berbew | 04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b

Analysis

max time kernel
110s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
Size

337KB
MD5

eb7149bc5392f44efeb1837a19abeb53
SHA1

f754d335de7a783bf1b03206c95a09aead483d70
SHA256

04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b
SHA512

0562b235a3ad00d153f151fb124213ba332985faef25518bc4e5b5444e339639b5c07a8f52c04288ec2057c5b9b2a7a4d9dbf15cac4f70bf9bd0d5769d397e78
SSDEEP

3072:IfDdfB+qLKF9H2h9gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc0X:2JUHK91+fIyG5jZkCwi8h

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 19 IoCs

pid	Process
6100	Cnnlaehj.exe
5692	Cegdnopg.exe
2428	Ddjejl32.exe
5908	Dfiafg32.exe
5240	Djdmffnn.exe
2720	Dmcibama.exe
2248	Dejacond.exe
5768	Dhhnpjmh.exe
3868	Djgjlelk.exe
5012	Dmefhako.exe
972	Dhkjej32.exe
5884	Dfnjafap.exe
4516	Ddakjkqi.exe
5188	Dkkcge32.exe
5656	Daekdooc.exe
3304	Deagdn32.exe
724	Dhocqigp.exe
5660	Dknpmdfc.exe
5452	Dmllipeg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process
3368	5452	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 6100	2232	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe	85
PID 2232 wrote to memory of 6100	2232	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe	85
PID 2232 wrote to memory of 6100	2232	04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe	85
PID 6100 wrote to memory of 5692	6100	Cnnlaehj.exe	86
PID 6100 wrote to memory of 5692	6100	Cnnlaehj.exe	86
PID 6100 wrote to memory of 5692	6100	Cnnlaehj.exe	86
PID 5692 wrote to memory of 2428	5692	Cegdnopg.exe	87
PID 5692 wrote to memory of 2428	5692	Cegdnopg.exe	87
PID 5692 wrote to memory of 2428	5692	Cegdnopg.exe	87
PID 2428 wrote to memory of 5908	2428	Ddjejl32.exe	88
PID 2428 wrote to memory of 5908	2428	Ddjejl32.exe	88
PID 2428 wrote to memory of 5908	2428	Ddjejl32.exe	88
PID 5908 wrote to memory of 5240	5908	Dfiafg32.exe	89
PID 5908 wrote to memory of 5240	5908	Dfiafg32.exe	89
PID 5908 wrote to memory of 5240	5908	Dfiafg32.exe	89
PID 5240 wrote to memory of 2720	5240	Djdmffnn.exe	90
PID 5240 wrote to memory of 2720	5240	Djdmffnn.exe	90
PID 5240 wrote to memory of 2720	5240	Djdmffnn.exe	90
PID 2720 wrote to memory of 2248	2720	Dmcibama.exe	91
PID 2720 wrote to memory of 2248	2720	Dmcibama.exe	91
PID 2720 wrote to memory of 2248	2720	Dmcibama.exe	91
PID 2248 wrote to memory of 5768	2248	Dejacond.exe	92
PID 2248 wrote to memory of 5768	2248	Dejacond.exe	92
PID 2248 wrote to memory of 5768	2248	Dejacond.exe	92
PID 5768 wrote to memory of 3868	5768	Dhhnpjmh.exe	93
PID 5768 wrote to memory of 3868	5768	Dhhnpjmh.exe	93
PID 5768 wrote to memory of 3868	5768	Dhhnpjmh.exe	93
PID 3868 wrote to memory of 5012	3868	Djgjlelk.exe	94
PID 3868 wrote to memory of 5012	3868	Djgjlelk.exe	94
PID 3868 wrote to memory of 5012	3868	Djgjlelk.exe	94
PID 5012 wrote to memory of 972	5012	Dmefhako.exe	95
PID 5012 wrote to memory of 972	5012	Dmefhako.exe	95
PID 5012 wrote to memory of 972	5012	Dmefhako.exe	95
PID 972 wrote to memory of 5884	972	Dhkjej32.exe	97
PID 972 wrote to memory of 5884	972	Dhkjej32.exe	97
PID 972 wrote to memory of 5884	972	Dhkjej32.exe	97
PID 5884 wrote to memory of 4516	5884	Dfnjafap.exe	98
PID 5884 wrote to memory of 4516	5884	Dfnjafap.exe	98
PID 5884 wrote to memory of 4516	5884	Dfnjafap.exe	98
PID 4516 wrote to memory of 5188	4516	Ddakjkqi.exe	100
PID 4516 wrote to memory of 5188	4516	Ddakjkqi.exe	100
PID 4516 wrote to memory of 5188	4516	Ddakjkqi.exe	100
PID 5188 wrote to memory of 5656	5188	Dkkcge32.exe	101
PID 5188 wrote to memory of 5656	5188	Dkkcge32.exe	101
PID 5188 wrote to memory of 5656	5188	Dkkcge32.exe	101
PID 5656 wrote to memory of 3304	5656	Daekdooc.exe	102
PID 5656 wrote to memory of 3304	5656	Daekdooc.exe	102
PID 5656 wrote to memory of 3304	5656	Daekdooc.exe	102
PID 3304 wrote to memory of 724	3304	Deagdn32.exe	103
PID 3304 wrote to memory of 724	3304	Deagdn32.exe	103
PID 3304 wrote to memory of 724	3304	Deagdn32.exe	103
PID 724 wrote to memory of 5660	724	Dhocqigp.exe	104
PID 724 wrote to memory of 5660	724	Dhocqigp.exe	104
PID 724 wrote to memory of 5660	724	Dhocqigp.exe	104
PID 5660 wrote to memory of 5452	5660	Dknpmdfc.exe	105
PID 5660 wrote to memory of 5452	5660	Dknpmdfc.exe	105
PID 5660 wrote to memory of 5452	5660	Dknpmdfc.exe	105

C:\Users\Admin\AppData\Local\Temp\04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
"C:\Users\Admin\AppData\Local\Temp\04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\Cnnlaehj.exe
  C:\Windows\system32\Cnnlaehj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:6100
- - C:\Windows\SysWOW64\Cegdnopg.exe
    C:\Windows\system32\Cegdnopg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5692
  - - C:\Windows\SysWOW64\Ddjejl32.exe
      C:\Windows\system32\Ddjejl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5908
      - C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5240
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5768
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5884
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5188
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5656
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5660
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5452 -s 396
        21⤵
        Program crash
        
        PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5452 -ip 5452
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
337KB

MD5
ca6b0c7a1ea7bb9bd1427c52d109af3d

SHA1
1655ba6bc639a4b09106484f0dfe26e3734a448a

SHA256
5941cd006e953c39591bd1875ad490a9913d5c62033cd27f60879d8eb608bff2

SHA512
b2351062ba8a71c0ac8887b4f382a82b61434e59484b0e03cea6ab782e0d9c28302efca114ee70dd5175d219f5871fbe42534637499beaba3847e198090eb1c4

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
337KB

MD5
397b5fa15438ab8398141b45182feae3

SHA1
3f0093cfd8e08daff8419292da879c01b72134f5

SHA256
8bdcc490f278d87b328ddface4fa1ab49946105dd8f26ac6a55d33d31f5b9aaa

SHA512
d9a8bd855f2393ef6caf0a2ba445ebf0d03fabc5c105a73de2aa440bb65bac89b03beefc1b434000d6b849e24dca6dd3d5f66766319023c29a6f8b3530d0a2c7

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
337KB

MD5
1b9d4489b0fa4567d3b5e857267b8ca6

SHA1
197084048901c23fe39582085cd94c7d68d05d5b

SHA256
b90cf53f38facb2b228c9d42ca257ae32e0a8fdc6a5c8ed4d20d98323a3e8736

SHA512
362d937d8abc124902ce3c3bd9e83117cd929671948f3ed48ebf66dc952a12ec40597dd4f258178faeeee3705331d03aef92c531907e10058a1cd4127db9e932

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
337KB

MD5
a38dcf0edef4d2e35d5f896219527b02

SHA1
1c9b739de3af87d91e38a8b8fca0d1c63d04e6d1

SHA256
f4bd62c05ed49e0c1ca11e0b5dcbe67a0d51bfe6c260821492b3ef8fac921fd2

SHA512
49254cb961b724e550b61ffb91a066b0a878b3c811387202297a285b6c6cf18ae22962a78e51db535519dbf6db6396efedd08313aed76f5a3a986dcb595e9694

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
337KB

MD5
b22d0b6cb1133d562144f4b5cb0f7c5f

SHA1
3bca676af76ee09f156d376f9814fcb3f705827e

SHA256
997b9079d32e121f7a492efc93f502bc98689413099b54a0070916a67043eb57

SHA512
c4f596647a43e8a4ff2bd46a9c2e646a8962cb5db38fb66946831d1dde8dca886ab8afe26be396254af295a6ce3794f36580c410a5f24777e1ca64cc7ade2e0f

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
337KB

MD5
8573e0534ddd372abd70d3419931f772

SHA1
a245188c7a5378a0ce4dbe7f3abfff66e8a5fa06

SHA256
b2c1e2f75e6e24d53ba6e70ab0fc5c0d43ec778943dab5ca43225ce4f57007de

SHA512
e687b98d7265f427154207c4eb9c719349101bfecd7dfe1886e38c1142f877a665785f54ba4477fceead8eccc6fefd1e9e1eebb8097dbb06313b28d37c45c7d5

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
337KB

MD5
b54b328808ee188fd1373548187a30cf

SHA1
3919fb5c6aa784eba8a4c496c24e1beae5f6ce7e

SHA256
58f2f5dc5dc67b4bffa7799a80eafc1e2b669ecc27f888075a673728462f0d48

SHA512
583cee81c73e0a1d1a498188240a4fb66c902751ebceac364ebf1ab78ee23fc437e141bf49baf7f55a934c247197954014ad883e18873ceed865c5b028117a8a

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
337KB

MD5
2906f63c26f50fee28cd8883a1605b68

SHA1
c12652628e0d55f08689c4dce7070be9b7a02944

SHA256
d6d5909eb95e8aba43d847b8b09a5f342349f892d647bf376e32293fd4e0ddbc

SHA512
7f118f326d97edd5ce8606185a110f37f21df13ffb6ba4f118cc413f7dece9d91b51534a63df4d8608c77faa08414aecfa8e7a2f76f1f9ecefaf1f7e3ae1aeaf

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
337KB

MD5
2e551501350b5e9d7aed539506e3fd6a

SHA1
4f804dfb3479c3540bdc5cdcaa2436a2daab80d9

SHA256
e5ecd508a01ca440882e7fe1fc6a0ca44ca93dd8081b62477e43cd0ce2a021f0

SHA512
f5969124e4f7851ce4f64123a36a8fb850fcfbe4e8073014a9c01958b250880ddb8ae6e112470c5b21e5b08aede7004b35bd213a0a6fb36f142afc79c228cbb9

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
337KB

MD5
b17ae29679f877ed8233bb2dec9b4ba8

SHA1
9ce7176c65d5ed65fb4b3b12d895c3b9ccffd3a3

SHA256
24f6a8ed3ce3f2b8c51ac4118cdd459608290be596cc6e90f62987e39f371fd1

SHA512
a5954b909c1950ad27127bc40e19e0da5439b76a77fa8129bc66cb8010fdb675f3137f8dfff549f34500e396a0fbbae37e52966e3a087d58600dd9cb5903fb37

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
337KB

MD5
9b3baf0312288636fe4a600c194603f6

SHA1
23933b74d812e9bbad3ef0b43c42ed29c9e1e170

SHA256
0a2f28d493d01b3e593bdfb7adc7c14ed5ba70281dbacb0622914b5c2761a480

SHA512
fcc4d5f545159ea44a6c1aa8f2d4828ada7d07d2857db7cc8a43bde29fe885d24e01985daafadf5b1a4d59399693052257cc8a839bc287df9fda5050ae7b552b

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
337KB

MD5
42c201d46d29a10be39665d7e7dc60bc

SHA1
2b163c0ed324a13a113cbf893f3ba74f0e3b5d3c

SHA256
2bf0cf38f7dfccc75ba307ebabb1698634960d1006999fe6baa24296ce51f397

SHA512
8424bc38209745b69944a991849f9c3fa0647b30a4ba304ec944f6c03cb7f230bd53dd6876a786a9f976a319b28fb4c10c29f21348c0e37a654c0197999f7475

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
337KB

MD5
70e44fe080f70317944b0131b15a37d4

SHA1
9fa3419dea85237849dd01910da98ddd0ad9f114

SHA256
d31613d57e8c682ccee2489d79d8706f7b81c18cf52dca3adc56a4dfb21b16a4

SHA512
fd43f55d5bd6d355c5934a9f7b2b3fb5a5a71e681b36bd9b95741d8fa0f491dd6a14bcf1c9ecafb434d9abf9cc0a5d401a6d0a97f3e349748a762b9df45c7a9c

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
337KB

MD5
455b4f1feb4a4fbf36a8cae6dacb7e2a

SHA1
61b64ec450f823856cb6788e070d5d6859e41120

SHA256
f8201c413d470673662637e04f89b0cc53e90bbfa9235acb335687bce72779a9

SHA512
2ab8623978a4c92e80b5ab3fddad95e5478bd8731676eae51962fafd00138e90de3c667cd2a132c2c9e6e580157a0b331d013162b7f71c144f7ca71d84812c99

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
337KB

MD5
1ba62f2b3194bb9c375352990b0133b2

SHA1
3dce42228d0d79dcd2eeaa1597e6cb1a76f83354

SHA256
b63f451a89e24b7630a48a56e4eeb8451b1869418ca4309e31a5660ecdbde321

SHA512
c4e6d7e7c3e2d827ec58b9a227ba4e4912cc941a2a6a6fdea16b5d864be38e9f70135df3f8026f843a5f2ce5c3eb01ecb8ff5a9f326708a6d0baf0cfe67a22b7

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
337KB

MD5
e96d65e029524a6b16c69fff93a787f7

SHA1
6f7dc51a35b8737e9481afcfa91f07ff8c405c8d

SHA256
d9b57f9168ed7a0048572e0570bb868c6b35b72dcff3a01158f849e4cde0e141

SHA512
4cc7f83041bf2f4762348a1725112004f21286ec93c2539e224641fc00059b7adec194a4ef2f43476ce1703caca8d96e892465c34a8cef65d7c8cfe7106beb3d

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
337KB

MD5
99fd152f1eb15f3462fad3ba9a198915

SHA1
72b821d22074f30136712c2ae72452c312f3a07b

SHA256
ebb84edfa413c3fdfe52e9b05c0515bedc53165b682732606c64848de6652872

SHA512
b9e9a5850020849020eaca25c59ab95bbfa8d8c85fd7f11e99e2587539cae122c741d48fd9267b54a5634308bd7d0ae6cdc5c3f9141c11e72783a967c0367e1a

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
337KB

MD5
f0852cfd0904c64181531e783a2d9af4

SHA1
68183e09442471f2b4f3a5f9156b149f69375128

SHA256
f0ad08bc31b53c3648a463f9f70bfca72d918fc198f5a3bfd58455c9a67e8ca8

SHA512
abfdcfbe4e6f124dac74f02b8ed086882119a270c8423ec374a72f661539b9f5b8ec106b855e4808a11aab289c19ebc4a7bacb2e385c5dddbd58b0475c183570

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
337KB

MD5
5c851c337066020a934f52b526d859db

SHA1
c2571c0d33ac7d78ab2b89e1dc0d2b8955e54d7c

SHA256
0e9aaf2ec5ccdb3e3db162a3ba2595c3766b6babfb4d99f3508fb2c03f12a329

SHA512
302bd96bd07160f041fed9734af5f958bf3053adffee7f0e6bd0cf3079bb5a68cefa4436c7ccfdee3f6aea02499b46a04cb9ce502f6fd9896295bb10232dc71e

Download Submit
memory/724-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2248-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5240-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5240-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5656-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5660-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5660-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5692-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5692-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5768-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5768-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5884-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5884-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5908-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5908-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6100-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6100-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads