berbew | 451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252

Analysis

max time kernel
95s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
Size

89KB
MD5

eae64caa7782812fdc579cca22e78237
SHA1

78e26ef79cb3482c4a9502cf0375fa8836d3bd5c
SHA256

451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252
SHA512

fb2b5ef4ce8c0db023c4a33113464189f41cadf73f2313e20c8b1932df50b74b121c29776ea907cb8401139c9f9d52dc0cc4539284c88d5c6b07733dcba97b45
SSDEEP

1536:kEJccFEG44lc1gaOfhnrwbmsCIK282c8CPGCECa9bC7e3iaqWpOBMD:vNaUBwbmhD28Qxnd9GMHqW/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
4352	Bhhdil32.exe
3084	Belebq32.exe
4088	Cjinkg32.exe
1136	Cenahpha.exe
3032	Cjkjpgfi.exe
2724	Cdcoim32.exe
3616	Cnicfe32.exe
1660	Cdfkolkf.exe
2868	Cjpckf32.exe
452	Cdhhdlid.exe
4284	Cjbpaf32.exe
708	Ddjejl32.exe
4472	Dopigd32.exe
3088	Dhhnpjmh.exe
1844	Dmefhako.exe
4712	Dhkjej32.exe
1596	Dkifae32.exe
2096	Dmgbnq32.exe
1428	Deokon32.exe
4328	Ddakjkqi.exe
4892	Dddhpjof.exe
888	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4076	888	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 4352	692	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe	82
PID 692 wrote to memory of 4352	692	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe	82
PID 692 wrote to memory of 4352	692	451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe	82
PID 4352 wrote to memory of 3084	4352	Bhhdil32.exe	83
PID 4352 wrote to memory of 3084	4352	Bhhdil32.exe	83
PID 4352 wrote to memory of 3084	4352	Bhhdil32.exe	83
PID 3084 wrote to memory of 4088	3084	Belebq32.exe	84
PID 3084 wrote to memory of 4088	3084	Belebq32.exe	84
PID 3084 wrote to memory of 4088	3084	Belebq32.exe	84
PID 4088 wrote to memory of 1136	4088	Cjinkg32.exe	85
PID 4088 wrote to memory of 1136	4088	Cjinkg32.exe	85
PID 4088 wrote to memory of 1136	4088	Cjinkg32.exe	85
PID 1136 wrote to memory of 3032	1136	Cenahpha.exe	86
PID 1136 wrote to memory of 3032	1136	Cenahpha.exe	86
PID 1136 wrote to memory of 3032	1136	Cenahpha.exe	86
PID 3032 wrote to memory of 2724	3032	Cjkjpgfi.exe	87
PID 3032 wrote to memory of 2724	3032	Cjkjpgfi.exe	87
PID 3032 wrote to memory of 2724	3032	Cjkjpgfi.exe	87
PID 2724 wrote to memory of 3616	2724	Cdcoim32.exe	88
PID 2724 wrote to memory of 3616	2724	Cdcoim32.exe	88
PID 2724 wrote to memory of 3616	2724	Cdcoim32.exe	88
PID 3616 wrote to memory of 1660	3616	Cnicfe32.exe	89
PID 3616 wrote to memory of 1660	3616	Cnicfe32.exe	89
PID 3616 wrote to memory of 1660	3616	Cnicfe32.exe	89
PID 1660 wrote to memory of 2868	1660	Cdfkolkf.exe	90
PID 1660 wrote to memory of 2868	1660	Cdfkolkf.exe	90
PID 1660 wrote to memory of 2868	1660	Cdfkolkf.exe	90
PID 2868 wrote to memory of 452	2868	Cjpckf32.exe	91
PID 2868 wrote to memory of 452	2868	Cjpckf32.exe	91
PID 2868 wrote to memory of 452	2868	Cjpckf32.exe	91
PID 452 wrote to memory of 4284	452	Cdhhdlid.exe	92
PID 452 wrote to memory of 4284	452	Cdhhdlid.exe	92
PID 452 wrote to memory of 4284	452	Cdhhdlid.exe	92
PID 4284 wrote to memory of 708	4284	Cjbpaf32.exe	93
PID 4284 wrote to memory of 708	4284	Cjbpaf32.exe	93
PID 4284 wrote to memory of 708	4284	Cjbpaf32.exe	93
PID 708 wrote to memory of 4472	708	Ddjejl32.exe	94
PID 708 wrote to memory of 4472	708	Ddjejl32.exe	94
PID 708 wrote to memory of 4472	708	Ddjejl32.exe	94
PID 4472 wrote to memory of 3088	4472	Dopigd32.exe	95
PID 4472 wrote to memory of 3088	4472	Dopigd32.exe	95
PID 4472 wrote to memory of 3088	4472	Dopigd32.exe	95
PID 3088 wrote to memory of 1844	3088	Dhhnpjmh.exe	96
PID 3088 wrote to memory of 1844	3088	Dhhnpjmh.exe	96
PID 3088 wrote to memory of 1844	3088	Dhhnpjmh.exe	96
PID 1844 wrote to memory of 4712	1844	Dmefhako.exe	97
PID 1844 wrote to memory of 4712	1844	Dmefhako.exe	97
PID 1844 wrote to memory of 4712	1844	Dmefhako.exe	97
PID 4712 wrote to memory of 1596	4712	Dhkjej32.exe	98
PID 4712 wrote to memory of 1596	4712	Dhkjej32.exe	98
PID 4712 wrote to memory of 1596	4712	Dhkjej32.exe	98
PID 1596 wrote to memory of 2096	1596	Dkifae32.exe	99
PID 1596 wrote to memory of 2096	1596	Dkifae32.exe	99
PID 1596 wrote to memory of 2096	1596	Dkifae32.exe	99
PID 2096 wrote to memory of 1428	2096	Dmgbnq32.exe	100
PID 2096 wrote to memory of 1428	2096	Dmgbnq32.exe	100
PID 2096 wrote to memory of 1428	2096	Dmgbnq32.exe	100
PID 1428 wrote to memory of 4328	1428	Deokon32.exe	101
PID 1428 wrote to memory of 4328	1428	Deokon32.exe	101
PID 1428 wrote to memory of 4328	1428	Deokon32.exe	101
PID 4328 wrote to memory of 4892	4328	Ddakjkqi.exe	102
PID 4328 wrote to memory of 4892	4328	Ddakjkqi.exe	102
PID 4328 wrote to memory of 4892	4328	Ddakjkqi.exe	102
PID 4892 wrote to memory of 888	4892	Dddhpjof.exe	103

C:\Users\Admin\AppData\Local\Temp\451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe
"C:\Users\Admin\AppData\Local\Temp\451d969a685c2326e6b18ecf56dac77c3d2d3a226f331ae5f1f6cb46c01a9252.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\SysWOW64\Bhhdil32.exe
  C:\Windows\system32\Bhhdil32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\Belebq32.exe
    C:\Windows\system32\Belebq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\Cjinkg32.exe
      C:\Windows\system32\Cjinkg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4088
    - - C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
      - C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 404
        24⤵
        Program crash
        
        PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 888 -ip 888
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Belebq32.exe

Filesize
89KB

MD5
4e9fdf58ecf1a0ace70f94e3b3728c9a

SHA1
4807a5c7f5077f27eb9e2468b9bb4a2ff1d77abb

SHA256
7bdfcf8ad2917073cf26325dde98b54e08abb4e7078596eaefa2523e55ea7c10

SHA512
f72ac594dd51894e6b9177f40083169fdbe5bba635804e10782fef8eb78a350ddfbfed894a897e72300ed14f92ecddb1040b0da20816f059011f70c6e87bd8d5

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
89KB

MD5
a46ebca7ea8c40905ce14d3e801d3606

SHA1
5749afbe5bb04a16b2651e5b293dfb60fb6cb2cb

SHA256
7fb3973f3cbb7102eba92268c2c0819cf27f3609f5d9562d20d776c25d900a13

SHA512
7eeb926c487110312c53a91cf6bd229f832b796d274ba570a91889ec316568095170e80fd040fb32b2882ba77ec72b5af8c7aab0a26216ac91163975459a9778

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
89KB

MD5
39ba71cfcfb9fd0c91179c97dd76c23a

SHA1
b453eb21e30042ab3c563f938f2c633cc4889cbe

SHA256
076a6a97548bba134a4c0b9b9d7abfd83b51a2b8fe5c58d3d7ffd6b098d9ce96

SHA512
e0958acd2f407fe87da1fc1b5612844f5bbaa0274e100c87c0c83761c601c4fb626f3e2db827e4ac6fa4e190e7c6d72c217ae19e15a19a3b11df06573ac6222c

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
89KB

MD5
d876755da29cc7ecddfc94d9de1298f9

SHA1
1b6a53f724ad81f1d503282af31d53f38cdef0d5

SHA256
681e841a42faa5a326c97747097bf1807084c6ca2ee6568fc756978c22397724

SHA512
7983de56bd330a7a59e9201876606b479a17107e8ca244397c18a95c326c84f016b5cfefddea346e949cd8fb4a8f924b760b6882d6729d36d66601466e00b182

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
89KB

MD5
6b88fa8e8d79b9f67eb4cfe68049291d

SHA1
e4e498198de6460149b4f283f553bb895509a477

SHA256
4d26a8500e17e6f9f0d2167ec70678f6fd4056f1e6502ec086aaca1a6b4489fd

SHA512
135e7c0837cf7c370ff5690b20079a872d7dd722ff6a5b9a1a1152283171fa01df7873bb210e23163d089286a90f7b856bfddead2c148762a9c20b38d425c87c

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
89KB

MD5
925a971745a88307ea37d9d43fa5a229

SHA1
03c6f181399eddd107ce8a568f03bd7b46a4e29d

SHA256
53e6a443d28007cf7126262cd3357ba125f4ab284ae34f58961d038371b92e38

SHA512
6ed245fbdf848f1ec3337f27f774245b5d3e7229d3f56badc92914f3b4e742b976a06390f6e7affd45a35b32c480b6de2e07e7063a8995ab83e2864cf2242118

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
89KB

MD5
78f6409a0a2b77d2e37857094c2121d2

SHA1
9ae7f5278028627d4fc3d2c1a278f4cd294814a5

SHA256
257c680472d3be57a85376f3b932cd11aa08128757b4836249723305d5282edf

SHA512
23f486237e2f593d0c12c8ae788d9748791c72da0596cf2dfe90c3bcffce2b38499cd5d4d8f78388ed7e59436b900dd08d18951a719cf890a9f594ad827e81dc

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
89KB

MD5
8569d38065397ecfc430ea8d4c254e42

SHA1
bb7a045de4a1b0870f4787734d8e296872549ff8

SHA256
07af9feb8dc21765342917b112c0e31169560d130ed7c43b0a696f9af107a37b

SHA512
05451f4e240d52580f3705293ad95fa76d08d07bec50192e71aa1689e86c51e443876c1b71ba8e298c87abfb36223dfaf5ce2472f5d2b2311a9037ed01880fac

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
89KB

MD5
c4e4222f7b601f71866c229f478f82a3

SHA1
a60e398214af19f78b3cd1a7430ef74206cf4c4f

SHA256
3fbdcf6e1ce1d264b0c5f667560dd65c024dda89fe10223cdeeca4276a6742e3

SHA512
7da7bc307a6ac51bb6da8ac23f4835873b6f95ca55487ce976ad20696b3e65ba50fd14ef10767fc49a8ba2b6b5bbd872ba8eed16ca7167de78b6ee24ebbe4796

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
89KB

MD5
b2962df073036975e069dc01c20b2aef

SHA1
7f775cbdd887c5bf05ddc518d60b94e0c627da30

SHA256
b436693f1871d9321474dcdb880b2f043ba64bc75541a09e75ff42b8d6e1696f

SHA512
f11dec834458e69720e1c79802035a7b4bf9ca26206e3265c38c8cd8195dd9c998f2f627b41ffa841acf0140d2b6fd66d36ab5c32a51b230cd4c1df00ed13395

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
89KB

MD5
1cc14bc77c101a892ef09048b0b4ad3a

SHA1
acf92ec016496710924b0f87506b165918c4c9e5

SHA256
305670520964160c05af59a30bc5288b14f4e0855613e95160aaef809115cf8c

SHA512
0f4da689bd573af2e317982a48aa6663e0ee3bc5b5a1b517921ea9b478b6b986c7412fd69ad21f3cb5fc4a0b33fdcf20a520791f8e22c059a4aef8d4d6e03dd9

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
89KB

MD5
112fdb1c62e3efcb5926ea3c9dc97405

SHA1
d385af1110361f2309951be6381bb0ae8420dd58

SHA256
c7bfe08a31b367c7a0f60a22162d1289ef9e4cc5d9ab790f77facbf49cb90123

SHA512
d2b894714c94efc14eb107975f27f4286eb3f767f6b544a071acd66ef3a4593ac1c7c5a784835dee2b848ff67761224f06f47c2fe466149bd9ac4302c9702c55

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
89KB

MD5
4b835cbeda3c19a2a80a4aa5afce4751

SHA1
8111d7cb86f33d648adffb6ae29e00a18e3c7188

SHA256
55a03c2a132775e7a969e43b096b2fa156d8be7186e9a4a404d57e486d7ef203

SHA512
3ce9f65564d80a3ad55d64e5b69911e1df3b65a9046027081c80cd469db89c66380b32724e021594b474dd5290d2aee8019d35aa41882fc14e3023c609d32360

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
89KB

MD5
6f186d19f6103c11ed068b24366903f9

SHA1
f49cc1c34b3e676d9f05f4c2ab13a3349a731d2d

SHA256
aef111faa6b3272c23267ff1d6b8597eb3551f77bd3367205fcd38c0e58233dd

SHA512
c2a4467518ef0cd19cde33f5eca93d90d7f417ddd84c71b1d850ce0d8581b34874016e57c2a1cf329e868bfcb093cf1b947b09f00f6e531602a379e41d49e722

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
89KB

MD5
7987fe64c1b91049d75131888e12ad32

SHA1
dd5cad7a66f75967841b2fe04c3a054d9c0890f7

SHA256
7e232a363b4c09428d1cbd8d505423048493b262c6932b04a7b59cf0f2e45e8a

SHA512
0623b18cca799f03e7a685ee1f6610f06c6e09208937505ed568e20bc1330fbab20af6def12db2430b811e158a4f4b0f3520dfec08b1363b19c3962d495149ce

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
89KB

MD5
e3b09e60d73f32bb08b9218a0359932b

SHA1
00312b2a9082e6fd3e64a4ac11f1b959def8f8ea

SHA256
fcd4386518bb26da56d0604c508313c618116dc0f1341cb7f2d906fdad3fe868

SHA512
40ff9ade9805eb04a39fa0f5e7cd0300bf6cbc85b1ce03d9dec63b728c790be96d9b4b8695366c5e6a5f08a4f85dc9971fc6a911c6621b03f0858a541c15ad83

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
89KB

MD5
51b36f8218b1a8e499ee44709ed7eaa8

SHA1
4cfe214a647980dd559272b765d814fe0ad1a9c0

SHA256
c4a1f9b5851fcc907ea019d964452a257da914f77e498fec293c602179135d7c

SHA512
130e0d5f757ef21719e939abdd23b143ccaa458a8078bd858ef5b4d319d28937e48d481826258a06d1b0f6a299b4c387381b9bec122ef8f6a915a3fa5a131277

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
89KB

MD5
0f6d4278338fa5817cd23fe99bd867a3

SHA1
20330f78ab89a02bb8fe4e49e268224789ef0ff6

SHA256
5b7994a2ba8b6e95465bc13107b54455181982c541071f138a303b426d502f14

SHA512
5ace10d33c258b2480cba9f6238757eaa202040c2d332f77994f32d20fd90d83011e0fea27b322f4d39bffca8dcfa8312039bf120c5908dd2ad8973acfa301e7

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
89KB

MD5
6146dd0e91b1360cfcdec078811fab6e

SHA1
dd4081a828d2e12d1396ea5b69005638e062968e

SHA256
4ac5bc673060cf1795c6474bd6237536da5281fa9b5421b4835655ab7808890c

SHA512
13512601a8210de715b2f33cf461e39051a0247e02804c94afc2b979ab35510485ed00537bb15e806608caf99141b6e4fac39d65ba90accae57ea833bf5fb465

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
89KB

MD5
1885ab4898f8e2a6ac2392a677709786

SHA1
ffcb9c7360592845ae9ceca7a89f5ef6830aee86

SHA256
e2cc7122192f936912a38c464baa20c22f9a28067062b9caec66946efbab4710

SHA512
2584a27a4fb7b41eca3b211275848ff61cbf5f62dc800a968ec8a3d59f287113b9ca2b8584c4ced6a386f37f3cea6d941af3589eda288089c187d8c46d5b75ee

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
89KB

MD5
caa663be9ba99bbe2ede4c42b5365b4d

SHA1
d098c8f1e07ed4cf72687dfe6a46e7746135d963

SHA256
317225880b451798f2489381c665e93e08e2faa0e8eb6ee4fea8a0810eb807c2

SHA512
cc97cecaf727d87affaf4c32c722ba1a277c9ccdec97b4b1e6f47c840e0dc1ebde4059ba80e66c5f3cbd00d2ea54ccbdf30eab9c5898f686a16c2d853108cb7e

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
89KB

MD5
0597493e7db665b5f606568971e608a6

SHA1
7d36cf7d26e71ff600c6003314a2608ddb7b7213

SHA256
a18316d326f8ea5dc2fffd69bd034e1bbb841c31928834577be898f672da954d

SHA512
dbc49e68773e2e79038b7443740ff5dc53e62ea05121433f80b4661362fce01a13bd4712bd5afe103ca40bd54f4859ad8ca049ada8d290faa8572ea0ffb58ce4

Download Submit
memory/452-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/692-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/692-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/692-196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/708-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/708-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1136-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1136-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1428-158-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-141-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1660-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1660-195-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3084-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3084-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3088-182-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3088-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3616-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3616-188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4088-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4088-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-180-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4352-194-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4352-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4472-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4472-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads