berbew | 616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625af

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe
Size

207KB
MD5

9acc9d9655d33b989e01220309773d70
SHA1

272b7fd4e808ea7b1a634a991f9151d847802928
SHA256

616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625af
SHA512

ca829f7d5118ed2136fd1e5abc25c71bc2f8a4b329b0807eecc709205d27f04facaa9b4fe733ded96e47fa54bf06229e3f49f00a2f79e25cb46b8e7357008559
SSDEEP

3072:4270CK2pBRC1Z26L1VjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo2ASOvojoS:BZBRe1Vjj+VPj92d62ASOwj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
2044	Cndikf32.exe
4432	Cenahpha.exe
3724	Cdabcm32.exe
3816	Chmndlge.exe
3308	Cjkjpgfi.exe
1444	Cnicfe32.exe
2580	Cagobalc.exe
3712	Chagok32.exe
2500	Cmnpgb32.exe
4132	Ceehho32.exe
3128	Cnnlaehj.exe
712	Ddjejl32.exe
4796	Dopigd32.exe
2204	Dmcibama.exe
4340	Dejacond.exe
4984	Dobfld32.exe
3248	Daqbip32.exe
756	Dodbbdbb.exe
344	Deokon32.exe
1740	Dogogcpo.exe
1088	Deagdn32.exe
872	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4232	872	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2044	4804	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe	83
PID 4804 wrote to memory of 2044	4804	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe	83
PID 4804 wrote to memory of 2044	4804	616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe	83
PID 2044 wrote to memory of 4432	2044	Cndikf32.exe	84
PID 2044 wrote to memory of 4432	2044	Cndikf32.exe	84
PID 2044 wrote to memory of 4432	2044	Cndikf32.exe	84
PID 4432 wrote to memory of 3724	4432	Cenahpha.exe	85
PID 4432 wrote to memory of 3724	4432	Cenahpha.exe	85
PID 4432 wrote to memory of 3724	4432	Cenahpha.exe	85
PID 3724 wrote to memory of 3816	3724	Cdabcm32.exe	86
PID 3724 wrote to memory of 3816	3724	Cdabcm32.exe	86
PID 3724 wrote to memory of 3816	3724	Cdabcm32.exe	86
PID 3816 wrote to memory of 3308	3816	Chmndlge.exe	87
PID 3816 wrote to memory of 3308	3816	Chmndlge.exe	87
PID 3816 wrote to memory of 3308	3816	Chmndlge.exe	87
PID 3308 wrote to memory of 1444	3308	Cjkjpgfi.exe	88
PID 3308 wrote to memory of 1444	3308	Cjkjpgfi.exe	88
PID 3308 wrote to memory of 1444	3308	Cjkjpgfi.exe	88
PID 1444 wrote to memory of 2580	1444	Cnicfe32.exe	89
PID 1444 wrote to memory of 2580	1444	Cnicfe32.exe	89
PID 1444 wrote to memory of 2580	1444	Cnicfe32.exe	89
PID 2580 wrote to memory of 3712	2580	Cagobalc.exe	90
PID 2580 wrote to memory of 3712	2580	Cagobalc.exe	90
PID 2580 wrote to memory of 3712	2580	Cagobalc.exe	90
PID 3712 wrote to memory of 2500	3712	Chagok32.exe	91
PID 3712 wrote to memory of 2500	3712	Chagok32.exe	91
PID 3712 wrote to memory of 2500	3712	Chagok32.exe	91
PID 2500 wrote to memory of 4132	2500	Cmnpgb32.exe	92
PID 2500 wrote to memory of 4132	2500	Cmnpgb32.exe	92
PID 2500 wrote to memory of 4132	2500	Cmnpgb32.exe	92
PID 4132 wrote to memory of 3128	4132	Ceehho32.exe	93
PID 4132 wrote to memory of 3128	4132	Ceehho32.exe	93
PID 4132 wrote to memory of 3128	4132	Ceehho32.exe	93
PID 3128 wrote to memory of 712	3128	Cnnlaehj.exe	94
PID 3128 wrote to memory of 712	3128	Cnnlaehj.exe	94
PID 3128 wrote to memory of 712	3128	Cnnlaehj.exe	94
PID 712 wrote to memory of 4796	712	Ddjejl32.exe	95
PID 712 wrote to memory of 4796	712	Ddjejl32.exe	95
PID 712 wrote to memory of 4796	712	Ddjejl32.exe	95
PID 4796 wrote to memory of 2204	4796	Dopigd32.exe	96
PID 4796 wrote to memory of 2204	4796	Dopigd32.exe	96
PID 4796 wrote to memory of 2204	4796	Dopigd32.exe	96
PID 2204 wrote to memory of 4340	2204	Dmcibama.exe	97
PID 2204 wrote to memory of 4340	2204	Dmcibama.exe	97
PID 2204 wrote to memory of 4340	2204	Dmcibama.exe	97
PID 4340 wrote to memory of 4984	4340	Dejacond.exe	98
PID 4340 wrote to memory of 4984	4340	Dejacond.exe	98
PID 4340 wrote to memory of 4984	4340	Dejacond.exe	98
PID 4984 wrote to memory of 3248	4984	Dobfld32.exe	99
PID 4984 wrote to memory of 3248	4984	Dobfld32.exe	99
PID 4984 wrote to memory of 3248	4984	Dobfld32.exe	99
PID 3248 wrote to memory of 756	3248	Daqbip32.exe	100
PID 3248 wrote to memory of 756	3248	Daqbip32.exe	100
PID 3248 wrote to memory of 756	3248	Daqbip32.exe	100
PID 756 wrote to memory of 344	756	Dodbbdbb.exe	101
PID 756 wrote to memory of 344	756	Dodbbdbb.exe	101
PID 756 wrote to memory of 344	756	Dodbbdbb.exe	101
PID 344 wrote to memory of 1740	344	Deokon32.exe	102
PID 344 wrote to memory of 1740	344	Deokon32.exe	102
PID 344 wrote to memory of 1740	344	Deokon32.exe	102
PID 1740 wrote to memory of 1088	1740	Dogogcpo.exe	103
PID 1740 wrote to memory of 1088	1740	Dogogcpo.exe	103
PID 1740 wrote to memory of 1088	1740	Dogogcpo.exe	103
PID 1088 wrote to memory of 872	1088	Deagdn32.exe	104

C:\Users\Admin\AppData\Local\Temp\616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe
"C:\Users\Admin\AppData\Local\Temp\616766395aa9537d5cab721e0b22907270f92773762ad94b0a1eefb2df4625afN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\Cndikf32.exe
  C:\Windows\system32\Cndikf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\Cenahpha.exe
    C:\Windows\system32\Cenahpha.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\SysWOW64\Cdabcm32.exe
      C:\Windows\system32\Cdabcm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3724
    - - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
      - C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 408
        24⤵
        Program crash
        
        PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 872 -ip 872
1⤵
PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
207KB

MD5
08271caa6a6708e068e441507bc51e74

SHA1
3f1fbfe5ee2247d1d391787fc96b28a1373e1280

SHA256
a75e82bc909925d8fb07228e4d87ad23659491a29686036464d2e0bb73d174c8

SHA512
90c7ec41a6908be00515345c6ea586476428564771dae91616341ca80fde7ee2ee2e4061c550a4352fdad06149df2dc2f36ca7c5a8bd8574fb1eeb570d943762

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
207KB

MD5
3cfa4a45dcdaea296e4ab126566b33dd

SHA1
fc9fb7c802877b083e78e8bf9efa11886f87c456

SHA256
8e8c300a7c540155feef7e107733fc639754f6ba13b7cafa75c601465d711d7e

SHA512
9c9e931873cf1b0ccad62e0e6a4a87a7bbd0b7b66ae0f9c16a7fecf84347d7741d3b9f06473f961a64f11876015a06b59296971d9692532639dff0f6950bdb5c

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
207KB

MD5
2da9bed657358e12556f5268367c9123

SHA1
482647215302093a258df6428f4bb2933af7a563

SHA256
d1dad0b7c4c101459779afcb41bfc2ca7979d5b6ff1f7fe0b48047ce8cb0ea68

SHA512
49d4490a882b1903b08a7d65537d4947fb791112acc91d142f1a83d2854254aa4ebdc4089b88c9e4b866f4315e7de0399c53656d70d485283919d9bdf44863bb

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
207KB

MD5
fbd4f3aa243f3c47fb2394f655df1cbe

SHA1
6aff04fa89adc823abd748da9fdf6634f52863d1

SHA256
a325e31a48a705c43b51419f903aa9210ed50db0b57589e93f02a0a00a8edb94

SHA512
8db8c4474fef19a27b448ae98e9d926f3125a5ad9f28d54b9854ba4fda3a320d53277d76bfb276e67c8fc74575dc009ede1a7b31d56ddb96f8e3fd669f6fe7cf

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
207KB

MD5
f04aee4225a7397ac159e9370b80e874

SHA1
b663f8a24e97736ee9270512311e54fbab3c00c9

SHA256
1c50507433888b794c616eb31b17ec4373dd4cb66bed6aaa0ff120553586f154

SHA512
709ec6135ffbe544a7d48759b7a12f217e082180e67ea76af841cfca714de2c11cc326a417b4e5406d3072996844c0bbcf16e0e4d7cda3019bd95f59e5f4dd90

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
207KB

MD5
0eac3db81e466706daa54b8a139d519c

SHA1
8527755bed2f8412168031a7ce1c9bb837de7ddc

SHA256
eb362da8f4b83fbedfccdb1f3cbcc2978d0d23fe164c7e71bf46f3a57576518c

SHA512
34a2df7bb27c9de0bdf195d483a6850b771ac9867d2b370982f9692ff381c7065f94b5dbeeed3384203a4ea96b682f6844e77962ff2307ffcb05d67abba00df2

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
207KB

MD5
5e8293ab4ba5436da9f9bfc72bd6e3b0

SHA1
36608af2feb2dab65d4f9c661c881ebc4b74d935

SHA256
a62562968dfc480c993e1f8170fec1f8c113280f6adc3ebbed70196dc06475fb

SHA512
98e411f6049e6f6f3bc60d71744c6347a0259599140ee0e8d17498fa31af45d309f43f9f64f603d4b2d006709f2e058ff444339b5670a347cb92177db22d3ec5

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
207KB

MD5
bd7defa6374e7a9ee6529d79a3fe52bb

SHA1
00c129897336d228f9df04e8e88f6004cfbda4ad

SHA256
d841ab1f48b1a7511ff20fa4fcf1d107f01a6996d44c2f2536864b528549159e

SHA512
5dc45b5c1062ca2bd67968171dbc5321cb96816669df455a68371e19c72e0d76630dd1cb30f7b0985eeed03744e35c50f480de986c8341f2d3e4589d653c3799

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
207KB

MD5
5fc43cb9e90d2ed065fac93cf1b1f824

SHA1
8c033cf89a5bcf917a46ef445214ba076475b2f2

SHA256
2fb15d6de4886b33486bd154ded88cf90330a1bb7cce0eeb698b057353c699b0

SHA512
d6ed3d5f083c0a31cef564a46481b03f11bbe4168d9c8dd36076f775189887a9e53399117196fb22340b446042e385063b7168effa33588ea37c1adf88f966de

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
207KB

MD5
90dc1761d9aa308d93e8b97a9fa83253

SHA1
2d97cb7e769119224a51cee570e8cbfa5a7d4efb

SHA256
14bc338c2b392c162232fb0e25d400662cfff6f49088de4434e51a0297b32694

SHA512
5025558aed7d62ee227ff2dabc47fba814bd7decd5ee8435e0a888cb849a6b731bce69ecc4a4112a6423bc56dccfd6997084bc97fe9743ce62853681068915b1

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
207KB

MD5
e671fe2fffcb2c9ca959bc32d8b36137

SHA1
2aa1c3e67c193be7a41725e1c64780ffb0d55dd2

SHA256
437117def2895909402f3311abf4c3d4d60b392dbaacf78e6ae5c933bae20d69

SHA512
7de2d8e018ee9f59be526ff5bc8971575f0b5ba73157279ea8613c19bb8a9c942591a840e8c9532bb83baa7f7769e165d0b6ad3f8dbf44264c7ae1ccb279c898

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
207KB

MD5
45bca1d3ac2af15f3c9e35d8cd4a81b2

SHA1
6c4c2e987d8735a78eb8c5d02ea8648cdbace4d9

SHA256
0839751e2d3e35b0f9deb5249f743540874f9c7d0705c9cbc44feb611880786f

SHA512
09563b40b1cb94f4fa51e17a616021181bafa451d1fb9900a5dbdc5eee085dc866e4dcdbef2deb92ed7f25f64345c0aec7506414cd27b019d94dccb52f03e70a

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
207KB

MD5
90ffdaf141184c04839841d9cb030d72

SHA1
9ea9db3d63c163dc5ebb0ccdfedee09a3ac3d096

SHA256
db1351f2662ec2be0934b976fbfe1ac7b3251658ed950741473737aa8018fd5e

SHA512
1d11eea9c8e20fe594c794b5aa12f71c674da682f4a5d064f8833901b0cb4a5be3583d0aab4315cc05f2d24cf241444d9c6d513529384e3a138399806d7d99b3

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
207KB

MD5
5774b200a0914da011ce47094cf2dcb6

SHA1
bb97ec2bf94974d0ddbecaf6e9191dffc55aca89

SHA256
b0383b48ef9133921672c9c6a466d58dc42c4051f0aace47afab2971279c52ac

SHA512
7d50e9f3068d695e435cb08b711f7a4a7f68e03de6fefa835ca957d34e86de2ece39f2cae835ec7990ed07b97ff9e3b6c072df8b858c7145cefa668174b99342

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
207KB

MD5
d85182ddfb3591a9ca3584f68c4d7624

SHA1
7caaba3f2c67c639473bc6d22d734315f11a868a

SHA256
69bab4cab21bb346d41471dbd9f84419260b2bd2d269ac057e73f7a02ca3829a

SHA512
6c18b5bf10ae970d86500641fd705fe01312fc1e79cf3e7cd0dc92af8f97b4bd5be37e72928136fe916173b4d1284990c6e5b8184a696ef6382f21fe6184040c

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
207KB

MD5
5769cbe3d152965c5f56cc6ebbeae15c

SHA1
f328a2bce3a733e34065b0f052106b8f347f6410

SHA256
16884a7c2286a06b6eb6ab00bec13d149454586447e43692092ce0af949f8178

SHA512
0aa6f978140e017ac33ff9ed66139a78b8835a3915a867b10b0937c2d234707c16c449759f31e1f39beedbb70188e9eeaca336b65fa22529656a0786531a9276

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
207KB

MD5
2d6ca6782b8bcad6048e8f51fe5ea400

SHA1
2448a39987b48bb973f020e95773439aa645ca87

SHA256
a51ce13c395864bac87d8b7d5efc6fd28a3fcc7f70a2ed98e668e07e835f6206

SHA512
e1916055f9be0ec9a51eb3bfc169ece1c5a9865d186ce63f788510457174a99686924e7179860e86c5bbc4511a50514a76f851fb6b2378738538aaf044da8b8e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
207KB

MD5
547f0844fe25791bc6524626ad623775

SHA1
2b00da2f4ca63ff28eb16ebc6668e62e91b3aee7

SHA256
abd114db20f3d6bf6d5ffa182599c9fd7d1c1fa4008e7f6c237bb4e3563d3ffd

SHA512
79abf80a975c9845999b0aea22d30fa294942d66780b7c75b58674e7441f3549fdc15ae2034edc52677f706ca9df20bc1806dca862e24a363c8b8b00942140ab

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
207KB

MD5
8af5a9a45b16c5596c11f4050b009ce0

SHA1
254d661afcca7234b99248ca22738e7f113b57e7

SHA256
50754f062326e877d97bba9cd84cb5cc419b6ced1c26968e4dc47ffc781091ae

SHA512
a1329f802c2d5cc0d59354f5b022311b400303cb29d3ef426335fd907c23282b98b6b8a17b1634905de4738f0480cf684454d35e3cec0d41002e1b9b5c62eae9

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
207KB

MD5
18945ff82fc11efe1af0ca096c85fd2f

SHA1
09925fc2e33ee7ba83cf146173449c2ff46009e6

SHA256
bace93d4efb6eb4759c46f7ac1ee0110aeb1d701cd60ab2716536dbfc7f12236

SHA512
33237ed5b25ad211d204297cbf1bad1195bee1254437c0f046edd50dc0e5dbfe1109df8cce183bae076485bac6fb99bfac877bc59c3cfc9e136386da45c09ba4

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
207KB

MD5
c96f588b3fe077cbee3f6ec67693f3ce

SHA1
463ecd1e0f1b4f9d412f271ab1bb44bf47599191

SHA256
e420d9991e35083e73e08b2a005d27f2a1f9514cb6459dee39cd80c0f1e3b3e4

SHA512
8c081d9910bfa144c52f9817cfbe44cc2e46a76798cef181d1270ddba985b305a9a8876ee39e2a2a037507d97eb69a8f303b467f781659e79e9f3a6d1b6b84cf

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
207KB

MD5
58a3cc431e261ff9f35b5f4747b1eab0

SHA1
4232e41178587c7fd06fffca26b736ff2b6970e2

SHA256
2740011b12d0b00564ad8f601c206bfac40b63e1ba6bea2e53b82ebef101f52a

SHA512
0ef95dc4e9fb8cb497f2eea687540ae2f85dacc523be71612c292c34b20b3ec94d39095dbf2bc300c875c8a051b0e67c6b0303989f57e8f4eacd9c06dbc73842

Download Submit
C:\Windows\SysWOW64\Omocan32.dll

Filesize
7KB

MD5
6a663cee1185b6d6be32f63bbdaf0a99

SHA1
fe779fa201f28ce615679e33762c38d3a6aa75af

SHA256
61ae1e8bcdb82dee5fa5e516486b5f84dd9c0d2219f5c08e74641ace4ec582cc

SHA512
acde4ee9ca1ca4f29a5e24a6b7d2389f8efe9ab5cfd5ad24bae4d72c571a7b6409ca218182a4f04b8dcb89afb6a28054013aecadbb840e6c5289654525d47e7e

Download Submit
memory/344-151-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/344-184-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/712-197-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/712-96-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/756-222-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/756-143-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/872-180-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/872-175-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1088-179-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1088-167-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1444-209-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1444-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1740-183-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1740-159-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2044-219-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2044-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2204-193-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2204-112-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2500-71-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2500-203-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2580-207-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2580-55-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3128-199-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3128-87-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3248-136-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3248-187-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3308-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3308-211-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3712-205-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3712-63-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3724-215-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3724-28-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3816-213-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3816-36-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4132-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4132-201-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4340-191-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4340-119-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4432-217-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4432-16-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4796-104-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4796-195-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4804-221-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4804-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4984-189-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4984-127-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads