berbew | 4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043e

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 03:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe
Size

320KB
MD5

9adcd52acf41d6b19ffeba4c935dfc30
SHA1

80b2a1aa388ac7f9fc41526681b63c177bfa0f94
SHA256

4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043e
SHA512

6d383d0ed67ac430479f32d2e44df59af9f56ec02235f243e7293d2330c1d86a0e01bea3b39f5bfd94c48137a4b2832ba23ced395f578bd5845a0ab48c21f067
SSDEEP

6144:/AZj6nQ4DikkEGyZ6YugQdjGG1wsKm06D4:/gwDikRGyXu1jGG1ws54

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
1160	Bcoenmao.exe
3168	Cabfga32.exe
3916	Chmndlge.exe
3872	Cmiflbel.exe
1920	Cjmgfgdf.exe
1612	Cdfkolkf.exe
2744	Cjpckf32.exe
1004	Ceehho32.exe
3932	Cnnlaehj.exe
1624	Ddjejl32.exe
2444	Dmcibama.exe
2272	Dejacond.exe
2576	Dfknkg32.exe
1700	Delnin32.exe
5052	Dfnjafap.exe
5080	Dodbbdbb.exe
216	Dkkcge32.exe
4080	Dmjocp32.exe
1556	Dhocqigp.exe
4224	Dknpmdfc.exe
4476	Doilmc32.exe
1724	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe

Program crash 1 IoCs

pid	pid_target	Process
3848	1724	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 1160	3908	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe	82
PID 3908 wrote to memory of 1160	3908	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe	82
PID 3908 wrote to memory of 1160	3908	4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe	82
PID 1160 wrote to memory of 3168	1160	Bcoenmao.exe	83
PID 1160 wrote to memory of 3168	1160	Bcoenmao.exe	83
PID 1160 wrote to memory of 3168	1160	Bcoenmao.exe	83
PID 3168 wrote to memory of 3916	3168	Cabfga32.exe	84
PID 3168 wrote to memory of 3916	3168	Cabfga32.exe	84
PID 3168 wrote to memory of 3916	3168	Cabfga32.exe	84
PID 3916 wrote to memory of 3872	3916	Chmndlge.exe	85
PID 3916 wrote to memory of 3872	3916	Chmndlge.exe	85
PID 3916 wrote to memory of 3872	3916	Chmndlge.exe	85
PID 3872 wrote to memory of 1920	3872	Cmiflbel.exe	86
PID 3872 wrote to memory of 1920	3872	Cmiflbel.exe	86
PID 3872 wrote to memory of 1920	3872	Cmiflbel.exe	86
PID 1920 wrote to memory of 1612	1920	Cjmgfgdf.exe	87
PID 1920 wrote to memory of 1612	1920	Cjmgfgdf.exe	87
PID 1920 wrote to memory of 1612	1920	Cjmgfgdf.exe	87
PID 1612 wrote to memory of 2744	1612	Cdfkolkf.exe	88
PID 1612 wrote to memory of 2744	1612	Cdfkolkf.exe	88
PID 1612 wrote to memory of 2744	1612	Cdfkolkf.exe	88
PID 2744 wrote to memory of 1004	2744	Cjpckf32.exe	89
PID 2744 wrote to memory of 1004	2744	Cjpckf32.exe	89
PID 2744 wrote to memory of 1004	2744	Cjpckf32.exe	89
PID 1004 wrote to memory of 3932	1004	Ceehho32.exe	90
PID 1004 wrote to memory of 3932	1004	Ceehho32.exe	90
PID 1004 wrote to memory of 3932	1004	Ceehho32.exe	90
PID 3932 wrote to memory of 1624	3932	Cnnlaehj.exe	91
PID 3932 wrote to memory of 1624	3932	Cnnlaehj.exe	91
PID 3932 wrote to memory of 1624	3932	Cnnlaehj.exe	91
PID 1624 wrote to memory of 2444	1624	Ddjejl32.exe	92
PID 1624 wrote to memory of 2444	1624	Ddjejl32.exe	92
PID 1624 wrote to memory of 2444	1624	Ddjejl32.exe	92
PID 2444 wrote to memory of 2272	2444	Dmcibama.exe	93
PID 2444 wrote to memory of 2272	2444	Dmcibama.exe	93
PID 2444 wrote to memory of 2272	2444	Dmcibama.exe	93
PID 2272 wrote to memory of 2576	2272	Dejacond.exe	94
PID 2272 wrote to memory of 2576	2272	Dejacond.exe	94
PID 2272 wrote to memory of 2576	2272	Dejacond.exe	94
PID 2576 wrote to memory of 1700	2576	Dfknkg32.exe	95
PID 2576 wrote to memory of 1700	2576	Dfknkg32.exe	95
PID 2576 wrote to memory of 1700	2576	Dfknkg32.exe	95
PID 1700 wrote to memory of 5052	1700	Delnin32.exe	96
PID 1700 wrote to memory of 5052	1700	Delnin32.exe	96
PID 1700 wrote to memory of 5052	1700	Delnin32.exe	96
PID 5052 wrote to memory of 5080	5052	Dfnjafap.exe	97
PID 5052 wrote to memory of 5080	5052	Dfnjafap.exe	97
PID 5052 wrote to memory of 5080	5052	Dfnjafap.exe	97
PID 5080 wrote to memory of 216	5080	Dodbbdbb.exe	98
PID 5080 wrote to memory of 216	5080	Dodbbdbb.exe	98
PID 5080 wrote to memory of 216	5080	Dodbbdbb.exe	98
PID 216 wrote to memory of 4080	216	Dkkcge32.exe	99
PID 216 wrote to memory of 4080	216	Dkkcge32.exe	99
PID 216 wrote to memory of 4080	216	Dkkcge32.exe	99
PID 4080 wrote to memory of 1556	4080	Dmjocp32.exe	100
PID 4080 wrote to memory of 1556	4080	Dmjocp32.exe	100
PID 4080 wrote to memory of 1556	4080	Dmjocp32.exe	100
PID 1556 wrote to memory of 4224	1556	Dhocqigp.exe	101
PID 1556 wrote to memory of 4224	1556	Dhocqigp.exe	101
PID 1556 wrote to memory of 4224	1556	Dhocqigp.exe	101
PID 4224 wrote to memory of 4476	4224	Dknpmdfc.exe	102
PID 4224 wrote to memory of 4476	4224	Dknpmdfc.exe	102
PID 4224 wrote to memory of 4476	4224	Dknpmdfc.exe	102
PID 4476 wrote to memory of 1724	4476	Doilmc32.exe	103

C:\Users\Admin\AppData\Local\Temp\4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe
"C:\Users\Admin\AppData\Local\Temp\4f785ef1a8e87d30992971bddb90476b4fdd8cdc5b68cc392f07c355d8c1043eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\Bcoenmao.exe
  C:\Windows\system32\Bcoenmao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\Cabfga32.exe
    C:\Windows\system32\Cabfga32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\SysWOW64\Chmndlge.exe
      C:\Windows\system32\Chmndlge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3916
    - - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
      - C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 408
        24⤵
        Program crash
        
        PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1724 -ip 1724
1⤵
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
320KB

MD5
aa4332d510e112d1014a079c6e28ac0c

SHA1
ad6b4b84b8cb92568d9b946d98b6f0d176567194

SHA256
f495eeb0ba066f15be1a1648621124145c9db6bd63e112204fa97c8b2fb5e2ac

SHA512
b73b06d8fe6aeb64096fefe2477afa7da6e0467813395dda899b273bb31c5f36935ed6da8c1e054daf1d6de1e8c01a565dfe45a4c91aba908f6c2b4cc97f189d

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
320KB

MD5
d041e622cbc24da61cc96732086bfe36

SHA1
c004e61d78af156e585a4e9753b8bec2541c7d60

SHA256
79925cdd47a45ec620310d924a6f33674661703e54c3262ca41aae4ee22884ff

SHA512
10c12d9234419c091430c78e9835e3e46d34ef86526426dbca543b6207ca0db0ec52c61e21964dd3c678ede677bc3838626b99af3bc17f6e85a25c1efec009af

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
320KB

MD5
ea231c612dd464b3b936bc3476356a8d

SHA1
71069deb5549a98e9d665b908e4626ad1184caa3

SHA256
63de5129f67176206c4b1d28501a5f4619c34ec27926e9f14ccebd079b47a1a9

SHA512
9c61326a4e40006a8cbd8f023919e2e3bdf117f4a64a930acf3a6b59f1c95aab965577e6528d190d66666083a276ac6f75c0ed38a19711edb5cd5adbbc05c423

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
320KB

MD5
4fdeee03bb3f4a710bb0b5365d8322b7

SHA1
30aeacc8a1db8eea6a9affe9c39cf8b1fd77c31d

SHA256
4ee289c0b764b2327f4007ddfd57eea5505dc0f6501b33ef38b9a147e3f3e058

SHA512
15325d4980d2bf4de9eb096517baca74163473297b34406e17f21fb9725277b3b2551e89bcbc02495a858c898c199ce0cc59fba1fe7de03e5038641447a1e732

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
320KB

MD5
1e74280e06fd592ebc052bf886eb4e36

SHA1
6a8ce160aa8f4292c38912df3a184c2622cf3942

SHA256
74ef9e8556d1d3c91c1ae7032e23f2e10dfd86e375c205148a090f13dd363c9b

SHA512
68b8d035886ba904ca86c70976de4bdb700e19ddd3622b8b6c42839ff4a414967a98626c80cd02884486c2a65d1d093d49a7ac11a23f39ed080be4600a4bcc0a

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
320KB

MD5
7fd5deb46dddcbafdb45074a630f6f46

SHA1
02b77419dae697aac876f4841bcefd99bfaf8af1

SHA256
c48bc699d15b9ce993b417a6af534a7fd3bfe1f67b07b4e2439a9e22ebe8615c

SHA512
b16e063a1a31aaa2a59693c9a67c548ce0581355a231ffecf5b20a0a6aeb5c9075cd51568aff4b64c5750c7aa365f89ae048dabca8fba91e080111721fbacc4d

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
320KB

MD5
370b4d410bff11cfab29032da29666a8

SHA1
3ce3fc41c16e80964268fb6fd0e6ba5c654df99d

SHA256
7adfead1fe68f5123d7c53ed1ec4b0a966658a396ce1edefe90a423c282e6b77

SHA512
1de09b3caa0654d2bf47ffd0a7689a2c45877dc6513ee565de0fb8d8211f36f9af2db24d92d0f8694d7e4bd654fc188a12cceebd5e2931f60e48543d176444c9

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
320KB

MD5
63d663681a57074c85fcc77fabb1c19d

SHA1
5a009e27f794b72244472dc62fb20914ff831b86

SHA256
57105b72584424acedb4ab4f5f89af868c528cad62ec4e127ce714683e54cc42

SHA512
b797bd845dd889ac5859bbcf8216b94d683dfecbb8d2883820880aa3bc8a24e92900c8e819e6f0f46eefe3b196819c905f07d01c9ba38642129a9fc9d0b5c650

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
320KB

MD5
c5ca2fbf764db15448ab77f31f1d4a4e

SHA1
2be955b38fdf078c011b1053a13499964dff0f37

SHA256
40f5d37d6391c3c477f262036939acb3b9cc9db2517929e480b42a33abefb6e7

SHA512
74e86835e3effd9f38ff0569667f9ff91e070b62096a4a23b1e3e0762aa177894dc932a11531c1709f492397bc3d4423f2f3c8e0c1ad23442c6653dbc20a519c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
320KB

MD5
52f385f30cd8e866bc9d6a4268400131

SHA1
080326799d52f11e9db8ded912befccd4dc36ad1

SHA256
9c132965571af09d0bb5de43526120555d9360ffec889c4e462a8e699e8a0261

SHA512
71e5d7db64037ce13a3634a440d60c2b7a952a4758d68a24d36d250253e30838bdcf47c3e9c0722ecc8fd83fcee63765830727ab4f8365d3e70d03d96747ac70

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
320KB

MD5
59973bdc7f549be9a60811a8c7348e4a

SHA1
d621a5a86254e2a30f8a1b9c40956fd0aeb6f224

SHA256
6f42f2de3a52dbdf7ef13c2e23cf0411a99d6ea84f10c523b7b2a3f8285c38c2

SHA512
986d3954f63428463c3aec578438a4da4345100831e47df4a27454e97d6179be8945f4a1ce26e14db9a384bd9920cd8aed532fbae4e191768211d914bc02f43f

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
320KB

MD5
a95fea6686f057bc985380d86c5a46f5

SHA1
17c5a0a117db0fccad12b1e27304046a3517ec69

SHA256
81b4ae31c80d672918752448d8c6dfa48b102bbcb710f9ed57304bfa9b33f164

SHA512
ab2b3068ca7fe688fe170ddace4a5fdab83d9571a44fe8bcfb2325e1c849e46781a5b1d426235a0b8a1262e1f4a766ab6710edb8ba3728bde827917302a4625d

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
320KB

MD5
9afc2fb947cad9cf06d31ce51a3350fa

SHA1
9669a7d5ea92d9f857c08a0e95dfef154cb7d00f

SHA256
d9b14ad6466f8b8ef8388169854bcbb492fa1921b78b56bd7ef47d6736e17c76

SHA512
521b607390f2a6dff3719b7e2e496be493f5ca52520fee3b04ba75f50a7c54bf6925d91ebc54d60f34ca7007cc8108f81ff4c7519a75825894f20d354e0e32bc

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
320KB

MD5
0aea89cacf0bdc4d9367ab98e9a18b3b

SHA1
d316277a410b21fe85932f6a31d95211377ce2b9

SHA256
e23df2735d86b22b93def4f43d9b5c7e55dfc2d275927e5d6cff5d2ec3978cd1

SHA512
b94726bc722837329a9d3b5c132e3590de8a0e6c04d205e77e52ebe321a0ffd6a6462e0aa51612e4f07811708c6a6b286de12bf4112e9d8894a1cce70b645180

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
320KB

MD5
464033e4563ffaa58ad1dd7fb73fb34f

SHA1
31f9d59b681ae5524ad9143bacf6d5bb1a4b60c3

SHA256
317721172cb38c45abddae1add20d47b65a8be66933bc4845a0e87b2d83f0cb2

SHA512
50f57271dc81a78350ab0f3f00006e0a7501ff97a1969a4b634a3d19c1978bddda500106415dfcbe53287719ccdbb7d7bf9fc2dc91f03b18e189746fb34b2bac

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
320KB

MD5
4e142c96156bcca94c053500b70e597c

SHA1
dd241f99728c553892e4a4bbaf96d2594ec54b89

SHA256
377ca9ee2a165c9f8c5f87740c2b2eb17c9c98c0a5734a023ad9ba985e9fcd5d

SHA512
ea9ca223efb76374174de249166fad2dbd5cc29a5d107034fc7980ec44b777ebcaf7d8c4538affe4a914bc9be7333b6a11f85606578df6113e2122c489462325

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
320KB

MD5
8366ae5689d004587de9e313048b66e9

SHA1
ab8b61b10fe0d5a3eeb54f7d099bf0915247e49c

SHA256
feaec1aa971e8f8af07c63c4fe570f1734822f0ffd65c9034a9515c5148fa471

SHA512
5fc9c87da3b06a7b4a29192514ba534abf77194ccd40fde141171a94aaf7bbb3ec39000fbbe0db0badb9cd661ee3d2e89c31de27a38ef2072afcb080580d50f7

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
320KB

MD5
a83de52f2ebda20e645dfcd0cad72040

SHA1
a1d5d4d6558a35466c07003581092bd0261ce4a1

SHA256
0e42aecf558b95e880300f8a80f549b1265a988e29b6368ed1ce9dd602835714

SHA512
76299eeb4ede3e339447c7826cb28e6e936ade5ff110e9f060caa6c80eb0cce0f15ee4fab320999bb71047021b37968a73fa3f52c172776ff2906b90c7288dbe

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
320KB

MD5
d0b28e863f2a1702dc2ee94b2d16a4f7

SHA1
e2a3b13a4e266a448fc2ad8f4b324dd84a172f80

SHA256
f4f4598752e3322448e0ada4148029dd4fd830376e1ae7cfd0785c2869ef4a87

SHA512
b97a01f33432476cc20637afaeb01d7617e0ab85c613b08034a7555474c3858b1e90bfd81e7a519ad9d7605fda670edfa2f65b5fa63347510e3cb5661d5ceba8

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
320KB

MD5
db0ff368d1232b34220ea2b51a54b52a

SHA1
45dac1f48b33191f0d92c436c5411feae0cc1ecf

SHA256
1f968bb875e9ba1bfa6e7ceb7378d293ec1794c5a01fb001b62e4e7097455f93

SHA512
8c71e6f9df7bbbffb6b9ae5fdf69b52e959ff7d05b5f839c90ab7df13085e9ee98fb890a10f0973bbfd4787005f93fc8d366b04aa97cc0923a70de9c0a411a2f

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
320KB

MD5
a04483af28da6ac3d406dca9b78fd0c9

SHA1
7e6d046c79f3bcb801047109a8426d4af5ebc818

SHA256
37b37ba210b9f599d7b9f02ca4296279bb25b4c84ab4a826a2ca18d531e6e9b6

SHA512
19a9a939e70d00239ccb78276b3cc5a6552f53fc6bef8e17dfdf2be5754ba9a65cf4ee4e0060e8edb73e785f77868160bbb7ab4eaebb57597520fa850aebc638

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
320KB

MD5
8b1132ae82de16a847825da773825aa6

SHA1
1b7b3ba22ae9629e97bd89e80bd081ed16aa8cbb

SHA256
7322ad51ce4b8c9d0de32f20236c3147b7d782b049e0ec3259bdd19078945446

SHA512
eed0d0a9da543a96192369ece3d8a5db67be892b58a243f999b55e0248c45d17b2892258eac1af904c11eaf75d41a852162493cc2dfc934f146c1fbbff8b2255

Download Submit
C:\Windows\SysWOW64\Maickled.dll

Filesize
7KB

MD5
6abb442e0cd84c5079408169bc7fd5f3

SHA1
1418c8d9fd8956f77ed8b39897d6d1c4fef46e0b

SHA256
663e157e9689df8fe50e640d3a4e4f6d7c3d4b3378b43d7927ad19a6dcb0eb12

SHA512
66142fa0584438f8c17afe0058d645fd398feec7091c469f148e0ca0ea83017493bf2bda9454cd4cfca3e1d6bba4aa81ddfeb352e728f4c0a6c39eb5778580fd

Download Submit
memory/216-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads