berbew | d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2b

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
Size

276KB
MD5

9fd34d933465033f53f56d957f75cba0
SHA1

9c4a948ede6abb78e5ddfbe53a9037ca4ebf88e2
SHA256

d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2b
SHA512

28b5d05a5dff018a3747cf7f9c18950d2866cf540b192e310685decedb95c8b1e432947ef7c0ef6c9334832c07996f3f085404e6ed9e95e409b8d2944ceb2c48
SSDEEP

6144:M7trvDUJxMiPdZMGXF5ahdt3rM8d7TtLe:wvDUJxMYXFWtJ96

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 21 IoCs

pid	Process
3572	Bjfaeh32.exe
3900	Belebq32.exe
708	Cmgjgcgo.exe
676	Cenahpha.exe
724	Cmiflbel.exe
3360	Chokikeb.exe
4880	Cmlcbbcj.exe
3460	Cagobalc.exe
4280	Cmnpgb32.exe
2792	Cjbpaf32.exe
2980	Calhnpgn.exe
4912	Dfiafg32.exe
2876	Danecp32.exe
1700	Dmefhako.exe
5052	Dhkjej32.exe
2952	Daconoae.exe
216	Ddakjkqi.exe
3016	Dfpgffpm.exe
2420	Deagdn32.exe
1152	Dgbdlf32.exe
888	Dmllipeg.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4056	888	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3572	2844	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe	82
PID 2844 wrote to memory of 3572	2844	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe	82
PID 2844 wrote to memory of 3572	2844	d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe	82
PID 3572 wrote to memory of 3900	3572	Bjfaeh32.exe	83
PID 3572 wrote to memory of 3900	3572	Bjfaeh32.exe	83
PID 3572 wrote to memory of 3900	3572	Bjfaeh32.exe	83
PID 3900 wrote to memory of 708	3900	Belebq32.exe	84
PID 3900 wrote to memory of 708	3900	Belebq32.exe	84
PID 3900 wrote to memory of 708	3900	Belebq32.exe	84
PID 708 wrote to memory of 676	708	Cmgjgcgo.exe	85
PID 708 wrote to memory of 676	708	Cmgjgcgo.exe	85
PID 708 wrote to memory of 676	708	Cmgjgcgo.exe	85
PID 676 wrote to memory of 724	676	Cenahpha.exe	86
PID 676 wrote to memory of 724	676	Cenahpha.exe	86
PID 676 wrote to memory of 724	676	Cenahpha.exe	86
PID 724 wrote to memory of 3360	724	Cmiflbel.exe	87
PID 724 wrote to memory of 3360	724	Cmiflbel.exe	87
PID 724 wrote to memory of 3360	724	Cmiflbel.exe	87
PID 3360 wrote to memory of 4880	3360	Chokikeb.exe	88
PID 3360 wrote to memory of 4880	3360	Chokikeb.exe	88
PID 3360 wrote to memory of 4880	3360	Chokikeb.exe	88
PID 4880 wrote to memory of 3460	4880	Cmlcbbcj.exe	89
PID 4880 wrote to memory of 3460	4880	Cmlcbbcj.exe	89
PID 4880 wrote to memory of 3460	4880	Cmlcbbcj.exe	89
PID 3460 wrote to memory of 4280	3460	Cagobalc.exe	90
PID 3460 wrote to memory of 4280	3460	Cagobalc.exe	90
PID 3460 wrote to memory of 4280	3460	Cagobalc.exe	90
PID 4280 wrote to memory of 2792	4280	Cmnpgb32.exe	91
PID 4280 wrote to memory of 2792	4280	Cmnpgb32.exe	91
PID 4280 wrote to memory of 2792	4280	Cmnpgb32.exe	91
PID 2792 wrote to memory of 2980	2792	Cjbpaf32.exe	92
PID 2792 wrote to memory of 2980	2792	Cjbpaf32.exe	92
PID 2792 wrote to memory of 2980	2792	Cjbpaf32.exe	92
PID 2980 wrote to memory of 4912	2980	Calhnpgn.exe	93
PID 2980 wrote to memory of 4912	2980	Calhnpgn.exe	93
PID 2980 wrote to memory of 4912	2980	Calhnpgn.exe	93
PID 4912 wrote to memory of 2876	4912	Dfiafg32.exe	94
PID 4912 wrote to memory of 2876	4912	Dfiafg32.exe	94
PID 4912 wrote to memory of 2876	4912	Dfiafg32.exe	94
PID 2876 wrote to memory of 1700	2876	Danecp32.exe	95
PID 2876 wrote to memory of 1700	2876	Danecp32.exe	95
PID 2876 wrote to memory of 1700	2876	Danecp32.exe	95
PID 1700 wrote to memory of 5052	1700	Dmefhako.exe	96
PID 1700 wrote to memory of 5052	1700	Dmefhako.exe	96
PID 1700 wrote to memory of 5052	1700	Dmefhako.exe	96
PID 5052 wrote to memory of 2952	5052	Dhkjej32.exe	97
PID 5052 wrote to memory of 2952	5052	Dhkjej32.exe	97
PID 5052 wrote to memory of 2952	5052	Dhkjej32.exe	97
PID 2952 wrote to memory of 216	2952	Daconoae.exe	98
PID 2952 wrote to memory of 216	2952	Daconoae.exe	98
PID 2952 wrote to memory of 216	2952	Daconoae.exe	98
PID 216 wrote to memory of 3016	216	Ddakjkqi.exe	99
PID 216 wrote to memory of 3016	216	Ddakjkqi.exe	99
PID 216 wrote to memory of 3016	216	Ddakjkqi.exe	99
PID 3016 wrote to memory of 2420	3016	Dfpgffpm.exe	100
PID 3016 wrote to memory of 2420	3016	Dfpgffpm.exe	100
PID 3016 wrote to memory of 2420	3016	Dfpgffpm.exe	100
PID 2420 wrote to memory of 1152	2420	Deagdn32.exe	101
PID 2420 wrote to memory of 1152	2420	Deagdn32.exe	101
PID 2420 wrote to memory of 1152	2420	Deagdn32.exe	101
PID 1152 wrote to memory of 888	1152	Dgbdlf32.exe	102
PID 1152 wrote to memory of 888	1152	Dgbdlf32.exe	102
PID 1152 wrote to memory of 888	1152	Dgbdlf32.exe	102

C:\Users\Admin\AppData\Local\Temp\d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe
"C:\Users\Admin\AppData\Local\Temp\d4a7874f285da22f1751ee9d22d25b0a99246841a266162f820d24c873f80f2bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\Bjfaeh32.exe
  C:\Windows\system32\Bjfaeh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\SysWOW64\Belebq32.exe
    C:\Windows\system32\Belebq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Windows\SysWOW64\Cmgjgcgo.exe
      C:\Windows\system32\Cmgjgcgo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:708
    - - C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
      - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 416
        23⤵
        Program crash
        
        PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 888 -ip 888
1⤵
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbloam32.dll

Filesize
7KB

MD5
9f6fd0d46979ecca5bf4791134d3ae92

SHA1
4f5b0bfcc280d8a6bbcdd7e337e57072f1c27134

SHA256
744ae26d57bcb880111586150dcde2cb3d1501927ab7c68c40403234a594b899

SHA512
4f2435b60042cc88496a4743d7ddbf5d87fe469bb8a442161f446e21bc14688468ac4618c5205884f721f0f8e1091bad80335bec787d40457078bb920b128643

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
276KB

MD5
b3b009ac53822b838641d6b77b36456b

SHA1
ce340c307933643035a543a70c798fd342291ce9

SHA256
68a3b529d16d3b673dd841987ca0653adad9f0856f47c2c41408b38bb60e1324

SHA512
2220668b9d9d83e64046a22523fd248c30e06c9e5df3551fafd8be5420d92b79f38a706d3b9411934228c4b7fe9e7787fcaa38e4cb846a3be7f362cbef26992a

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
276KB

MD5
7cc4ff715dccffecd116849105517f4e

SHA1
86166fbfde718a225667f595cbb0b4a3bd17824c

SHA256
b28da3508bb63fc022b6b86598185190ad0c24c900ee8449fb4ae48868c4bd39

SHA512
ffe129efc417466a4ab678080a9a215e5e4a161ac1181ad6f1c9c56b8bd982bd180621cd2c3876181608d54162b65fc33c533fe33a3f96530dcb9754987a9db7

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
276KB

MD5
8e0df14c840ecb0e9fea9f5e907d653b

SHA1
ecea38577640989d21af5b6a76ba304cbaea8e39

SHA256
6ccadd7ac6618edc731d7478b7b8ebfb3dc00bbe1345fe6c563dce5b2ef78fa4

SHA512
1278a29f43221699aa7d8ee21ba39387808cee5cd039392299528f7f0c2b36432bd4ac1dfd525376d5974375eada3c6cbc98690fd9102a001be86b51d5ebbbd4

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
276KB

MD5
31fc960ade399bb2a22a909398b70d89

SHA1
bcfb177a6b0d9429cadb7d9a0f684cab052661c3

SHA256
de69f3819b5c74beb3bc90690477164e77c2246552eee63501533a93c88b5158

SHA512
853555dec1a81d2a3ae50a4065f3105733885a300aef34e1c67598b74554f000e2da0275316c76ce1b848d592b01939d3510a4303c8da91d060aad6bba3dc66a

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
276KB

MD5
a89dc23a86d9d4be56c927f3d6fd7744

SHA1
2825106e1eacc596177a99d50a9a83455401f430

SHA256
a3e01c0211c1ca21c40746a21b94031d93164706df0ff7bc808dabcb0c331586

SHA512
49a1112bed236c83a556563d294df5626ed8956a0e8d00a651e32aaf06a510653737664d71e5c8bd6eed628c52355c43fc5a9b025de3e632b334733fb26469fd

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
276KB

MD5
37674316949bea52a733fea2254b1d43

SHA1
b99cd0eb1c60b2d558e149a13b832c0105e4fb7c

SHA256
16ee3f38f8e629a6cb86a4c9af77de61cd4391fb2eeee3f781753356d2443e11

SHA512
cfb11a038a8283ca307a16e2255ce5e94b2d313a33514ba717e45f4016762117d477964709fd1d5d6cb64652779ec19c513c377343bfc6e920b5317cf66fe495

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
276KB

MD5
212c48f3a6330ed9f903fa9e8492a840

SHA1
3b4ddd2df23a80e54e67d00c7b4ead475059e65c

SHA256
76cee761ff54b764cd01b6799714511263b7d4c15aba5fa0301a4c009757ee87

SHA512
ac0fb8851e5967b0df344945ae88cae92efebd057a41935c2f0d4ef235023782c036185d9d0b90feb8418e8cbf315f3802df50808fb1361b9936d3619c276c43

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
276KB

MD5
78963b7e84d11b8218d5a47b696fa92e

SHA1
2e149c2df64da92906ac07b9b708814955b67d25

SHA256
10091dfc9325f2af939771a065e4e85390e3f186998daf1d4d7c290ad1e2773d

SHA512
946db54fd83a3fb632fc70f8a9c0cb0bcad88fe7f7399ba703057d541b88a54cf13a3559c6bdc24414011a77bc3ba2175fc3cc2a1c7f1f4383bd3f922c227749

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
276KB

MD5
853445970b790da39821aa89dd9f4f55

SHA1
a2f6be474ba3d6d568c65de3157924480489b74e

SHA256
bb9356f0614d6f27007a5effe76b784545e442ecca89a09d240ca891703fb132

SHA512
43afd6066e13578228b1bed16b08f34852fe90bcfddbd908375f60208106286e3346a11cbdcb870ad7454669fa490c680af409302904231ad7cb0f68fe66380c

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
276KB

MD5
b3636ea6c0a5f68a65b1d374e51c7e68

SHA1
fca8f819996b0e2ce965afd304fd37f5c48ec2ef

SHA256
9ed0743a97c407bb463d1514434ade27bc7e086cf027e123980626aeda60c3fe

SHA512
f823f45712880310dfbb97cb49a48ae80463b49b4327acf6e934ac5a180f7b0a9a1d69b5e80f68954075941a51f614dd16e191b1520325fc73350bc906aaafd8

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
276KB

MD5
50f666613b03d307ba2e7c7d22b1152f

SHA1
5dea06ad23900d09cd5c77809a891e2d8ad4b817

SHA256
89134a1997f14bf476b2e2d8413959794b93fd862bd884b2425436dc39390598

SHA512
890c062ada92e2c0674b17f9f0c5e5da1736fc86ff4c168cf86d723f9506298f62e44dc1db8a85f65cf931538b574fd909eae4afeeaf6e4c94adbf8d98d404d4

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
276KB

MD5
e44f4c42df83a3a2da3a3956a42debad

SHA1
b54fbb42e001be1750881529c65d99a99cae4ea0

SHA256
70b7e208fe977f067bcef3632a91b8698e8cef442c33abf22c77460b3c07f382

SHA512
8036b14c774287d81f4fc064692760f2c38a1a4075b9662ef9abd900e976a08ae71b19423184a1373bf0a4582aaf58593e18aa0b54a8bb7841d0cedae2ab56b3

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
276KB

MD5
bb35985222cfd6bf44334e8e4e9c5c68

SHA1
2f3b1e8e7373b2274629d2e76da3adc769f32d06

SHA256
7f017d3b6eb51150e936539e67246121320cab9f46b9e83704ac4066257a06d8

SHA512
a01092bd44cfa5f674f6355f47888eb1148177fbbcc268f34766c7f541fcba1208d0b74be069a13b6d498adfc3ef8f116c80a21ff9de2ea892b52114a37d4963

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
276KB

MD5
2adf0fd2585e9f837df2e557034f83bc

SHA1
0dc9710f7c0a2c3261cadf0bff89d9f915a5124f

SHA256
0026258d9a1a74c24f0fdc2574f37ce06ed531e05cf805d740ce70820285497b

SHA512
b06b0dccb2c2ce6206f0b03736b02e37d134e4202a6d819a8b9d17c135cd49b21e5d8729a56319a813e9b426edb89a5a3afca308e2d33494630860d67ff38724

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
276KB

MD5
b31a2dddfaaf3b08fc02a386dd636f6f

SHA1
1c4ff81dc08f9fd57b35546a9cceeafc8092be08

SHA256
fa4796fd32e50703541400bbdd0717c97238b9103af5c35f1dcd59caede1f562

SHA512
b8c2f1bddc46dea644a76fec53ccc4e758ca3118d48562a37af82d515e2fcb61cb60e693f5f4cc36b779d4af2c91aceaf2b9fa0e88b4cf1f1b304e6455e0cb97

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
276KB

MD5
33dd9dacc9cf4b1db123433faaaa618e

SHA1
587f5a94a53550d272fc77deaaf2b91dde55b375

SHA256
bc7c12c9393e9ceedd54b39534f455585d2fdb4453a4ae8e32b942e0748d9284

SHA512
ff9fbd276b99033f401b4f82d749148a4cabdcaf9e7a13f1da21fc960e865661b129ae0893ea1c446fb6e0d91804033f8c55caebcf2dea632ae3194438fef2f5

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
276KB

MD5
34aca3e36eecf49e9ee85314724c8188

SHA1
00fe73f8846da8e44be92f0a757ccf052df47a57

SHA256
a832ff8887baf6bddf405f0dc0be95a83d9bc6d2c7e26cbde6fc297e1c25640f

SHA512
64931c06a6964d05365ab6b900b414be1044a54039db6cce6761ad8175e1092a9ef8065250415dd17558a791e39503a54c477c6efe820c1c51fd399ed3d7f92c

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
276KB

MD5
08f75fab0a6bdd47dbef5392ad52ee5f

SHA1
71c32e2bfd0249120a0b10dd8755ad143f55a398

SHA256
e33a697aaaf7896f9a3e4d87bdf8ad3b8152e2177d5d5f24e1296ea75ac5d90c

SHA512
4179f38a6e03aebb8e2662536f7578754df3d98bfd09f6cf351b5290762ea6b055b50f30b52d1eeaafcf126a824609126eb70d6dc061bfd64042d50d85962a36

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
276KB

MD5
d25b1d8df6b0ef39017334ddfafe8594

SHA1
c9a8b6c232751dc8b47ef375019adc6a0b621b07

SHA256
6f0d7e901511b60d3a3f23ac05c14ef5b1a1d49f0ee9eaf534fe002f2a09bfb7

SHA512
52213c1ab1baeacff036c7e52d6fb5262776aa7ed092bf25ee1df0b59ebc398e13ebfc69227013813d17ac1d258f95362230f7b013d52489c03a91ddbc5dc5d7

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
276KB

MD5
90ad66d966ebbd92c326590f2ca6d6e4

SHA1
3b4831397617e4ab13d4fcc1130bcff341631d66

SHA256
91ea4229805969cc3c3fcd5eff7e8827a5f1c6f4d707426a7da9dba1f3633e61

SHA512
10fc46cfc41b04a754e553e91ff2e5c5e81295cabd0f3d2be3b39c2de1c5c7a029f90471e1afaf671e28f34f87325b87402f2211f20bb7c5d0b010d48409e86d

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
276KB

MD5
695b81eed030c10eb8be593e511a7809

SHA1
cb6f88761ec5b882cb502e598f87fb3bdc76dffb

SHA256
2733bce31defcae5aade3b44d4c865eafa5e704fe7588f0fe9c87048d2650ce6

SHA512
3c87e5b95feed7c5636fa8a4b5d47a5bcd3cf043e10e0603698f2c4b1792da3ed00e4c3aaa3f9f1bd1a63f9b4f240352e11e1b370881de29c040b12e66138a17

Download Submit
memory/216-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/724-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/724-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads