berbew | f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
Size

72KB
MD5

575664ac4ff1385bde63dbcf29d06560
SHA1

ef135a465fb8eb9fcf7d63ab3fac035675181fe3
SHA256

f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07
SHA512

ea6e5028d732fc6f7f00473e826b08e9c0d8c3b7884ab7a6b5a7a8d20259cd856a45ac3db68cfe83cf08733a8b4811a41c371b5416b01ad96394b04fda46fd7b
SSDEEP

1536:WaX9hA1uHLu2GYPCixadX6uZ4XnB4VAIIdAbhcAN/:WpuHUixah6G2C+d8/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
3780	Cagobalc.exe
2620	Chagok32.exe
2340	Cjpckf32.exe
3728	Cmnpgb32.exe
3212	Cdhhdlid.exe
4012	Cffdpghg.exe
1444	Cmqmma32.exe
324	Cegdnopg.exe
836	Dhfajjoj.exe
1032	Dopigd32.exe
2096	Dejacond.exe
3468	Dhhnpjmh.exe
2092	Dobfld32.exe
3808	Daqbip32.exe
684	Dhkjej32.exe
976	Dkifae32.exe
2948	Dodbbdbb.exe
1696	Deokon32.exe
2420	Dogogcpo.exe
3452	Dhocqigp.exe
3020	Dknpmdfc.exe
2696	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3408	2696	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 3780	1472	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe	83
PID 1472 wrote to memory of 3780	1472	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe	83
PID 1472 wrote to memory of 3780	1472	f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe	83
PID 3780 wrote to memory of 2620	3780	Cagobalc.exe	84
PID 3780 wrote to memory of 2620	3780	Cagobalc.exe	84
PID 3780 wrote to memory of 2620	3780	Cagobalc.exe	84
PID 2620 wrote to memory of 2340	2620	Chagok32.exe	85
PID 2620 wrote to memory of 2340	2620	Chagok32.exe	85
PID 2620 wrote to memory of 2340	2620	Chagok32.exe	85
PID 2340 wrote to memory of 3728	2340	Cjpckf32.exe	86
PID 2340 wrote to memory of 3728	2340	Cjpckf32.exe	86
PID 2340 wrote to memory of 3728	2340	Cjpckf32.exe	86
PID 3728 wrote to memory of 3212	3728	Cmnpgb32.exe	87
PID 3728 wrote to memory of 3212	3728	Cmnpgb32.exe	87
PID 3728 wrote to memory of 3212	3728	Cmnpgb32.exe	87
PID 3212 wrote to memory of 4012	3212	Cdhhdlid.exe	88
PID 3212 wrote to memory of 4012	3212	Cdhhdlid.exe	88
PID 3212 wrote to memory of 4012	3212	Cdhhdlid.exe	88
PID 4012 wrote to memory of 1444	4012	Cffdpghg.exe	89
PID 4012 wrote to memory of 1444	4012	Cffdpghg.exe	89
PID 4012 wrote to memory of 1444	4012	Cffdpghg.exe	89
PID 1444 wrote to memory of 324	1444	Cmqmma32.exe	90
PID 1444 wrote to memory of 324	1444	Cmqmma32.exe	90
PID 1444 wrote to memory of 324	1444	Cmqmma32.exe	90
PID 324 wrote to memory of 836	324	Cegdnopg.exe	91
PID 324 wrote to memory of 836	324	Cegdnopg.exe	91
PID 324 wrote to memory of 836	324	Cegdnopg.exe	91
PID 836 wrote to memory of 1032	836	Dhfajjoj.exe	92
PID 836 wrote to memory of 1032	836	Dhfajjoj.exe	92
PID 836 wrote to memory of 1032	836	Dhfajjoj.exe	92
PID 1032 wrote to memory of 2096	1032	Dopigd32.exe	93
PID 1032 wrote to memory of 2096	1032	Dopigd32.exe	93
PID 1032 wrote to memory of 2096	1032	Dopigd32.exe	93
PID 2096 wrote to memory of 3468	2096	Dejacond.exe	94
PID 2096 wrote to memory of 3468	2096	Dejacond.exe	94
PID 2096 wrote to memory of 3468	2096	Dejacond.exe	94
PID 3468 wrote to memory of 2092	3468	Dhhnpjmh.exe	95
PID 3468 wrote to memory of 2092	3468	Dhhnpjmh.exe	95
PID 3468 wrote to memory of 2092	3468	Dhhnpjmh.exe	95
PID 2092 wrote to memory of 3808	2092	Dobfld32.exe	96
PID 2092 wrote to memory of 3808	2092	Dobfld32.exe	96
PID 2092 wrote to memory of 3808	2092	Dobfld32.exe	96
PID 3808 wrote to memory of 684	3808	Daqbip32.exe	97
PID 3808 wrote to memory of 684	3808	Daqbip32.exe	97
PID 3808 wrote to memory of 684	3808	Daqbip32.exe	97
PID 684 wrote to memory of 976	684	Dhkjej32.exe	98
PID 684 wrote to memory of 976	684	Dhkjej32.exe	98
PID 684 wrote to memory of 976	684	Dhkjej32.exe	98
PID 976 wrote to memory of 2948	976	Dkifae32.exe	99
PID 976 wrote to memory of 2948	976	Dkifae32.exe	99
PID 976 wrote to memory of 2948	976	Dkifae32.exe	99
PID 2948 wrote to memory of 1696	2948	Dodbbdbb.exe	100
PID 2948 wrote to memory of 1696	2948	Dodbbdbb.exe	100
PID 2948 wrote to memory of 1696	2948	Dodbbdbb.exe	100
PID 1696 wrote to memory of 2420	1696	Deokon32.exe	101
PID 1696 wrote to memory of 2420	1696	Deokon32.exe	101
PID 1696 wrote to memory of 2420	1696	Deokon32.exe	101
PID 2420 wrote to memory of 3452	2420	Dogogcpo.exe	102
PID 2420 wrote to memory of 3452	2420	Dogogcpo.exe	102
PID 2420 wrote to memory of 3452	2420	Dogogcpo.exe	102
PID 3452 wrote to memory of 3020	3452	Dhocqigp.exe	103
PID 3452 wrote to memory of 3020	3452	Dhocqigp.exe	103
PID 3452 wrote to memory of 3020	3452	Dhocqigp.exe	103
PID 3020 wrote to memory of 2696	3020	Dknpmdfc.exe	104

C:\Users\Admin\AppData\Local\Temp\f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe
"C:\Users\Admin\AppData\Local\Temp\f481276de9dedb6863dd1c37f6ff4b16470d49dcea3db626d1c3d5b628cddf07N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\SysWOW64\Cagobalc.exe
  C:\Windows\system32\Cagobalc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\Chagok32.exe
    C:\Windows\system32\Chagok32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\Cjpckf32.exe
      C:\Windows\system32\Cjpckf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 220
        24⤵
        Program crash
        
        PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2696 -ip 2696
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
72KB

MD5
2d924123b8e900f85a788f875e85085d

SHA1
0b96d9e2f9a12446c52da7e65254dd1448e8222d

SHA256
e391f97807c2500559ba6b9922a11fb48a161ac277a8b002ab53a9efd153e630

SHA512
6c22b781268173a93d96fa614220a094903f1f428ae91b064dd529e1d209e0c0d9deae98f02587e4b50dd1d4ada4d85cfdf29f5fe6bb66a49db6e58706d60a04

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
72KB

MD5
6a0ec1c55db6b301bce843449c516a3b

SHA1
0aa87b1a071561aac25fcda1b2a60e9c966aad10

SHA256
20d62a2678675c62e35f39937736656a965651ee83d1c471ccc1f210234dada4

SHA512
e82042f82e037581e074636512c29e2f439af66baeb5499fbe06aa858b13e65a5545392ac93d301db2845c713cf81d8e63d7ef1ac8b097b696d2b98e15f49b54

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
72KB

MD5
b460ca5a3f0c53b8e24f87d2ae841661

SHA1
8ac5ad95562554368056df3f648f89ff0b560e70

SHA256
ba9314769b652ced87020f06b58858d6c643dfdf16fd31e2aec0b2738116a6b1

SHA512
b5044680806479b57d8189e0c46b55acf0162db86ae80cfbb0d2a464031f4f19e41d77a0d970c1c58a4afb9b48fdb09b54a92371320f714fef53085ba369e9f9

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
72KB

MD5
ab32aac68842af6fd6a8a2dd089939a5

SHA1
e595232dd7a3186b52b07e1bc4e38e0ca8a61e91

SHA256
1511dc9556427c111703132772d8d5d17bab1490af9e88cff8f26fe0ae5d3239

SHA512
5b33633da7c806405b281cd081f112c8b5ac27112a33cac1ac51c206e27bda20ee9ec315d11f3785312c0d5a63db959a32b203090eaf1304c1338f4188f61216

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
72KB

MD5
86a6a17485461de8bff6fd266a7b1981

SHA1
52f5c3afd9b93ae8bc393c42ef1f5d366adc3b73

SHA256
5ae9f27b99aaeed7f4cfad4a61b2210aba21e0f885b77aa71238943a377307f0

SHA512
098cb2709067b7c6953cb116cd5c1a543b42a0b60499de4bc6d2f83b7e08bec5b55ce8391afcb2b5539acfed0657f27da632b0be806941e7700f9fcc5a5011f0

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
72KB

MD5
23117c6794f03cb677ecb4010e6d1c97

SHA1
6f3be21d4da2ef2058fff59755afa36897fd9df9

SHA256
58468ba1eafbba9f873a63f002dd2ae6bdff81b1e8bbb08d790e3e736aa5f6be

SHA512
30a6e8b7a10c98d7d859fc118be5fd0ac2561639e3a4b4442d82884dae8115abc959b92915176f6f02985b82b60df6f7059c28cbba5bf1d476841420134ba3c2

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
72KB

MD5
e53e59aa94ff093c6e742bc3f74e092c

SHA1
9df02c4917f32c6cfa025ae992090c43492e221f

SHA256
576bcb49824521818a29e84dcc226340301c653d0d7e3927af1369e14d20e044

SHA512
7b80d56a5b1d6e57f6a37fb2eb9e3c02577853baedcbef20d7df1e51ee1bfedb0d85e8490ac5c12074f1d569dae6082a15fa27ceadcf392c07fae5f9c35ec246

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
72KB

MD5
35eb9b822e6afe7fb0fd7f6e5a4ae3f1

SHA1
31b1d337ac2881645de034341554dd2323cf521f

SHA256
a424ae5c5304d12e132806bf8d4fe848e1dcd72244d56bd36f3344faaa2f889c

SHA512
7e88ae8d80b73a41a75d631e5a2646e81f6ec26084f38dfc06e0e2f1d47d63af9823639e0b554a83a60f610dfe4e6842dcf75b787123839609099cc5f94d4176

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
72KB

MD5
109124a15d9370e259daacfb3d335a74

SHA1
79472db874d2106468d075e43204f400b2da7963

SHA256
0735ecfee9faae981fc7109d55fe073bdbbcee09216147b6ddd96ed67e47caaa

SHA512
e050ee97089f8c835652c15fb3017169f0f026dbe1ad30084246ae023141f1b5b79e17c1e807b1699ccee9f909f2a274d37bb7e5955341e22cad10818d94964a

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
72KB

MD5
5ce2711a71b42025eec9531f5a021263

SHA1
3170c701f33c0d3c69e779707a40cc7b2f2a64ba

SHA256
2d9ef005d3685945beb7173be369ee287ad8f6c9548b50bb127011362f53f743

SHA512
122feda0431a9d8593a5ac42b2e3de14fc4fdf3037893bc9c13d75b6e8a7b117838e48c204bf3fd85ca8a61c065416a9b4b21c07b0c26021e79b438d6506c3dc

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
72KB

MD5
b19eb994190f73370cf3bb9811f0f94f

SHA1
7ca2b87c17823da6d96401a0aa425e975bb5f71e

SHA256
98b3308325f0a251ee78e49d920c89dfdef40c432a859c7ceb4fd36f5e884719

SHA512
ada6b28568c26ecdfb8ac631abf7854e4e47d94b961b99aa6eeb4d370347d5755eb5ed75a1e61576ac77db820f41c780557b2a66da5094a9711c2d53354d24e0

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
72KB

MD5
e96cd707b07f02aad0bc114d2a190aab

SHA1
816af013d188b3d4de87e6b3d1d46386dc678358

SHA256
e52e825ff1c9348a66c8376b4025315ae9bb03e7bf115b5eefebb5c22f59d229

SHA512
980662366e278ea8c61a64859030832ba32a47f03aeffe8c16830744f815a2653caa951d2a5fa14bc2ff3ef868b9e345c404841adc019c7681e94e0385716698

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
72KB

MD5
843cdda43b4eeb038b2e135943dba5ad

SHA1
ba7ff577c2304aa5e0c7c830ff4df8da7f8197bc

SHA256
c33067765d9d5ea8a69d5934640258d82fa5239de792ce28fd64b686f32ca9f5

SHA512
c4fed499ec59d1ed9618408072c9405b4662332b2d192de455f4d19f93ece699ba1a42b10140611ed30f5c004f026ca1496cd96630d578eb3881434e534e372c

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
72KB

MD5
cc27d72d1623a6bebb270e706cdf8753

SHA1
d61608a35903e67b6bfcce7ce976b9ee66e495e4

SHA256
0ffd6a0ee75130ef7e7b74bae68e75ec34b553414f4a9d6fe9b8e3fc4d403b75

SHA512
f89ecc391bb13af906b6701e66c41da07763bb745977e74e6b462006c1a581ad1fbd0ef7a69485cf2cc57764f44adaa147e626538c7a5fae4a99a5f5972e678d

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
72KB

MD5
2266a53edc16d2c5ad1e4f885306dcda

SHA1
f6adb079d6958c42ef7851f450c8379418fa9ced

SHA256
cb2609807b32b411fb69b8b0cfe98ea8aa97c0d845f8f627f5f6af5305f4dedb

SHA512
b0774b1800c04691272c7e9646f3e368611b514169df02e4ad08d00752871907f2316e5308330f1cc41670a8e34167da2f3257ed6e6dbfd43de66065e7f419ef

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
72KB

MD5
3372d3aaee7c5a5d5be088bfad42b358

SHA1
da9870bd4030f91d974649d7e57f77d96205d6b2

SHA256
8d158ce6b607bb1a4548bbe30c633ccd70a4229931f426ede14fcf30f7d90a6a

SHA512
8a40b1b600866ecda61a386d2167c482d5fc50b87b1feff78331d29c55a7dc871ffc287acdc10b34b4168c16fd01271a2e38a30214697d43d0a39ab4d5952d76

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
72KB

MD5
b6e1e80c779a53a631c63d64f62a2770

SHA1
4076807406a373b3c765082f3e9e4de65b9eb714

SHA256
87975d58c216f741d9d2c2bcd756d45045f50334900f3d9472c6a2c82fb1d57a

SHA512
f86a7a8c93e6818dc6d2e0a85ff0fb6a3e84957c959927516c5f0c9be80312f7402e0ca981e8e592d8b9b6710c559f3d71a3c03409e1cf910f61b64a93f0cd6d

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
72KB

MD5
891a2cde7409e1a4da409f571e419776

SHA1
c0c5db98136174a8df3075ae0e2479e64d573070

SHA256
cb51c76acfeff6a9aa99f90368030bd6188d247f4fda89d405acbdaa2a4ea26e

SHA512
9b0ff94ee2ca6ca97bd11d9f300b9ab5f3e56a71017e946097621bff37362611a42844cfdf302b1046f705f63c0df7fcf1e8702aec02de706a5e199370aa1766

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
72KB

MD5
77e4b361bec0717f2f86e1390569a24f

SHA1
e99a0c0019b9fe887dcc9ac0de30ceb686dca8de

SHA256
58357440a2bfab684cc9264d5a5430d369a02edf35e14c45240c2256ec9f5dbc

SHA512
35f1b4eb5a9c5c77953fcca4afa728aa50768c39e1eb03e306a34dda15d49a9d80a98278b5b8ba6f2710da03d6365cee486f16c259e54cec66dc864267d73438

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
72KB

MD5
6fcc41d272de7454118c535391a773a0

SHA1
5f053defdaf14e419d8944943bd5024af30c5d3d

SHA256
7785a6ea1af4fdb97a1a5a5e5004246af5477d49320bc7b705202c60112d9a00

SHA512
92f2911911fe644a6f8ca3e14dfe2776bec595af895cd820d98afb13a08e29a4b58ba7f456e5bebfd27116e3d049f7e19dad05459ac8c6d872ff0f092b83a1eb

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
72KB

MD5
87890750d39ebeaa4b55ce2aaed275d6

SHA1
10412d3c04f89d1f4b040d20dbd2fe3555e06ae5

SHA256
13b024304777629a8613653fb4b534e1c5d7cec86e15d9e98614c8239be2cab8

SHA512
cf42ad896f3a814f170eb9777646a8b71fb505d80dc113f47d8a95c386a12e663a20faeb4d9723444a8557d16e5750ecb1c495ebf47c737a9d3f4f16dd2aa6c2

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
72KB

MD5
0f8c578dca5908add84c1f08488f3947

SHA1
d041b5c56a5343a5e1ab4af07214dec69c846afe

SHA256
c491933e2f4484b6b9d3d20d8112154fd57a0b5f4478c7b1050d8faf3f9ea9ba

SHA512
1619d1d8ef7b0c87587fbb8b0fe6ff32159784645fcab3f5a3379e3694a1ee3a1a046f0341d157ffe6fa11288d4976d17cf2159be728383fad7df86fba47809f

Download Submit
C:\Windows\SysWOW64\Lpggmhkg.dll

Filesize
7KB

MD5
f226c9f920a3dfbe25ec580aca9828e4

SHA1
8bde29da7d5c49231eb682d31d9919485820d235

SHA256
e92256c7aa9cafb5a579294a817c59d1d3286895699865ef48c8ee25fbd8294d

SHA512
dea466a8df1e2cac9c7d6f53822179f54b54455ea1481edbea222498d5d823abfd4ef175c110ab366aa08a4e910547a742e67f70fe50fea15fbb93de0651fada

Download Submit
memory/324-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/324-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads