4d103762ed1ab50d130ea18b592777e3

SHA1
d08f893dc520962bdc55c891b2019e7755eb2f86

SHA256
39b645d957ad8ef5d3dee8ce6f0dfdd609b81eee87b790a9091ccecd4a698d66

SHA512
d0592c9c0bf4757814ae5941a5afdc821360e73182b1d03bfea9e8e1bf7a2c557da77df3aa03d3df15e53a0aa5b854bf1cc178786dd9476836923fa456e6fcc5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
347c958f887adfd1671209dfc6458f0f

SHA1
39fa9dc3abc39ad377bb744d0dae48a718d2eb17

SHA256
cf9e1b450999d51df6dce09782d3037d236de83f4bcd930f5912ec224398eeef

SHA512
b25d83b1712f1416710ea957dcc62782e40e3f39583ae2087776318deb028479ca16dc476e87b083fbdce6751cab4d7186eae9b9801cab4287de003bb62fee06

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
68d6e6bd81e74846e6a8f1a7df02e2e9

SHA1
c1516dd86055bfbd5605ae82982620e1373a06a2

SHA256
3fe22375510c83dadf1155b1987991e3c94c5dce9a332deaba6d4b3eda3dfd57

SHA512
7af8d4d2a338fb1695fd1f48faf54dbc3a4a68d03b5e8d879e165844d4722d9f4a1a2e83aa719fb6ba1e2ca6ffe98b9b4ea0cce6a3151563a926ff8a8e98b1c9

Download Submit
memory/112-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4516-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads