berbew | 53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
Size

1.1MB
MD5

fd499db63d854167237523c0c3a5dd30
SHA1

7e2ce1ad9504365f236faa9a67e5dfc4232ae3b8
SHA256

53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232
SHA512

c3bfcff2cd78d5b298bac3c3d2bebbb1e0e19e05e3f3d84e9d1a384ac50a511092278abcef29983240363c449b0bafa722be62ad7faefe6a4749224ed1d942d5
SSDEEP

12288:nC5XgFHRFbeteBFHRFbeWFHRFbeteBFHRFbeN:n4QBR7BRjBR7BRE

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 23 IoCs

pid	Process
3632	Belebq32.exe
1180	Cjinkg32.exe
2228	Cabfga32.exe
1264	Caebma32.exe
3092	Ceqnmpfo.exe
468	Cdfkolkf.exe
4008	Cjpckf32.exe
1748	Cajlhqjp.exe
528	Cjbpaf32.exe
3364	Dmcibama.exe
3116	Dejacond.exe
1624	Dfknkg32.exe
4624	Dobfld32.exe
4012	Ddonekbl.exe
4092	Dmgbnq32.exe
4880	Ddakjkqi.exe
3660	Dogogcpo.exe
4292	Dmjocp32.exe
1808	Deagdn32.exe
3192	Dddhpjof.exe
2680	Dgbdlf32.exe
3420	Dknpmdfc.exe
1000	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe

Program crash 1 IoCs

pid	pid_target	Process
1352	1000	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3632	4308	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe	83
PID 4308 wrote to memory of 3632	4308	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe	83
PID 4308 wrote to memory of 3632	4308	53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe	83
PID 3632 wrote to memory of 1180	3632	Belebq32.exe	84
PID 3632 wrote to memory of 1180	3632	Belebq32.exe	84
PID 3632 wrote to memory of 1180	3632	Belebq32.exe	84
PID 1180 wrote to memory of 2228	1180	Cjinkg32.exe	85
PID 1180 wrote to memory of 2228	1180	Cjinkg32.exe	85
PID 1180 wrote to memory of 2228	1180	Cjinkg32.exe	85
PID 2228 wrote to memory of 1264	2228	Cabfga32.exe	86
PID 2228 wrote to memory of 1264	2228	Cabfga32.exe	86
PID 2228 wrote to memory of 1264	2228	Cabfga32.exe	86
PID 1264 wrote to memory of 3092	1264	Caebma32.exe	87
PID 1264 wrote to memory of 3092	1264	Caebma32.exe	87
PID 1264 wrote to memory of 3092	1264	Caebma32.exe	87
PID 3092 wrote to memory of 468	3092	Ceqnmpfo.exe	88
PID 3092 wrote to memory of 468	3092	Ceqnmpfo.exe	88
PID 3092 wrote to memory of 468	3092	Ceqnmpfo.exe	88
PID 468 wrote to memory of 4008	468	Cdfkolkf.exe	89
PID 468 wrote to memory of 4008	468	Cdfkolkf.exe	89
PID 468 wrote to memory of 4008	468	Cdfkolkf.exe	89
PID 4008 wrote to memory of 1748	4008	Cjpckf32.exe	90
PID 4008 wrote to memory of 1748	4008	Cjpckf32.exe	90
PID 4008 wrote to memory of 1748	4008	Cjpckf32.exe	90
PID 1748 wrote to memory of 528	1748	Cajlhqjp.exe	91
PID 1748 wrote to memory of 528	1748	Cajlhqjp.exe	91
PID 1748 wrote to memory of 528	1748	Cajlhqjp.exe	91
PID 528 wrote to memory of 3364	528	Cjbpaf32.exe	92
PID 528 wrote to memory of 3364	528	Cjbpaf32.exe	92
PID 528 wrote to memory of 3364	528	Cjbpaf32.exe	92
PID 3364 wrote to memory of 3116	3364	Dmcibama.exe	93
PID 3364 wrote to memory of 3116	3364	Dmcibama.exe	93
PID 3364 wrote to memory of 3116	3364	Dmcibama.exe	93
PID 3116 wrote to memory of 1624	3116	Dejacond.exe	94
PID 3116 wrote to memory of 1624	3116	Dejacond.exe	94
PID 3116 wrote to memory of 1624	3116	Dejacond.exe	94
PID 1624 wrote to memory of 4624	1624	Dfknkg32.exe	95
PID 1624 wrote to memory of 4624	1624	Dfknkg32.exe	95
PID 1624 wrote to memory of 4624	1624	Dfknkg32.exe	95
PID 4624 wrote to memory of 4012	4624	Dobfld32.exe	96
PID 4624 wrote to memory of 4012	4624	Dobfld32.exe	96
PID 4624 wrote to memory of 4012	4624	Dobfld32.exe	96
PID 4012 wrote to memory of 4092	4012	Ddonekbl.exe	97
PID 4012 wrote to memory of 4092	4012	Ddonekbl.exe	97
PID 4012 wrote to memory of 4092	4012	Ddonekbl.exe	97
PID 4092 wrote to memory of 4880	4092	Dmgbnq32.exe	98
PID 4092 wrote to memory of 4880	4092	Dmgbnq32.exe	98
PID 4092 wrote to memory of 4880	4092	Dmgbnq32.exe	98
PID 4880 wrote to memory of 3660	4880	Ddakjkqi.exe	99
PID 4880 wrote to memory of 3660	4880	Ddakjkqi.exe	99
PID 4880 wrote to memory of 3660	4880	Ddakjkqi.exe	99
PID 3660 wrote to memory of 4292	3660	Dogogcpo.exe	100
PID 3660 wrote to memory of 4292	3660	Dogogcpo.exe	100
PID 3660 wrote to memory of 4292	3660	Dogogcpo.exe	100
PID 4292 wrote to memory of 1808	4292	Dmjocp32.exe	101
PID 4292 wrote to memory of 1808	4292	Dmjocp32.exe	101
PID 4292 wrote to memory of 1808	4292	Dmjocp32.exe	101
PID 1808 wrote to memory of 3192	1808	Deagdn32.exe	102
PID 1808 wrote to memory of 3192	1808	Deagdn32.exe	102
PID 1808 wrote to memory of 3192	1808	Deagdn32.exe	102
PID 3192 wrote to memory of 2680	3192	Dddhpjof.exe	103
PID 3192 wrote to memory of 2680	3192	Dddhpjof.exe	103
PID 3192 wrote to memory of 2680	3192	Dddhpjof.exe	103
PID 2680 wrote to memory of 3420	2680	Dgbdlf32.exe	104

C:\Users\Admin\AppData\Local\Temp\53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe
"C:\Users\Admin\AppData\Local\Temp\53c39fe8cc6de48a1a889ccb03635300e2d54b27295913e56b7f33584a296232N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\Belebq32.exe
  C:\Windows\system32\Belebq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\Cjinkg32.exe
    C:\Windows\system32\Cjinkg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\SysWOW64\Cabfga32.exe
      C:\Windows\system32\Cabfga32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
      - C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 396
        25⤵
        Program crash
        
        PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1000 -ip 1000
1⤵
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Belebq32.exe

Filesize
1.1MB

MD5
4ed0e0675d8908115e1b4234846ba7f7

SHA1
a9fb13856fe03fc4e2d4c1751146a062d2e67ec5

SHA256
25445dbb238dae558596ffa626f7da3c78322bacb409006a092cf5e0999bd0cb

SHA512
cf1de6b550403686db5c5219aa95cb5a01da6b73cf305170cdb4f92cded3434447541ab4f06d8e96ffcb4899e4587da63d430ac61f6d917be7b64f95280f7193

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
1.1MB

MD5
a25363481b25310356fa44ebaccab9a8

SHA1
2f9ecf2603b5997e7647a11081b5ec85025831d7

SHA256
716f3b9cc3749c87df9083001c2e045114b9d743c60ff59befe9c42ee67cce62

SHA512
684e264ee16fdabfa60a7094929844271e0a66cbe0ef6a3819e361b55d01610289c12cce790c612343ff5a99612bc90dd30bbd8448673ce9bd22719f5bb3c147

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
1.1MB

MD5
35d9096df61dc9c41837221230295070

SHA1
013c8fe21aa212dd8e1d62c4f7f5ff2b69125c63

SHA256
1d23902d9fce770fa21a520216eaf8e096752850ef8915a90972268149ab923a

SHA512
4451a3b793eafe7409ef9c369d81c7e5aba293525a9169a43ed689bef6200893bb3c5dbfabb5bc5c222c754027bd28dc3e55d79674ff6054b7681b8e125da30d

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
1.1MB

MD5
ad489351b10405b0a3de9b3665997319

SHA1
8cc4659f689b7db6e6dc0a9eb8524da6e96a6e85

SHA256
edf556561f5915dd58b86e4768d398706376483aab738cea3b90601abd9236cc

SHA512
a0084d07e7a21c54cf6f62faef788be32d1f1533c053e736dc2ef9033d8541fe7deb87b8f81204c67148c1d051e8fb1966a32b304c24711b87dbf80d3f54a88e

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
1.1MB

MD5
410317ce08b44e1c55f00361f390ac6c

SHA1
672afe38a1fb99fc2c7c6e620384568494666296

SHA256
4740091b0e4e2b277f66e0c8924b1d201b90eda46a879f3794a598fce2251624

SHA512
62ec6afe8d5ceac7338f1e3b40be35cd02f3f820fa74160f33a5f4100f3d6eb37838c1db770be1b61465368d8f3c208cb6119c310874f7e5b95962bc012475e8

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
1.1MB

MD5
18090a7c0c16241034469977e1266648

SHA1
c613d7fe78ca54e9ebaf7f8785e7617f86d3544f

SHA256
d1fd94421f1d73ab19298a9852e72637dfc404c3c045b2c08919b97d83ed5c42

SHA512
51ad96706c941f5aeddf0f784fab98e7b640fa8d97301dc227abc4e79c6372fc5a3cdf7fc2973c7dd897d67b23d75a155d975202ddbfd8681edb8d14b4257a96

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
1.1MB

MD5
20ccca36eb7350335222f0948e7cd59c

SHA1
853f1e47d8c01ce6de6197a974d255d84c9fffbb

SHA256
12f1ec081d409c767d9dbb9409424358ad60580f7968d59f32bedf6af7a252c4

SHA512
c853832eee6573dd11c703e7c1ce9456e9e95b13014d11bc09073d987ae17cf4b87e8dab6144e1e39fa7709cedfdaf48b2af80dd3720d974acc62cdb98545d1f

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
1.1MB

MD5
fe07209651822a780edaa21ee220a25a

SHA1
3b5e6b03a3e035909d8b95b61d12924bc0094ade

SHA256
2ee43476933ae4d6d067e61fb47a064b78d453e3f77743ddf50f5fa587d39828

SHA512
c86834a31e7fecb40f31c2b1977b7c8c7b80a6654950e5824633d3034710f3491ed3c9eddcb879573efa1150b2f35e0512ce265f9fdee3f4a70acb6de6ce5420

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
1.1MB

MD5
452594279dac7d0fa8c32789d7b28f7b

SHA1
c3fadc0b6ed448925a98688d32bdd20fb1f7647e

SHA256
0a2e936de8c0c909945506c99cad880162fbf83dcb2095ecfc589a94c5d05929

SHA512
99b065f0933506df24694cfddf85ed43a45e7d39dd6228a5e846ea127af3d9caf37a301e525dfed59832e580d15b91dec956a2960ccb3b26df3911ac2ee1d72c

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
1.1MB

MD5
c9448b35ce6947d2fa0efcf341cb4957

SHA1
a02d8726fdd61a4ddac245421fd1a0283e6a8eff

SHA256
14d42196b3ae9c2722952992127d1c167247a6e4ace8e5d650b75dc2f9311129

SHA512
7974823178eb1e25ffcba05ffb36dd069639ebaa3ddd5ef2efa010feae087e200baad653ae39a4b086c6cc6630e1694239d8b9f1da6d919c1b93ba15c588d61d

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
1.1MB

MD5
b85474dc0248ac2b2817de7d93ee44c2

SHA1
a0eda395348539272799f8ff72228efcd0ee2f58

SHA256
f7dd0a3b0b4baf188ba4630e9549774b7e07b9977df864c3d5ede6b58a195f9b

SHA512
9adc1ba9b67456bf4af433b5090d39580afc183a06b000f80be7e0a3945c50122a5d9cd51f5c4c75b779c57afd1117df7c826e5398931a70a9a03b4b193bee17

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
1.1MB

MD5
6d0dd05092218766010959463297ab9e

SHA1
f510b1d32f3d48ecf5096a03267c7d2aa0631642

SHA256
1c71ca67969bab3c0275f4e58c02bbc2fc839cf8141f1225dc82083a775ceb5a

SHA512
8c6dc9d63ee3c5f4aaadfe7aa8b6c42fe65c3520760ab13f010a5fbd4db78874c5f348e511140e6d87b83edfeb5513312fe337b0168715c9ac51fd000b31b6d8

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
1.1MB

MD5
5d8195fbd4d3bc3abb417c535510ed18

SHA1
18576ae6bb41f510e6eae32875a4f74f24965c21

SHA256
0599066080a82dcfd839721442a71e4e3e18a0f14b0985e860b2eb2c041c3abd

SHA512
052cf39db8718be66153c070c7fc063808e992224945725c3951ae565698d6ece53c4f054ef787baeef79d1b84c3d561ade36e3b7f394efdc8e2b9ec555f9ab0

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
1.1MB

MD5
01e309fb82a161a3f5ff01f692fe5901

SHA1
4b59a0967860c6301c3c958108a8653f2b2177fc

SHA256
76108e636a89edae95637428e4716b6e3211a01b3ac8488953738c08c86eeca6

SHA512
6c324babc941858798479fc3eebfcc286e15e47014ae3de4152a16a532cb35aabdf15f7223d059530fbcc491701c1dbf0d58fdadc648d012371df0878eac01f3

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
1.1MB

MD5
32aed7e4947e301159fbcd1911338df9

SHA1
ac167a63e2447b40965f8616a7dc4f1dafef7d15

SHA256
0f34335500741a7c32a4376ab6d68ceeb1d9b1752547403eacdbe1fd36fe13b1

SHA512
d9bc25403a13da3101962a9d8d9993d90db77fa12d272cd90f5051accf1651d414f563555fda33dd7c0cff5992335cb721e4c9bdcf30348cc48cfdfecad72873

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
1.1MB

MD5
150413eccb8b81c9daaa765612f08680

SHA1
7597898357a6d31959e936b8879d0dc5b95a93ce

SHA256
c85183b2da8498783838f80b8f8fcfda63fb2210f3d0bebadcd18e6f6fa7be33

SHA512
6c0ccd66546926c35c992b413aefa12649a3e13978be15d9ac80c2a1710fb68788fee5f3840656a396c2ab719ff47a51f3509a2b506c06909cd7c5e951b4d33d

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
1.1MB

MD5
c9f1c73eedfce2b22175a94cb82e0dd6

SHA1
8be649643b4a596aaa1e6e8e7e5706e38269bf40

SHA256
aa0e115379ba3e32119c0c4a0a3b1912f016b38284bf35d97529be3f2703b1df

SHA512
0d55dcec7090caab11c5207ffcfb30a03b8266d171b048d20b7070cc570f6e10dc42598a32fe8b136458eee1add97572c322c3b8aea1c8eb8feceb8fbce3abef

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
1.1MB

MD5
e673ca7c53e6d6b43f66d349d9129d55

SHA1
2421e04b390c508ff25153cf041523a809a932f2

SHA256
b2a185f49fcaa632a1fe1934416fd332ab17936fc1cfba70dbf35a7527041d8c

SHA512
21ee3992bef44df626394d43188f7692a8cb3b99df2aeb2d5bc1c6f2a30b8054ee0d8e00eaa84d7a3a68844141053e798778f13a07324a22970de7042086056f

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
1.1MB

MD5
4403243fc92a0a521608e9e731aef42d

SHA1
3395975e0910fc78820f1e98a41e81829caaa303

SHA256
62be46272dcb08e47ae9363ae98661e83eebb4878c4c79e8f74cc029c62e716a

SHA512
77ad87d7bbab6745c378273dd53c5fee46a35f9376fe829c2deeffbb7d90bbcc4626a398fabc399e6a33702d4ea9aa3d009785718e147df0d797294fc09ebff2

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
1.1MB

MD5
1911ea2868bf6901871d3326d58aa377

SHA1
abbb01588c5539140491e43d3bae3a2485fc12dd

SHA256
9023fcc2e0f803e32814ef257d576bd87b92ec6f76a48b564735de91e21d862e

SHA512
2974e31e8c51ae4fe3e3a0cd09918e666fe58e794435fee7bd7943ec096ba0dac1f0217c854ac3ab8bc55d46f6bcf3ec154465575d91526235a94c3e33c5fe0c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
1.1MB

MD5
bcd77a1c784186acf8acfc3f7a34ba2d

SHA1
bdd016ff690be0ad2752b01bc5e15cceaad99a63

SHA256
6373d337cef998348f562c6aa89e699ead922b1f1a2b1bfe4d9a9ec62342ecae

SHA512
19fc0100723d43ac612dc151041442a3e15ed80c9161eb80ec93996b0c9da33bb599b3c6ceb4e94dd9c2e7a96e7d39331e780c41dec3981cea4cc97ed906b7f7

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
1.1MB

MD5
0b304da7fe4a8e43de8667cbf4eb170f

SHA1
9e9d3ed34493e9954607bea58a8b9e64d87b977b

SHA256
a647f0cf8f808bbfd0fbf799fb0d898bfc6a4a8d0a4cdafbc5cc1d245fc0ccbd

SHA512
a291485aea3cd84926e4c2fda0c82ac523c8a67e2e2696248be3e515821e344fca0a3b4a4238d5e5ac06251d1029f49778447fa20effc88264d891cb6417ea7e

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
1.1MB

MD5
618386fe39859e4586d19dcc309941e2

SHA1
37cdf66bfa8e5adc3ef0593eb9487ff3aed45529

SHA256
24967d49e265d2159be87ead8a2a46657c5c2d243ecd147ec6ed4a0d7a0cc5f1

SHA512
ec31823be567ae84887525b57e36b4ddf65aef9f2accdb6c41c2ee2a73555820a863e3c428dcde49a0e9255b6aaa5893c02c0e4ef8a8a9cff61bf0f3f331e2d4

Download Submit
memory/468-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4308-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads