berbew | e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b

Analysis

max time kernel
93s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
Size

512KB
MD5

fc26fe5e0c353bc21b67fd6aa41525ba
SHA1

c4d6c054d855d02ceb7faa99f4a930506b980fa0
SHA256

e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b
SHA512

4e69bb7b051c5683031615807ccc3be6d7ba89b575077da61c67b6be98b168e668e6c1e9a6d4bab6ed80aa99b28cc1397c1077a382ef682dddf640107d76f8a7
SSDEEP

6144:pCldkq5UZP8VU5tTO/ENURQPTlyl48pArv8kEVS1aHr:EiUG5t1sI5yl48pArv8o4L

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 21 IoCs

pid	Process
3832	Cjinkg32.exe
3480	Cabfga32.exe
5032	Chmndlge.exe
4924	Ceqnmpfo.exe
3092	Cnicfe32.exe
468	Cdfkolkf.exe
3772	Cmnpgb32.exe
1056	Chcddk32.exe
3540	Cnnlaehj.exe
2652	Dhfajjoj.exe
3116	Dmcibama.exe
1624	Dhhnpjmh.exe
4144	Dmefhako.exe
4188	Ddonekbl.exe
4676	Daconoae.exe
4880	Dhmgki32.exe
3660	Dkkcge32.exe
2548	Dmjocp32.exe
1204	Deagdn32.exe
4108	Dgbdlf32.exe
2680	Dmllipeg.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2816	2680	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 3832	3672	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe	83
PID 3672 wrote to memory of 3832	3672	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe	83
PID 3672 wrote to memory of 3832	3672	e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe	83
PID 3832 wrote to memory of 3480	3832	Cjinkg32.exe	84
PID 3832 wrote to memory of 3480	3832	Cjinkg32.exe	84
PID 3832 wrote to memory of 3480	3832	Cjinkg32.exe	84
PID 3480 wrote to memory of 5032	3480	Cabfga32.exe	85
PID 3480 wrote to memory of 5032	3480	Cabfga32.exe	85
PID 3480 wrote to memory of 5032	3480	Cabfga32.exe	85
PID 5032 wrote to memory of 4924	5032	Chmndlge.exe	86
PID 5032 wrote to memory of 4924	5032	Chmndlge.exe	86
PID 5032 wrote to memory of 4924	5032	Chmndlge.exe	86
PID 4924 wrote to memory of 3092	4924	Ceqnmpfo.exe	87
PID 4924 wrote to memory of 3092	4924	Ceqnmpfo.exe	87
PID 4924 wrote to memory of 3092	4924	Ceqnmpfo.exe	87
PID 3092 wrote to memory of 468	3092	Cnicfe32.exe	88
PID 3092 wrote to memory of 468	3092	Cnicfe32.exe	88
PID 3092 wrote to memory of 468	3092	Cnicfe32.exe	88
PID 468 wrote to memory of 3772	468	Cdfkolkf.exe	89
PID 468 wrote to memory of 3772	468	Cdfkolkf.exe	89
PID 468 wrote to memory of 3772	468	Cdfkolkf.exe	89
PID 3772 wrote to memory of 1056	3772	Cmnpgb32.exe	90
PID 3772 wrote to memory of 1056	3772	Cmnpgb32.exe	90
PID 3772 wrote to memory of 1056	3772	Cmnpgb32.exe	90
PID 1056 wrote to memory of 3540	1056	Chcddk32.exe	91
PID 1056 wrote to memory of 3540	1056	Chcddk32.exe	91
PID 1056 wrote to memory of 3540	1056	Chcddk32.exe	91
PID 3540 wrote to memory of 2652	3540	Cnnlaehj.exe	92
PID 3540 wrote to memory of 2652	3540	Cnnlaehj.exe	92
PID 3540 wrote to memory of 2652	3540	Cnnlaehj.exe	92
PID 2652 wrote to memory of 3116	2652	Dhfajjoj.exe	93
PID 2652 wrote to memory of 3116	2652	Dhfajjoj.exe	93
PID 2652 wrote to memory of 3116	2652	Dhfajjoj.exe	93
PID 3116 wrote to memory of 1624	3116	Dmcibama.exe	94
PID 3116 wrote to memory of 1624	3116	Dmcibama.exe	94
PID 3116 wrote to memory of 1624	3116	Dmcibama.exe	94
PID 1624 wrote to memory of 4144	1624	Dhhnpjmh.exe	95
PID 1624 wrote to memory of 4144	1624	Dhhnpjmh.exe	95
PID 1624 wrote to memory of 4144	1624	Dhhnpjmh.exe	95
PID 4144 wrote to memory of 4188	4144	Dmefhako.exe	96
PID 4144 wrote to memory of 4188	4144	Dmefhako.exe	96
PID 4144 wrote to memory of 4188	4144	Dmefhako.exe	96
PID 4188 wrote to memory of 4676	4188	Ddonekbl.exe	97
PID 4188 wrote to memory of 4676	4188	Ddonekbl.exe	97
PID 4188 wrote to memory of 4676	4188	Ddonekbl.exe	97
PID 4676 wrote to memory of 4880	4676	Daconoae.exe	98
PID 4676 wrote to memory of 4880	4676	Daconoae.exe	98
PID 4676 wrote to memory of 4880	4676	Daconoae.exe	98
PID 4880 wrote to memory of 3660	4880	Dhmgki32.exe	99
PID 4880 wrote to memory of 3660	4880	Dhmgki32.exe	99
PID 4880 wrote to memory of 3660	4880	Dhmgki32.exe	99
PID 3660 wrote to memory of 2548	3660	Dkkcge32.exe	100
PID 3660 wrote to memory of 2548	3660	Dkkcge32.exe	100
PID 3660 wrote to memory of 2548	3660	Dkkcge32.exe	100
PID 2548 wrote to memory of 1204	2548	Dmjocp32.exe	101
PID 2548 wrote to memory of 1204	2548	Dmjocp32.exe	101
PID 2548 wrote to memory of 1204	2548	Dmjocp32.exe	101
PID 1204 wrote to memory of 4108	1204	Deagdn32.exe	102
PID 1204 wrote to memory of 4108	1204	Deagdn32.exe	102
PID 1204 wrote to memory of 4108	1204	Deagdn32.exe	102
PID 4108 wrote to memory of 2680	4108	Dgbdlf32.exe	103
PID 4108 wrote to memory of 2680	4108	Dgbdlf32.exe	103
PID 4108 wrote to memory of 2680	4108	Dgbdlf32.exe	103

C:\Users\Admin\AppData\Local\Temp\e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe
"C:\Users\Admin\AppData\Local\Temp\e9e8b4526195470ed8d47677f4f404c8b3fda8547115a5419203d82a18a1b32b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\SysWOW64\Cjinkg32.exe
  C:\Windows\system32\Cjinkg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\SysWOW64\Cabfga32.exe
    C:\Windows\system32\Cabfga32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Windows\SysWOW64\Chmndlge.exe
      C:\Windows\system32\Chmndlge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 396
        23⤵
        Program crash
        
        PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2680 -ip 2680
1⤵
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cabfga32.exe

Filesize
512KB

MD5
0af58c740f253242203b24a39d1c3010

SHA1
689d88c4a734cc9dc3584c5084c676c40433beb7

SHA256
7d470156bb852e943ea7c2a48d70b2ec6ab482d80803c176a0a230d2da0247a5

SHA512
13ef1ad08d95de61564bc08e12c4585a76521a47a39a7ddde4076859937198cc6e5b223ac25ed53aa489b94af5d6bc5e9f0b26fbfe6b38145cffd03b5342395d

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
512KB

MD5
9636fe683b7bcc656575e548601effdc

SHA1
87e26ab823f165eb4c233038fbce8e0570a7d7e0

SHA256
6b0354574e452997bcd3d09e9993108a49585723827d9b3d88172656e65aeb85

SHA512
9c1319f7bb7e92b87c7f5359de1f74a4c998216134d4484cb931d889c3a161118d85e628d7c63f641320bacc3cf66f7f7b1fcae0612b2bec204955a2e378d777

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
512KB

MD5
d50b61ff76119ad5b89ec4635638b69c

SHA1
b68094422372813fcbbf519a693ef4971ca8253d

SHA256
76444975d620502dcf6afd6f84949def2d3f3a4fb2daf3e363c7559ec6617374

SHA512
9d7917d4528e12ab2ad36f3291373866cc883a44851644f9507b3d7ff1b79954bfe09a179b66c439bd44d5a26799a29b69d4b28305bb143e968b508640bbe401

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
512KB

MD5
8ba0ac25e332dd9afe15f9680a0397b5

SHA1
8bf470c27c53de422d084a74e3c2b4fe77bd298a

SHA256
901d0063744073fae4a264fc674ccee3cada337aa112607a9fb81ee524212057

SHA512
e107253ae5bed77f4eea79061214dfc81e3ac30f151298e82178cf568c04d72c576415fc835d7eb8905bca194e4b1beb5c67c413433fbe8250afe449808a2746

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
512KB

MD5
e7f2b80c78cad9e6e2b6305ab38d875b

SHA1
6307f09d2d1fca4a61cbc8cc5aad90d2f6dd5193

SHA256
2a8b95e1e6e0c2abb3efcd147a709995ddd47cc5a952eb7894712f27520060d3

SHA512
d636e2ea74ebffa539a0a46ddc1798f556748786741fb51c260e31a294aec44df71246e083c2f3b99dbfa50e8437662139a5732e374b656aa0dda8d218d2ec96

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
512KB

MD5
89426e635ef6e3f859eb5d7f0054f42b

SHA1
1dd7fe1937d65a99ef822c458c1085e91a2cbaca

SHA256
3725d9b0a2897a5d92184b51db6206bee1477799547a9571b2cdcfe6044eea36

SHA512
9393375eac99254a5cb45c1bfd196c5b654b240a32f38d15025fea5df7fe4730953380a168a0c8adcb5cace54bbda785dd373d9b0fe2262acfc85bc73a04fc94

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
512KB

MD5
cea5f0723fd96dfd55f51dc3b6822317

SHA1
106676e42abdcccdbf52a7203b7d8a9763f8f52a

SHA256
5a3a892b1fb954e315253f88f3b1f310d90a3621b8c0571c1cd5a0f9601ef871

SHA512
8d1f2a4f3d7d35c2e48a3cd13f2ed4befc05ed446ac3f2b6768d26321ece574fee000c585466b8a254265dce46083b7fbc63e0df52f14c631b7b139f5ff4d737

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
512KB

MD5
eaffef5492534e01c1e9533e52dfe585

SHA1
8510c6ffb2449b7ca6d371562196e55139b1167d

SHA256
6d48a6e4b1694ed67d5def88f8be401719c4b00f3b32a6dcb888805a14b2fe9e

SHA512
256acb08b05a880f7c9f40ad40f4e8f8546d3d43b90596a3f30ed9a041415d5cc16286534a688786419ff907e8f2fcd203f16a05bcbf93d735b47bde07d7b73f

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
512KB

MD5
7a7a3819c53bb10566c74522b7ec240e

SHA1
15d814dee1097b7b05afb9a837fb7beba273fc8f

SHA256
393a1c2ea8ac612072e6f585e447e517eaf581565587f15b1f09b4a86e34dd2a

SHA512
3d5e843b60e6aff57c4b8a903a4e1725a0ad1e3b3565c341758f48b1ad77dc97e260dad21489a5a8482916aaa646d07cc1f0517c0b19c143a679fd1d21132a3b

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
512KB

MD5
f8f499872e07b81f8283f986a5a93230

SHA1
147c900f5de26140e2668cc083c48ff90cd7b666

SHA256
2c3db7a93a33b586bc4ad33ce254db93260fd76a8d039a017f65919bf0171bac

SHA512
006cce472cffcc773e74698c096529daf918d9adcbff19c42632c92ea87013d13ae78cf1efca146d5f03e636a70744845ca9f1dbea56bea2575ba50d10519273

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
512KB

MD5
bd648fb9850ef23e0af733a9edfc6d6e

SHA1
59f5d1c4b3637ce5216cc2db8f3d60482743350b

SHA256
3da61fbee62e1d4a3f859d9a61b74d1b9c2694bc667697fe0624730b1ba3f456

SHA512
1884cb02cda6cb5b14c6b9f93b24f852d057b015e2b19fa15e7433115a4e01fe434dfec0fc3ab2d87cce99d9e8e5195a24e62f61d29a6847201e942bef11db5d

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
512KB

MD5
4bb443a6804ed2d4a04a05367b925b0a

SHA1
c1bce00c6545a6ef8bd2684d4256dfa68ee7ea49

SHA256
2f43840d62124e06a1d6fb5266e4ae76d7952b39147df0168c7ec4ef49e055f9

SHA512
e27ab7aa8dbdf872b066f0e5f31bcdc01159e8ce6d6ecc5c0f581f65b3e8b22701fdb33861c1bf3498e479ef590f57d7adc53e926f6cb3bb86efed2e7909ada3

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
512KB

MD5
19d66788a15bdabda1f8957f9e1e5b1f

SHA1
0a81c58f528a6b049e2c96273eb3eb24da0f70dd

SHA256
11d5175b634225628effa467cba414196f5bebbec6f3b0b1c7d3d0666cee7ffb

SHA512
113566552019d9918e92cf0c488c4cfdaf4de537a273dfb4932cdb43d72c1dd8e7f50468d6b805ea1775b6bfb312530f79ee4330d37fceaed38c9cf92f430960

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
512KB

MD5
8f94d7d1665ed36da0f2426b660b9956

SHA1
45779f92962c6f3115379186ccb52df6c49ad9fd

SHA256
1f14257244edf238cb1217cabab674b2d050d31a14c62b2ee33492d4d5b472a5

SHA512
5449be8b20c2ee3b730081a8f6b48255ae8b79b8174d8daac19115e4f64e350cb63d4d18631265d4998d95b10c2a24a0051dda30e9f5224e81736d5e3c97d241

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
512KB

MD5
12f7a6d7fdf7a801f5ac45e120d791b5

SHA1
26da848878952de5176dd3ea79fd9602aff8a020

SHA256
cabbb1b7c2b54def432749486c3d9316ebcdfe8f3710343904b9685d5669a343

SHA512
efd42164d26e85f4386a1a5cf93c3ea4c19e140af7d718ea36206caf7639f7c78e989cc54c2e618abcf03140858e04e615914ff1d7e607cc1f153a79c5c292dc

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
512KB

MD5
097d0d49daf41033c62481631fd02c39

SHA1
59e2e921a1f3a86cc8469b821b68ee0de90d1809

SHA256
ce4cb386b89038331b972fc169fbac90872666deae1613e91d22b98e25f39885

SHA512
02f81a51858fe39206792baeda521f406b992dfcc48bb52859a9aa2884f6eb864f4aec7db74085464514a6be08cadfb2e35f04a1bf39c801a0578d07afb193a9

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
512KB

MD5
ac38fbce6620230b6336bf1918d29d30

SHA1
3ddd821705dc94243a4c6487b5de9aa0ae311c3d

SHA256
9945eafa5c6c97dcf1767a83ef76a2bf6b8b8ced0a98b05a370776a4e7e2ef0f

SHA512
fc52ddb10601031ff9f2d35af031383948ad31b145e0745a8892b7a35507e218efb132c9456487195357b6c9647e64679b8b7000b51a645d6803d128eb311ea2

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
512KB

MD5
39d3ecbb704f01a988166d77e69bbe8e

SHA1
909e100bae0462df4ee157bce106bfe1ac74cabc

SHA256
e1c8e7721362279d131d41ebc73381005d6d93cb21e879a0a2c7b1c37b710376

SHA512
52e1c8dac6a914b9a6d99c9740b7acdc1312f4c4093f4f97a0d9b094a186e2097acf72273ed9d833adce78c3bd1512c4257c07c1403df4d2d2940ce2e565e430

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
512KB

MD5
c90926d4ec1e825bce3d6a2f26976177

SHA1
5fdb78f43e5badda141459593d2223f124aa12d5

SHA256
287d0651f3fc2a8300cefa2f7a5ccc825918c692b55274a59e87f754ba3f8f8b

SHA512
df687bb9dc7b9142943d0ac0e7a3dae37d5c0a7ff7cfb2d44de06c3a64ae9e221647c5c076f193baab4d55f346e3eb861348dd9b5471e563ad3b60a18fcc7646

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
512KB

MD5
2f0bce29ea6cec07eda4eb33864bc089

SHA1
4e25b89a4be767e5534d7ba1a20395e79c350d46

SHA256
86a42bad9b35d3ebd5a96def05108e9c824baf9790343c3bf7cdd4ffd4cccc23

SHA512
76b243a11b3d204fc23aba930503ee42091d9e7a024e0527f17399fef73f9c0d32ea58694373ec004c3858910126a4d0a1ef3f35e6dfa613f59294c3a89d8f97

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
512KB

MD5
6ce26a487d494d1dbe0a90c652886348

SHA1
bf55ebe957bc2b01c76b4dc6580a52af38ff6360

SHA256
e8e78a591721d9a2f12b985724b24f644ad7d32b3f15113f0c79c8170ab2cc0e

SHA512
c630468f514c0c772793c21ed25b154f862f6398299fcfb1c133cd238168f75feef1922160f59517a05003a06ebf61dcf017eb1350ac75a85783993d40052f5c

Download Submit
memory/468-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/468-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-198-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3480-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3480-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3540-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3540-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3672-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3672-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3832-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3832-206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4144-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4144-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads