berbew | 6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9

Analysis

max time kernel
96s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
Size

93KB
MD5

116d4c14dc894113481f8ef235313c40
SHA1

daa99b3b68897da879c6e85ce7ba295fb558a833
SHA256

6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9
SHA512

907531ffde269f6b0f1c4f04202ff17f8f03ac987cabfc156d508bfb86bc05a10afacdecbffd69ba0fcb88fe58434f37f21999cf8332287e1025b38a34095752
SSDEEP

1536:7V2AtksK+jeqj2RiQsVhxHYQChv1DaYfMZRWuLsV+1x:7xtk2eqKRYshvgYfc0DV+1x

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 23 IoCs

pid	Process
220	Cfbkeh32.exe
3324	Cnicfe32.exe
4892	Cagobalc.exe
1276	Chagok32.exe
1904	Cnkplejl.exe
1048	Ceehho32.exe
2768	Chcddk32.exe
2628	Cmqmma32.exe
3964	Ddjejl32.exe
4144	Dfiafg32.exe
1708	Danecp32.exe
4588	Dhhnpjmh.exe
3216	Dobfld32.exe
1864	Ddonekbl.exe
4948	Dkifae32.exe
2416	Daconoae.exe
2056	Ddakjkqi.exe
344	Dogogcpo.exe
1740	Daekdooc.exe
4356	Dddhpjof.exe
4448	Dgbdlf32.exe
3644	Doilmc32.exe
1280	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4392	1280	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 220	4104	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe	83
PID 4104 wrote to memory of 220	4104	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe	83
PID 4104 wrote to memory of 220	4104	6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe	83
PID 220 wrote to memory of 3324	220	Cfbkeh32.exe	84
PID 220 wrote to memory of 3324	220	Cfbkeh32.exe	84
PID 220 wrote to memory of 3324	220	Cfbkeh32.exe	84
PID 3324 wrote to memory of 4892	3324	Cnicfe32.exe	85
PID 3324 wrote to memory of 4892	3324	Cnicfe32.exe	85
PID 3324 wrote to memory of 4892	3324	Cnicfe32.exe	85
PID 4892 wrote to memory of 1276	4892	Cagobalc.exe	86
PID 4892 wrote to memory of 1276	4892	Cagobalc.exe	86
PID 4892 wrote to memory of 1276	4892	Cagobalc.exe	86
PID 1276 wrote to memory of 1904	1276	Chagok32.exe	87
PID 1276 wrote to memory of 1904	1276	Chagok32.exe	87
PID 1276 wrote to memory of 1904	1276	Chagok32.exe	87
PID 1904 wrote to memory of 1048	1904	Cnkplejl.exe	88
PID 1904 wrote to memory of 1048	1904	Cnkplejl.exe	88
PID 1904 wrote to memory of 1048	1904	Cnkplejl.exe	88
PID 1048 wrote to memory of 2768	1048	Ceehho32.exe	89
PID 1048 wrote to memory of 2768	1048	Ceehho32.exe	89
PID 1048 wrote to memory of 2768	1048	Ceehho32.exe	89
PID 2768 wrote to memory of 2628	2768	Chcddk32.exe	90
PID 2768 wrote to memory of 2628	2768	Chcddk32.exe	90
PID 2768 wrote to memory of 2628	2768	Chcddk32.exe	90
PID 2628 wrote to memory of 3964	2628	Cmqmma32.exe	91
PID 2628 wrote to memory of 3964	2628	Cmqmma32.exe	91
PID 2628 wrote to memory of 3964	2628	Cmqmma32.exe	91
PID 3964 wrote to memory of 4144	3964	Ddjejl32.exe	92
PID 3964 wrote to memory of 4144	3964	Ddjejl32.exe	92
PID 3964 wrote to memory of 4144	3964	Ddjejl32.exe	92
PID 4144 wrote to memory of 1708	4144	Dfiafg32.exe	93
PID 4144 wrote to memory of 1708	4144	Dfiafg32.exe	93
PID 4144 wrote to memory of 1708	4144	Dfiafg32.exe	93
PID 1708 wrote to memory of 4588	1708	Danecp32.exe	94
PID 1708 wrote to memory of 4588	1708	Danecp32.exe	94
PID 1708 wrote to memory of 4588	1708	Danecp32.exe	94
PID 4588 wrote to memory of 3216	4588	Dhhnpjmh.exe	95
PID 4588 wrote to memory of 3216	4588	Dhhnpjmh.exe	95
PID 4588 wrote to memory of 3216	4588	Dhhnpjmh.exe	95
PID 3216 wrote to memory of 1864	3216	Dobfld32.exe	96
PID 3216 wrote to memory of 1864	3216	Dobfld32.exe	96
PID 3216 wrote to memory of 1864	3216	Dobfld32.exe	96
PID 1864 wrote to memory of 4948	1864	Ddonekbl.exe	97
PID 1864 wrote to memory of 4948	1864	Ddonekbl.exe	97
PID 1864 wrote to memory of 4948	1864	Ddonekbl.exe	97
PID 4948 wrote to memory of 2416	4948	Dkifae32.exe	98
PID 4948 wrote to memory of 2416	4948	Dkifae32.exe	98
PID 4948 wrote to memory of 2416	4948	Dkifae32.exe	98
PID 2416 wrote to memory of 2056	2416	Daconoae.exe	99
PID 2416 wrote to memory of 2056	2416	Daconoae.exe	99
PID 2416 wrote to memory of 2056	2416	Daconoae.exe	99
PID 2056 wrote to memory of 344	2056	Ddakjkqi.exe	100
PID 2056 wrote to memory of 344	2056	Ddakjkqi.exe	100
PID 2056 wrote to memory of 344	2056	Ddakjkqi.exe	100
PID 344 wrote to memory of 1740	344	Dogogcpo.exe	101
PID 344 wrote to memory of 1740	344	Dogogcpo.exe	101
PID 344 wrote to memory of 1740	344	Dogogcpo.exe	101
PID 1740 wrote to memory of 4356	1740	Daekdooc.exe	102
PID 1740 wrote to memory of 4356	1740	Daekdooc.exe	102
PID 1740 wrote to memory of 4356	1740	Daekdooc.exe	102
PID 4356 wrote to memory of 4448	4356	Dddhpjof.exe	103
PID 4356 wrote to memory of 4448	4356	Dddhpjof.exe	103
PID 4356 wrote to memory of 4448	4356	Dddhpjof.exe	103
PID 4448 wrote to memory of 3644	4448	Dgbdlf32.exe	104

C:\Users\Admin\AppData\Local\Temp\6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe
"C:\Users\Admin\AppData\Local\Temp\6339a7ee30d7cb1cbff24f08d558555fb69cb14f86f1431fce6831073f9974b9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\SysWOW64\Cfbkeh32.exe
  C:\Windows\system32\Cfbkeh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\Cnicfe32.exe
    C:\Windows\system32\Cnicfe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Windows\SysWOW64\Cagobalc.exe
      C:\Windows\system32\Cagobalc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
      - C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 396
        25⤵
        Program crash
        
        PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1280 -ip 1280
1⤵
PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
93KB

MD5
7f88c9e8b1ead71521ef16fb91f7d083

SHA1
a66459311360aa42bfc62f7679d1d07b54d7c7af

SHA256
d65a363690cf071ca2e30be50e3e7d9aea4181e4f168eb45a931b303210a0b1d

SHA512
be00741a99ae1df8dbe17150bc4157ab120b57b66d8eda9269bca46c0e90f69ffdf590aa3d88c1e6c95896e825d24533456ef537b5fe26e6eca4af1379de5927

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
93KB

MD5
b55aad24dd1c95983f1583e1fd534330

SHA1
02faedee4fbd74661c4a800ce91434fd23dc8551

SHA256
7623b67829b1c9c7ee95bf839461f3aa06d24f688e7553d8ca8cff704e979525

SHA512
0a245064c5877832437938a0f25b54c42616c2b2847f0fb6acac13e9dbed93ebd8c38bca5eb6d8823df5a55e218f67a8efb1b3f422b008bfde4e8ed8db693ef8

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
93KB

MD5
716d86949aa55645fc1a1cc29028fdb5

SHA1
400cb615a135a96f934b52f1929a343442b02dc8

SHA256
a9c8a2589bae4957745704f7cfbfc89899b98476a6115293211b87b60127dc32

SHA512
3f1bf1db993d9ff049ad334f92e643e8b28929e7f8af835226cc434c0e711e2e0a0d33abb9bb19faeab7c4464cd51d54f49bab8053431ec04943a3582a5b9d16

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
93KB

MD5
f782e27d420ce5db1a4b79c1afdcd4b1

SHA1
9b05f5d8a37c23024fb1d574acecfd9b8aad5c37

SHA256
4bc96957a7087af4d3e47cd3e1bc8d13c564a69f23a385f4402470e939897f69

SHA512
85f5d7ce07fc59b0e36b76f9a23919ca48fb07a94b3d3bdace004bf3c4585df14936f080f50cc075f17dc27da8f9753e35ccae4a24accaab5b91df4728c56eb8

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
93KB

MD5
61f1b0af32cc66267db1917f73331920

SHA1
e5f4d90c90115dc27dc4d1f34d1b014f718a5b4f

SHA256
b97ed98ed24bc9cf8856f83eba08d94077790913db2820dd52b456b3cf64f25e

SHA512
4d84f35ec397b14cea04b3cf1e50c32c2f140b57c391f7b4f97403b9f7966cc4a3a622e02af4366873383680b6c93acc066576fd3bdffae65bf7d9de7a2f3e86

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
93KB

MD5
a3730bef5fafe1e0e338633fbe2901fc

SHA1
a97dd276cc015db7f1e3e9bdc5f1f6cc9ead6c36

SHA256
5581c41c0847ebd4c0ee03bd3f979538f246bbb2d00f70b277e8a616036f509e

SHA512
b803427d42a409e8d33d79117b0c2bc460ce3075c54475cbc5976cf3f126d459d27b6fbfc9f0bedf0a8d5caedaa9a0e91179c54c428d4bd19b8595b494fea329

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
93KB

MD5
64951dee51026ed40ce545866375d678

SHA1
caa6feb37f7f83c1ecfd927751282f7b403ba53c

SHA256
7d12231b2cb122dd1b842c11413fcb2daadd418f83dd11cf9f343b7ec9bfcae9

SHA512
5deb22f71eadc71d1ec0c97c47af88782810188aff88561c45820459aac76405872dd9d975d4e30591229d563d0a61165e06d78742075f4f3ea517d0f0740d98

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
93KB

MD5
2532e0f280a32a00c9bc04a948eb6019

SHA1
377004453fed6beb4b862acabdd7dc1c3ad4559d

SHA256
bb37fd6fc7a1d518be3806f922fb6b880bf8aa7b99f3cb04e905e93bccd4ed6e

SHA512
79a687418f67ace5ef1c14da40788969c6b6ebd580b4534ee45c373c9dc3e44c51aae6a55859ae6e714005744ad001e57a80db52ee90415159a2c6d2e21a319f

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
93KB

MD5
6f5ac28079bf6cf6270d919b8e875299

SHA1
e976ddd7001e24f3d6a3f1ad059739ca1b0f1156

SHA256
dc066bd935b5cdf4f9eedbbeb79841a0149cec954c73e153431d23f1502f4435

SHA512
2078eaec82d7887a0bb876d84d1d136356b9e3f8a31f7900a2eee176b17a3008d3a75cbcb9bc7372f001cc701fb234b31cdcd6b615d49c8d4b80f54a215f2076

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
93KB

MD5
e375a866a5a1cea5a67fb3c252f371c1

SHA1
86cf0cf0c97ba39b2d659477deb0c1775c8e9733

SHA256
539a3a0662574eb4888ca045c2c589ca485cb2a9c705a8eac4b604b56e2a5158

SHA512
0034c24570ab95be1a2f9be475fd16971c2613038dd39150e20cd3a151486a47dd5da0eb592fe93c6c5fb784483b28c7c5be0c2a987fc8508bf709a6ca0aee96

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
93KB

MD5
5def1ed3db5e8fe8ecb3482530661586

SHA1
8466b1adc761d57bd80733b835cca55b664677b5

SHA256
88fe157cdc64e741abe997ebf05444ed6e0331ba023c19d4b77351c84c928b39

SHA512
c91e52545434580f47b7432890a642c1cd4017c23b444227c63419853c84c4ae7929649490b3b6485c753808b1c43fcda97467c8571b103149e819834fa1bdb4

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
93KB

MD5
21555c9ff81de5a7d726df1fbdcaf0f7

SHA1
93efa32447bbb53aa16386b5b169b8b548a90a67

SHA256
72f4975aec91c246000936960897cb819592d50accdbd0bc412068123c32a0c6

SHA512
29026648f79615d2fa25a51a003381aaf38ccca2b35522dcb8cd9c2ec460cacae5a2dbf83d4238e6261e012698a45943ce574732cf9d4e2de011db1d96fba4d0

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
93KB

MD5
da8b70661d110832e6a4fface237087b

SHA1
b1d88552b436d28b4baf48b6e1382f3869510550

SHA256
0b5ebb3533c31e7ad7c5c7c7fa5348271ae882302873cbded807648aa1920548

SHA512
9c176a79ec030a60261cfd24a850482accc7f5d0db6577ee9fc7c1cb3300dfdfac4ca9cee299c581370ab90121126796a3635cc23db222af4802bb26554e5ec5

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
93KB

MD5
1c627d9c384e5bdf3c02453c5113ab31

SHA1
d8dab5f5d99f8c544d0746d57e1c2f5ed87dbdc5

SHA256
ca89b266978ebfb0b5830a25bc2457a5d4dea7ec9b4be97b34ee31edbfd33b8f

SHA512
2e097cfa34f1a3276ae80c4cc7f0d1e6d497bf875e53b1a2ba778215ca920156bdc52116fa2bc1f5633651902443fae63298377b601cde91bae9b4c9962a64d5

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
93KB

MD5
49b32570d186bd3ac0934b6e3f102fdb

SHA1
973f63b2f9dad03e8b65771a3068eaba86b59ab4

SHA256
23eb585a170421f042ca217d001cccf5a3d41dd8394e5cc0517ac2b6fe464475

SHA512
4d5cf50c2220440d7761422dff5ed3124594f955d170077419322d7d9876cce24694da16248d08309edbe01b52c863bfc34ff28a62c8e543a90ea2e1f6874000

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
93KB

MD5
34524cbbc3ac56b421969b6c05d3262e

SHA1
822a6904b2567140c2bcb41b3add6da49eedf9d9

SHA256
a79fb4314906c316d7e0ddcb791cf8a42c13f7c0319910e0e279397482cc512d

SHA512
6912f648c45031e676f2c6282a22cc34e2ed819680ded5f03e5f25f3ccb4332138b2da5ac851c88c8fdab9ac467f74b25aa271785004d4d6700144cb06603d2d

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
93KB

MD5
10a356fa09f3319370e9a068cede5f1d

SHA1
21a3a5c51c98e12df98d90d99f1a3e8cea3bdfa5

SHA256
7591ef6dbfaccc9d95a03e93ce36a19959ecf06d1949ae562fd9aa1df1a20fd2

SHA512
cce2244db23425796cb75ecd7c6714cf756088e74508c655c9f9a4fa9781ea5d17e11f18ae065f37a637d94f89f172b86864080354f3283b97c4149eb5c28ada

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
93KB

MD5
80696ae23a1ca01b74e74bc3435fb5c4

SHA1
dbade73de6fe6ec70190c63651af1eb056472524

SHA256
411ea8a30b0c400a4e497dcf2d38cf9e85bae204be46dfcab99b12c9d6a71c30

SHA512
f8d8ef00e7c67c350e8490922992e19c7aecbc2869a000fa5abc63d2ddd1c4f384491df86494b0a33d2c88f828810cac856f642b5c7242a2df04395c5f1db46b

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
93KB

MD5
d521c45bb066226ba021c17d2b4d7bfc

SHA1
8125f24f38382c298ef16169ae7e9689cd423a53

SHA256
397e323c0622ea9383e3c00f2c45505db6416bebe1dc2b880c7336628bd0522c

SHA512
de1170357818491cbe18cb6552ad82dab47f38a33b244768675d75f1d4918943893642003500b83848c2c6575b2b062a7d6a1406ad1aab0587243b0b437e7c3e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
b403dceab43b50615a246120f894535a

SHA1
39bd254eb5152e237c965d706effc26b403c3d11

SHA256
c2b6eb1607aa22617637db069472b59e9a260d6d408fddf9cbb29d599004dfb2

SHA512
9e5f255aedf86bbfde575ab00ee9e9544fbf3ef247371a2fe318edb144a5e6c29e1a33871c1810c69edeb6ca9ee8203a73f2ab971b6b69352f491d0691cbb1d0

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
93KB

MD5
cac0325455f79f203c02d3173b7edf64

SHA1
3030f924908b0e05bacd88abbc0b480c4eed1dc6

SHA256
755598a0dcbf96eb21e866b15054359526edb2cb4af6b7b862d532af9e15e84f

SHA512
d663d858049bbc599bd7b255686b767a548d2cdef577ba25e20e5806698afc5636d71f948e31c6113f27748e86d83d5b4402912cc68a789c2c1a740b368c2420

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
93KB

MD5
fb561302f6e2a9f3c28499bf5af640db

SHA1
c0e0eb0300a8ab45802aee31953354a33ab93de8

SHA256
ad277146086046f9230b58e1abfaf97bc1621f5dc2ecdc0d852841b903de4766

SHA512
006747b6231b06d9f151f526dd5119d7f9bea1297930bcebd4c4dcda1235506f3efed33d575b292aa810c8d7e6eda7ee007c8a956ed39a1cef2f3609a12ca481

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
93KB

MD5
bff49664255c7af1ccffe8628a57080f

SHA1
4f904a3f9bbef26bba7d52a4634a97a1d4024c91

SHA256
1dd7d213c5cad5cf75e50e0a72020ace762e035205e6b777f0f63ef4847bc0a5

SHA512
239875de5839f2e8bcaac99010bba20610ece6974080564a0e6e2da191c8c4e707cde8a7061843878fee36c5e874dabc51677462a057cf9f5a5a3ced25a64900

Download Submit
memory/220-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/344-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/344-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4104-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads