berbew | 58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290ac

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
Size

302KB
MD5

92ab894291630a2541415dc94da581a0
SHA1

0dc6974c5bd30a1f4780df54b0251aafbe362918
SHA256

58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290ac
SHA512

47f2143a4cb766ba796e1d639ec90a361db44c7dbdc21fadd18076a2786e7a28c9c42e237e0196be12304f8cd18f768b2cbbce684562ccc55ceb13ae9bf3ae43
SSDEEP

6144:c4/OuMM3FF7fPtcsw6UJZqktbOUqCTGepXgbWHB:7WuD3FF7fFcsw6UJZqktbDqCTGepXgbo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 23 IoCs

pid	Process
3044	Bmbplc32.exe
2476	Bclhhnca.exe
1616	Belebq32.exe
2584	Bcoenmao.exe
1948	Cdabcm32.exe
4828	Ceqnmpfo.exe
2000	Cnicfe32.exe
3612	Chagok32.exe
2580	Ceehho32.exe
4916	Cmqmma32.exe
2556	Dhfajjoj.exe
5032	Dmcibama.exe
1148	Dobfld32.exe
1612	Ddonekbl.exe
4248	Dfnjafap.exe
4768	Dmgbnq32.exe
1008	Daconoae.exe
3472	Dfpgffpm.exe
3244	Deagdn32.exe
3344	Dddhpjof.exe
1736	Dgbdlf32.exe
3920	Doilmc32.exe
2088	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1448	2088	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 3044	3876	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe	83
PID 3876 wrote to memory of 3044	3876	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe	83
PID 3876 wrote to memory of 3044	3876	58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe	83
PID 3044 wrote to memory of 2476	3044	Bmbplc32.exe	84
PID 3044 wrote to memory of 2476	3044	Bmbplc32.exe	84
PID 3044 wrote to memory of 2476	3044	Bmbplc32.exe	84
PID 2476 wrote to memory of 1616	2476	Bclhhnca.exe	85
PID 2476 wrote to memory of 1616	2476	Bclhhnca.exe	85
PID 2476 wrote to memory of 1616	2476	Bclhhnca.exe	85
PID 1616 wrote to memory of 2584	1616	Belebq32.exe	86
PID 1616 wrote to memory of 2584	1616	Belebq32.exe	86
PID 1616 wrote to memory of 2584	1616	Belebq32.exe	86
PID 2584 wrote to memory of 1948	2584	Bcoenmao.exe	87
PID 2584 wrote to memory of 1948	2584	Bcoenmao.exe	87
PID 2584 wrote to memory of 1948	2584	Bcoenmao.exe	87
PID 1948 wrote to memory of 4828	1948	Cdabcm32.exe	88
PID 1948 wrote to memory of 4828	1948	Cdabcm32.exe	88
PID 1948 wrote to memory of 4828	1948	Cdabcm32.exe	88
PID 4828 wrote to memory of 2000	4828	Ceqnmpfo.exe	89
PID 4828 wrote to memory of 2000	4828	Ceqnmpfo.exe	89
PID 4828 wrote to memory of 2000	4828	Ceqnmpfo.exe	89
PID 2000 wrote to memory of 3612	2000	Cnicfe32.exe	90
PID 2000 wrote to memory of 3612	2000	Cnicfe32.exe	90
PID 2000 wrote to memory of 3612	2000	Cnicfe32.exe	90
PID 3612 wrote to memory of 2580	3612	Chagok32.exe	91
PID 3612 wrote to memory of 2580	3612	Chagok32.exe	91
PID 3612 wrote to memory of 2580	3612	Chagok32.exe	91
PID 2580 wrote to memory of 4916	2580	Ceehho32.exe	92
PID 2580 wrote to memory of 4916	2580	Ceehho32.exe	92
PID 2580 wrote to memory of 4916	2580	Ceehho32.exe	92
PID 4916 wrote to memory of 2556	4916	Cmqmma32.exe	93
PID 4916 wrote to memory of 2556	4916	Cmqmma32.exe	93
PID 4916 wrote to memory of 2556	4916	Cmqmma32.exe	93
PID 2556 wrote to memory of 5032	2556	Dhfajjoj.exe	94
PID 2556 wrote to memory of 5032	2556	Dhfajjoj.exe	94
PID 2556 wrote to memory of 5032	2556	Dhfajjoj.exe	94
PID 5032 wrote to memory of 1148	5032	Dmcibama.exe	95
PID 5032 wrote to memory of 1148	5032	Dmcibama.exe	95
PID 5032 wrote to memory of 1148	5032	Dmcibama.exe	95
PID 1148 wrote to memory of 1612	1148	Dobfld32.exe	96
PID 1148 wrote to memory of 1612	1148	Dobfld32.exe	96
PID 1148 wrote to memory of 1612	1148	Dobfld32.exe	96
PID 1612 wrote to memory of 4248	1612	Ddonekbl.exe	97
PID 1612 wrote to memory of 4248	1612	Ddonekbl.exe	97
PID 1612 wrote to memory of 4248	1612	Ddonekbl.exe	97
PID 4248 wrote to memory of 4768	4248	Dfnjafap.exe	98
PID 4248 wrote to memory of 4768	4248	Dfnjafap.exe	98
PID 4248 wrote to memory of 4768	4248	Dfnjafap.exe	98
PID 4768 wrote to memory of 1008	4768	Dmgbnq32.exe	99
PID 4768 wrote to memory of 1008	4768	Dmgbnq32.exe	99
PID 4768 wrote to memory of 1008	4768	Dmgbnq32.exe	99
PID 1008 wrote to memory of 3472	1008	Daconoae.exe	100
PID 1008 wrote to memory of 3472	1008	Daconoae.exe	100
PID 1008 wrote to memory of 3472	1008	Daconoae.exe	100
PID 3472 wrote to memory of 3244	3472	Dfpgffpm.exe	101
PID 3472 wrote to memory of 3244	3472	Dfpgffpm.exe	101
PID 3472 wrote to memory of 3244	3472	Dfpgffpm.exe	101
PID 3244 wrote to memory of 3344	3244	Deagdn32.exe	102
PID 3244 wrote to memory of 3344	3244	Deagdn32.exe	102
PID 3244 wrote to memory of 3344	3244	Deagdn32.exe	102
PID 3344 wrote to memory of 1736	3344	Dddhpjof.exe	103
PID 3344 wrote to memory of 1736	3344	Dddhpjof.exe	103
PID 3344 wrote to memory of 1736	3344	Dddhpjof.exe	103
PID 1736 wrote to memory of 3920	1736	Dgbdlf32.exe	104

C:\Users\Admin\AppData\Local\Temp\58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe
"C:\Users\Admin\AppData\Local\Temp\58f7a226661ef1e4b36ebd7d3c6902ab51e741b95928af70df18f9c442a290acN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\SysWOW64\Bmbplc32.exe
  C:\Windows\system32\Bmbplc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\Bclhhnca.exe
    C:\Windows\system32\Bclhhnca.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\Belebq32.exe
      C:\Windows\system32\Belebq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 408
        25⤵
        Program crash
        
        PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2088 -ip 2088
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
302KB

MD5
08d13262d4d369b15e3ebd88ddf2f23b

SHA1
7ab32122ed4497cd6fcbe94abad1563a39eb658c

SHA256
a80e99aa5ad3a754820b486bdff5551ceb80d08db77259cf496901ed43437a28

SHA512
6d2ce73b66595613e3e2984bedef4a529dd71ac2bada433a8d4ab8fb2b04730c2eb1eda8d4c45aed71ee212b2f110ae8ba2257acc2c03ac72585eedf4efb17d0

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
302KB

MD5
ee34c6af949a6914eaa41e7d0c89b619

SHA1
99cc2795057113889c12d10ddcbbb7a51ee1e3f4

SHA256
25932abefe4bd2c45bac1591a011645e476be7a84ffec6f4206d7a6a3e002451

SHA512
6ccfa4d9ff102dafecf871889a63493faefb10eb7f4632fe4aaf2be27aa32ce33e03c85a1cecca91c8b3a45b9266327e79a8e27aed49a6c558644540fe93eed5

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
302KB

MD5
75f671cebcc870b1bdda75b021d74f83

SHA1
68446b18791d4757b090daeed7ed51962c1308a9

SHA256
f75f3432e8379a4a1eebf97e3d7f8b5b3123e21e09fdfc5dfe3ff294fcd12524

SHA512
48c735ba4f6c91578d326d4d8cdd62250d9961577594e5f0cfaf68c84385475877af6e6585a194250d5b3ac2e85597100e39811375fc8bfc81961484bb717546

Download Submit
C:\Windows\SysWOW64\Bhicommo.dll

Filesize
7KB

MD5
86524d4ffbb55056edc941a3111c917c

SHA1
9ac349406a05216a4a39e11b6e6e12292dd858e0

SHA256
e08c723ce7c65ad651c6cd5ab513be1e2013e7dcfdd2caf1c98a347ab26b5bb7

SHA512
c7ccb193f3bdb834b99c6ed07f8182bdb61a868027b96859f87771ab30d85cf33d06b9c5924cafd96e3ac9d0113898d0986ee1c98460f472e3a08c5a5de18390

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
302KB

MD5
aa407a87acb7449e21bc31d9b5a6096e

SHA1
344601bc02da57360c4c69dc8e76a0ea323a00bb

SHA256
85033ec4078223e30a4d94dabfbf4af1d33ca8be04b420acdd4adf6ebcb64dc0

SHA512
b80c82b47f5dc50461e6f8f98fcd5ecef9c5af26b1459afc0d5ce3bd0b659dab47f872e9bd351fe49730488b6509f0c297330a4c1fc08ddc6a57d92336bd6af5

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
302KB

MD5
4ee667ef6a6e08383b48428e98f3c5b0

SHA1
aca37ef20e8373cbdfc877a4df27f24f7944f614

SHA256
5ea731c31d82e0ce1f0de040b99aac60c9aa115e28a61febf39eaddd2085992f

SHA512
8d1a7115b6a9024d5f4482553878e82fc36a3092372bc7aa5357964d6914ffc10ebcf35e0671777cbdcf673d7e841d63815df333745eeb7557004cd1aa3b4b19

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
302KB

MD5
79f354273f506e42225c605e19512133

SHA1
1776888e4130ddcf30f37aae98dc7dc4302172b1

SHA256
796039a671e5dcac171545b92934ced83246a359c6585d77151b51cca63db3af

SHA512
9b82eaf622e3054be98e94607f45cab44f19f49457442268bcb17729b16e0383c408c72d7c68ee06627ad213be579f5df3029f470022d9d940b22142e4d9170a

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
302KB

MD5
9ed8bf49893b595e3232eb3443ca4821

SHA1
193d39da8de0af03661e3e3d002a65c7a7b80233

SHA256
2d990a916f2b841c715b892842d69528d57891fd428868cce05e98d347a75d45

SHA512
e00f22e7f21774f403391478af4e1258632473a6b83b75022a2785a58dbe6bbc1779839bf60b68fccc5e8d6ca57f5b99a3cb8b79b3e4df51af8102ecc75262b4

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
302KB

MD5
fdbd630da53db3a1d4f990ca2a69c5b6

SHA1
9f8fa00da71a213bd7f7b093f9e4fb3ca41d8b0e

SHA256
12b155786d68409a10c6b1ec2640164dfabf59a91dee12d59bc00472ad16ca87

SHA512
4097ce86b7bbfee268111b1102fb665af8af16770241a26d6dc49db7ebd92117e4f927bd6b41824aaa507d4cf9701a08ecc16f7132626c73c64ba5a717b6c60f

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
302KB

MD5
2deed0dcd1ebca0d36e346496d645936

SHA1
39eaa9dc5ee441acdca6e60cecec6c6aeaa3dc76

SHA256
b4af04d2cafcf8f1f6a48dca3d5481f1478e2cd8aac626608d77028cbaccc22e

SHA512
abcaf7a8dbca62ddaae437fcf9414e4eb07429d23b300bbc18913251a380bae97503174d9cd487bbda8f31b7e1087d90ef7e67d600b1d409b476a30404074339

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
302KB

MD5
32db1319e4edac4f3926ff53a00fa734

SHA1
71badddc5859652640689e7052dbe8990f5ddf71

SHA256
caff4f56b66b4a759ad05a15c2815e2344fa70577325c09883d80a02999c1892

SHA512
2ee2cb6911de7d4c8ba2f3ed915806f92f8a45d96e34414e15de4e1392349537a41a7069507fd875f91a7cf6ca6f5242f812bed2f7d5d7d95186b016761edbc6

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
302KB

MD5
094b9795938d02af7110e322ce1882b3

SHA1
8ed7bb4020039e074be19f88c7985a3bbb21b16e

SHA256
7375f881d319f1945f463f170e748fad6d7366d5fb35bd54a59eb019fe4fe8b2

SHA512
024aa036f94b41996773343ab3f5db4aeb02ab3de86ec78cbd514c3e4e8c1bf33942f19c82c5f93d4a8a27b4dfd58955b4c8513f8a1a78ad8cec014084ba3944

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
302KB

MD5
ac8cc997f2fcce45d5fcb237c3a3a59e

SHA1
eee9343910dc37c5f9e69d8c3337746df565e0c4

SHA256
b6fcc9df3658bec432cb41dd7f6d69801a4ed14056fe1a77a73896b3e8103dea

SHA512
c694badadb1fd2cb49c00ae6ff98b438a9223b3af2ec64ed2a044365685686c6ae1707440eef2c151217e81e8d0e665bbd27b46d8b911c61db5eee09ee9d85e7

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
302KB

MD5
516072e93cebf70401553a4360e34207

SHA1
366038331d46a38e6f58ee9f43a6bb3025a53584

SHA256
7d361a231e2cb5adeede867e842a157efde6c46d779e131be7de66a179eef08b

SHA512
f93c7dc6a760aa25d7ff9ae98eecfd8f54908d569d63da4bb54e2a6e2415f701871d640e5d1437b9ef43739638fffb085a1cbcdce1cc2de0727ba3b0dff0133b

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
302KB

MD5
a7d0c5ac01cc0f636c54d0804b43e7e8

SHA1
bc85aa3fcd40720f817f45aad1a8a7166672e59c

SHA256
541f3d00cf4f31a2752d4c22587c1b07d14f7474b29712666a65d2e20650d750

SHA512
1cf2c16b3371100c1e746683904e44127e8fd92dd044a6e39133e2b7847d5e42ae5977bbbebbd97c36361f33cd7c74dec42374770d609c3b87edbf6b9651428c

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
302KB

MD5
d12359d411a9153ddf67464303e0725b

SHA1
5eaeca6ed957f2854e87dcefe81234e89ea16e20

SHA256
96ae8de5aa6ec3ba18fc7ddaca759e4a0f75ea83a6ef88e9093c505e8605f058

SHA512
c69ff31627d33220f04370ff88792902d849c21b6d1ee50c913cf0271c33aee8cfda53d6b006fa15e5912822f0adbceb9580e03b50a7815f9fd0c5c7f27ef606

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
302KB

MD5
eb39527bbcae570ae51b2a3f9dc8d89a

SHA1
64281dc871efa5897215d426ed37a7bc2a5f9410

SHA256
e52453a0e055c612079b72d8ca851668b741c9c3312a55976550fb6c74a694f7

SHA512
166d6c549e2459edf2d74a5c3494eab2c7aac82fb39da592a501788ce21dc8cf6142d32285b427ad95224b2362e3178e7a58ad747dec2b57ecf6562e5645e46c

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
302KB

MD5
0372d6bc0203b3c408d632cdc29afa70

SHA1
96fbf4fae9b1af7e206a8dc7e65af28eb948941f

SHA256
0866916325ed4677e7fa98a64c199a38d0cdfbc3ba3acf5f672353d476b97e82

SHA512
e5b78528204d3fdaf5fbd796876680aa29631b64ee25b36ae63e350365a96a71fc3a31e085438b3b41db3f683439fb97ca725f4c1bdffba13a9a7d8e0ab39c14

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
302KB

MD5
8ffddfb95bda6ab302256165cc2e3a3a

SHA1
904e86cc3a2a650a29d4476e71b7d32cee49b39d

SHA256
7eedc7a933aeb9e6e0e895c94587091f68a687c98145814392c20f2c1ebb394b

SHA512
674f5f0cc8f315e0d9888cb0f5333e3bcb66764bb025027a13af96d5ce7a69d759ed2248843fb737656dd5c0686cfb132355e0456cb12b75066208e48c517171

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
302KB

MD5
b4aaa2767e4520e7b46bfa79848e4615

SHA1
52f29292f19abf925043567d0063cb3047113acd

SHA256
d08e7c86038695ae6f3ec5cbeb4ae0f470089f136dc80d7ff524d5aa055ff325

SHA512
5c1dbb2d00af39148a2924b7f9546291fa0bc695a784059f3d51b80e3d31a8413d4a69e9ca02d74fb14fb26840804811b2bc599a6460e7366bed73d16947b45d

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
302KB

MD5
afd8311e124f97e241e8b0cd251244dd

SHA1
b1cf8e64b603ad2e8a8ee250683837b5bc6fbec3

SHA256
30f3324cbbb656cdca09d002cf0e16853c65036bb8bc9112f66ae17a45d35b39

SHA512
9c3b7a3bf9257dee298798d2677e8a85f71303bea0f602df382f369d3b01a130d8c1c530188dc990c6f4cf851172602a198a97031d3bb5c61f2ebc4047982cab

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
302KB

MD5
001bb3cb9524c91821db695a03387ba9

SHA1
edcd11afa07450b391d95484d2c25bbce8e75464

SHA256
d1e43148b2477f608d84dcd7f5d3bdd785188a0baa9ec147b958ada37f24539c

SHA512
3156263f45d9484fb869f2b37bf394a6bea333166f8c67428eb107644a57d95efaf80bad7c92a9c6a1f550a10a13631791dcf58b12cf059e0855d9a49aaee414

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
302KB

MD5
6ff0717fd494bcf0ab762612131b8217

SHA1
76d95471f01b7bccc681c5a83507d4e4912d8a40

SHA256
e75f16f77d545687c92f256c4c7dad4eecb0ae9c0985438868835d903e03880c

SHA512
cb9364acc10a880b074f05cfce79255635880863b5d7a1f4bab935fb83f54e4841575c4235d18c7e1cdd1b6eff7fd0560c6c6bfeddfe37a9211b832db75556ee

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
302KB

MD5
9afa84b5cbdbe42e0ec2d845dd0e45d2

SHA1
77a4e9999a9d57cff1030c26ff61de37a2144739

SHA256
28b5ebe7d69b844d7f9487739ce26a0c93278db966ec5b2c3153578ca4f705a3

SHA512
8c14df409c2b886c42e712f84f00e524c2c8544505d817e4e8fb356d25ee43d197720bd3763d79065ca969a229d29f7bb0b5a8779e3398d4d3ff501e355cf627

Download Submit
memory/1008-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads