berbew | 5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f

Analysis

max time kernel
96s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
Size

93KB
MD5

4397c3f52b29399f280f562eec5cbc71
SHA1

51a2ba2409d748e1660f067822efe828683c18da
SHA256

5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f
SHA512

3ecebf1ee6df552979e20f88320eebe3921fbb27d793ca4693228e32878987e280e7f4dabaa608ba47372fcb5ebfd2370bb8a0671fe712f978191cac90f9e773
SSDEEP

1536:uWn44SexBa9Prdd9FYCIuE7OsqqG90Vf5nGsaMiwihtIbbpkp:5nnSea1A3nCsqq00V5GdMiwaIbbpkp

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 23 IoCs

pid	Process
3504	Djdmffnn.exe
4140	Dmcibama.exe
2832	Danecp32.exe
3528	Ddmaok32.exe
1076	Dfknkg32.exe
1124	Djgjlelk.exe
804	Dobfld32.exe
796	Dmefhako.exe
1316	Daqbip32.exe
1296	Delnin32.exe
4972	Dhkjej32.exe
440	Dkifae32.exe
1712	Dodbbdbb.exe
1884	Dmgbnq32.exe
64	Deokon32.exe
5112	Dhmgki32.exe
3740	Dfpgffpm.exe
2476	Dkkcge32.exe
3752	Dmjocp32.exe
3708	Deagdn32.exe
3680	Dhocqigp.exe
2228	Dknpmdfc.exe
4144	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe

Program crash 1 IoCs

pid	pid_target	Process
2356	4144	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3504	1560	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe	85
PID 1560 wrote to memory of 3504	1560	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe	85
PID 1560 wrote to memory of 3504	1560	5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe	85
PID 3504 wrote to memory of 4140	3504	Djdmffnn.exe	86
PID 3504 wrote to memory of 4140	3504	Djdmffnn.exe	86
PID 3504 wrote to memory of 4140	3504	Djdmffnn.exe	86
PID 4140 wrote to memory of 2832	4140	Dmcibama.exe	87
PID 4140 wrote to memory of 2832	4140	Dmcibama.exe	87
PID 4140 wrote to memory of 2832	4140	Dmcibama.exe	87
PID 2832 wrote to memory of 3528	2832	Danecp32.exe	88
PID 2832 wrote to memory of 3528	2832	Danecp32.exe	88
PID 2832 wrote to memory of 3528	2832	Danecp32.exe	88
PID 3528 wrote to memory of 1076	3528	Ddmaok32.exe	89
PID 3528 wrote to memory of 1076	3528	Ddmaok32.exe	89
PID 3528 wrote to memory of 1076	3528	Ddmaok32.exe	89
PID 1076 wrote to memory of 1124	1076	Dfknkg32.exe	90
PID 1076 wrote to memory of 1124	1076	Dfknkg32.exe	90
PID 1076 wrote to memory of 1124	1076	Dfknkg32.exe	90
PID 1124 wrote to memory of 804	1124	Djgjlelk.exe	91
PID 1124 wrote to memory of 804	1124	Djgjlelk.exe	91
PID 1124 wrote to memory of 804	1124	Djgjlelk.exe	91
PID 804 wrote to memory of 796	804	Dobfld32.exe	92
PID 804 wrote to memory of 796	804	Dobfld32.exe	92
PID 804 wrote to memory of 796	804	Dobfld32.exe	92
PID 796 wrote to memory of 1316	796	Dmefhako.exe	93
PID 796 wrote to memory of 1316	796	Dmefhako.exe	93
PID 796 wrote to memory of 1316	796	Dmefhako.exe	93
PID 1316 wrote to memory of 1296	1316	Daqbip32.exe	94
PID 1316 wrote to memory of 1296	1316	Daqbip32.exe	94
PID 1316 wrote to memory of 1296	1316	Daqbip32.exe	94
PID 1296 wrote to memory of 4972	1296	Delnin32.exe	95
PID 1296 wrote to memory of 4972	1296	Delnin32.exe	95
PID 1296 wrote to memory of 4972	1296	Delnin32.exe	95
PID 4972 wrote to memory of 440	4972	Dhkjej32.exe	96
PID 4972 wrote to memory of 440	4972	Dhkjej32.exe	96
PID 4972 wrote to memory of 440	4972	Dhkjej32.exe	96
PID 440 wrote to memory of 1712	440	Dkifae32.exe	97
PID 440 wrote to memory of 1712	440	Dkifae32.exe	97
PID 440 wrote to memory of 1712	440	Dkifae32.exe	97
PID 1712 wrote to memory of 1884	1712	Dodbbdbb.exe	98
PID 1712 wrote to memory of 1884	1712	Dodbbdbb.exe	98
PID 1712 wrote to memory of 1884	1712	Dodbbdbb.exe	98
PID 1884 wrote to memory of 64	1884	Dmgbnq32.exe	99
PID 1884 wrote to memory of 64	1884	Dmgbnq32.exe	99
PID 1884 wrote to memory of 64	1884	Dmgbnq32.exe	99
PID 64 wrote to memory of 5112	64	Deokon32.exe	101
PID 64 wrote to memory of 5112	64	Deokon32.exe	101
PID 64 wrote to memory of 5112	64	Deokon32.exe	101
PID 5112 wrote to memory of 3740	5112	Dhmgki32.exe	102
PID 5112 wrote to memory of 3740	5112	Dhmgki32.exe	102
PID 5112 wrote to memory of 3740	5112	Dhmgki32.exe	102
PID 3740 wrote to memory of 2476	3740	Dfpgffpm.exe	103
PID 3740 wrote to memory of 2476	3740	Dfpgffpm.exe	103
PID 3740 wrote to memory of 2476	3740	Dfpgffpm.exe	103
PID 2476 wrote to memory of 3752	2476	Dkkcge32.exe	104
PID 2476 wrote to memory of 3752	2476	Dkkcge32.exe	104
PID 2476 wrote to memory of 3752	2476	Dkkcge32.exe	104
PID 3752 wrote to memory of 3708	3752	Dmjocp32.exe	106
PID 3752 wrote to memory of 3708	3752	Dmjocp32.exe	106
PID 3752 wrote to memory of 3708	3752	Dmjocp32.exe	106
PID 3708 wrote to memory of 3680	3708	Deagdn32.exe	107
PID 3708 wrote to memory of 3680	3708	Deagdn32.exe	107
PID 3708 wrote to memory of 3680	3708	Deagdn32.exe	107
PID 3680 wrote to memory of 2228	3680	Dhocqigp.exe	108

C:\Users\Admin\AppData\Local\Temp\5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe
"C:\Users\Admin\AppData\Local\Temp\5694c82153ed6b4567fa3cf68e364b213adf55cac54268b49a7690df8420753f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\Djdmffnn.exe
  C:\Windows\system32\Djdmffnn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\Dmcibama.exe
    C:\Windows\system32\Dmcibama.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\SysWOW64\Danecp32.exe
      C:\Windows\system32\Danecp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
      - C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 408
        25⤵
        Program crash
        
        PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4144 -ip 4144
1⤵
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cogflbdn.dll

Filesize
7KB

MD5
75facb95220ded041838c8ba7d030390

SHA1
baa21c14cbe745964c318de863573b9f45c03dca

SHA256
bb637dfaf0a945c646fd2ed03e02b3fede60604a4a632b15c9b44a234d95138a

SHA512
c47985d675dab0a82f777939c1cfbe707e52f5caac0bc9acf74b5b817a899e19add773226697099822601fc3c817f0b68194410642c22845bf9361b47aa3e02f

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
93KB

MD5
20fa40b773b4b33c85654482dc201b91

SHA1
d07622f0feafa01cd40305807a9e9f9a9e086ea1

SHA256
9ad752ad3b2c393b8d197d7b13ba710161566ae53d5172e1c774dea606033d97

SHA512
7cef98816b66c5d943644fe7c3739aa62e2d330aaa2bd32e913b77e29aaa03fa8e6c4fe1fcfb8e4f45a8ff9f869bc215f7082d7a1d8a5320dc86161396f7a257

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
93KB

MD5
d59e7dbf73eae0f4be72e001fe34b3fd

SHA1
c3f6f0d2af406cf0eb6d97e506c003a10cb1c5a3

SHA256
2c9eae3a8a1468e88e79dd4534a1fd96a4d39253a0d5436623f69d5a144cafcc

SHA512
aff1f78db3a0f52406ee2edb1e254081d9b7c3a97f6fdbc81ee0c345df7eac72fde32cd034c4ade6bfbd6977379616435bf4ae69d66a6045ddb4019b602499d9

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
93KB

MD5
147a7b0949bdff72b6aa9240be66992e

SHA1
75a52c3a16cb4941b9ca7178433da7376fb3cbb8

SHA256
e27588d00ddf1069bf5b9b796d60c02851ca4dbd4a923637549546e3ed6fd3b4

SHA512
33e59e9278df7f2fff37dde0d09ea2076c08dab078c8fd2dff7bae81ef4c8dfe5661964b94cb08bfa58e9e477cc963b490e776a4da4061f7caa5f2b014d3a15b

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
93KB

MD5
49b97f9ffc4159da4b21b367020b288a

SHA1
7dce712bcbb5d48e443c4a644579ace3b3e91353

SHA256
d2cec381e0bd6b0fdaf7a4ed4536cc9ca08d4d6d525860520030a01f00fbe7e8

SHA512
61366b3e45c554a9ed2eeccbf3ddb37bc5d19719f7d4b4c8f1e83c870b27c829ee1f8b65023c6d0a56d2dcd2f339c08ed2ad6fa1b3280d547818eb26d584d4de

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
93KB

MD5
dc16530b30a4573e88f8c28dc48acd0a

SHA1
b4b736d8ca3556389206e53ab15f67c60c76be8d

SHA256
fb0c7d1df2cb737be59d646402cd6ae0cd66d29928faea1b0502f1698941184c

SHA512
2daccb875b0f56ec3583bf8706ca481c87892e44bd42ec2d455f714f313f8f72553eb06b227618a3a7c0b84c4ed760b83af00da59e39db6708ed8a4e46cd82b0

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
bddac44b0680658f05a12e6126398630

SHA1
37816bcf0a6feb49c24d37dbce44c1101737e3cf

SHA256
c6d87fb226ba5add222c028e5fda860d602d248fd9bb06ecdf14da175bbd311a

SHA512
a6c2a996614384db5cced3d0b7ac9a23375683d814215a5e252254839b6bafca5b23846e21222495715b8d584e07be409fe1d39b7aa9bb7a126837f313f6ee25

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
93KB

MD5
9260e008605f074a8b6d3223bc6d685c

SHA1
9844fe3c557799c1f68e40753c4c05c8e8c70e16

SHA256
4e1c9bbde12f8e73b1e3be7238454178d2f4bba78a005f49104197d9d551413f

SHA512
178297698ac5ef1494907befcc4445105d0337901b34f2cc3c77af233cd8403c1eedbe13b31226da33092d4bcceb8b100067addd921955f54e2ba0ecaf159275

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
93KB

MD5
645ca7a8d003dbf7bcd9348bc0085fe4

SHA1
d56a95861036bb4702c8bc9608521cb027f36e1a

SHA256
b35d1385240a73d11ceec7c4c22962c09d19c91453a3641664e3492e0dc07701

SHA512
33d05eb9350701fe3f798ff93cd8c10f7cb7af9d56c3c95aa27c5dce8c29258c7f17e772d959a2fda8bb0869202326ff4e24fd33fe8b09fb05c3fb831391c27d

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
93KB

MD5
901bbe0a9f0df422ecbc766e72e0ecf6

SHA1
ca06794b5bb319d58f516f2d457219d729901ce8

SHA256
0675869d0d500a19c0265d3648df9a73411471b8d86896a37c21e07519124c09

SHA512
03ac6f7c4230010a66ee73e9a9315421288fad217d4d4182a71a327c1b971ebc04527991228cfc2784a9c16b6f4c0542043c3bc4cf86199563551bd6f4c2df0d

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
93KB

MD5
5207d397036cb1db7a8906157d08038c

SHA1
5628fbc5e8ac0559ef51f3845a8a811814c72223

SHA256
9d91af863a7638407d25dbf91520f202d67834fdaa9a7722e0cf6536009a7b2c

SHA512
dad288681e30c950055e93c4683e578c1a1e8ae8fbbb040c3b0529882b2784de8d8b8ccf487d188d8cd688886817b7dd6122881bc23618638a3909f40bfc5316

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
93KB

MD5
3f926c69fa9961ce6773045109a7a093

SHA1
f9a90f401c4bd7b101b1f0ec6c2ee93c2485ef10

SHA256
96d9ac5b6d45f7a78da51c98b01ac7ebb8e460eb8f94f9c8186e997ab514fc4c

SHA512
c874ce3ba546abb9aa56e1f500d8d5feb9fa49bdba6f9c204cf8137eb21fa73726ba8695b023c759e3f4f0aac8d013da3739c786e58f03778d8e5ed1f1a9147e

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
93KB

MD5
1795b28387876583fe808709d2bd90ff

SHA1
910813768be0e15e3a6db61cc8ec083bd1ce64cb

SHA256
0bc2cd577901b7da3ef7ef0a0ea2fb7666268649a42d58454da98f8084d530f8

SHA512
1610f7a3ddfb87a4dfa1addeae750aae7c2025b9f99db9cedbee6a266b37e89ef89d57348b103fe4d075620486f9ae8197937176a6a9cc05066c3d0ffc1b2ac6

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
93KB

MD5
6ced3e93ed3997202a3eda4401701387

SHA1
8bd4669d268e050c36bd9c8ef7a2421f638c0a3d

SHA256
dbb8ace350c74ce2877d1d6a0d7f164fd9b3d7afe513293a17d53448f6230d0c

SHA512
8c2501faf25c170eb7e51b82c3d9bca9fb395924c06a9731c0e2594d15f460a0514ca6658df3ec826dd9fcc407fbcb25576d952783805ba813607dd47ab995d4

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
93KB

MD5
5b0395a59e7afe732465a9d40279e271

SHA1
ee9b340178556256b8cdb4f7d42a7a5dc626cb25

SHA256
2ff0c666b8dad6fc890d232182ba1c24120780383ea5adc1b96e5592e5de9782

SHA512
d1d434c6c87d1f38b78094f3af0d289620aeac068b2596a978ba8f732532182ff5792409267e890fd26766790e2d354415a0bae7499d274c0bf648769cb3ed08

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
93KB

MD5
03a9563a363fc9a1ece584250dd224cf

SHA1
11b8755d58cc262a408e78e4c0da70c4759b5d18

SHA256
e106f14af131a76d844007a009c501d3176002a68188b7bc98342967851be655

SHA512
4b82b4111de3bce5678da1fc20bcca71e1c9b828bd8177aa1f9e02a142c204384343de3ad27ef907975688d67a6ddf9f3f715f0b23de786017b5afd232690024

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
93KB

MD5
31096b7710c0f2702f8128523388e4dc

SHA1
03bf85ea567acd11669efa6dc36f6946b4580b7e

SHA256
3eb60b057983ce6207e784bf91f8d999fca949569ee75a5052a8034c51bcdbe4

SHA512
84f8bdefec2b35b46e87ab813b6c431089abbcfccb2a5687f0140fd68269944fe15deb542a0f7cca97da573b2ca87f6a9e6b0cf150c400bb8bf0db8c2c86e17f

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
93KB

MD5
febda80ae943c55fc2a6276704bd0975

SHA1
bdf078030a99d7d4561c0d3e68a574905dfe3a06

SHA256
a0cd2888237a17ddb894a36bd7c39784bf0ed63fd62a39ab1cb12c3380334ffc

SHA512
278b5d657e4c627069e51d70d4636dc69ed6c8f18fa6edad3f607365291ddcf2ee6d71737150b782b4a0351079b293542177ce08556556925fb7a75419536028

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
93KB

MD5
37d2ba7c0b483dfcc01fdee9ceebbd52

SHA1
21f37cd3c8664866eceaa0954b10e2a8def67309

SHA256
1c4afbac6a99b16d65c52d998fea4c6d9c14ee7a1c318072a3acf1fa6ade84ff

SHA512
b298f79fc752271581a3d9675be873ad9c9716001dab93e7a0fe25b047d6b76d1dc0281ab2347d02c8316e60be507df84372f9b9c7ff304f8932ce1b393da70f

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
93KB

MD5
a2b5856f96110539436a549bfd64423b

SHA1
12db9514b8ff1848ccb842e25be73c4821be87a5

SHA256
78a28a8f11e49e710b8f7a2500dea443ca3ae3a4d4effc4432f293de3bbdecf3

SHA512
aaa4c20e82ce7f19659ab7496236af042e6625da0dc462373de0584a9647dbe3f4e745201f1c20a2d9073540d02808439b9510f9e631beb58230e97c8b9777ea

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
93KB

MD5
3b553825c48a798e34751f5b1adac81c

SHA1
27f950d59084491371c2002569869ed86308f301

SHA256
a732d9489b9afff28477ce02a1aa420a479a7b64dccd34a14ad493bd36b4faa5

SHA512
8506400941be061b4f43a1abe9d805859db1bc881f23129cdf3854ed884206626b6461456ae35302344b754a92bb42b0a4ae1e12e7681bcfad75259b5d6cfe5e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
4c657f0823931346d1138aa678de9ff6

SHA1
5178f1249d137c3c0adec100d48f28554fc9e2fe

SHA256
49852a8f46ae95a84f6bff92b213bfd01596617336431590abf23ac976499198

SHA512
4b91a57977b34c512702640f1725679a8c32c88732f9694fc6dba0c527cd4e08a97a1fe649cf6464c4dc7b7521bd14bb5035cc82ad227ad4ca6b3e6822cd6769

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
93KB

MD5
78282b46787c1a8f1b53c3cb52a5a489

SHA1
1b193d851af99fa60b11aae3a243d77dde9ba721

SHA256
bea645ca9da85f9827b96138273882e6340d83a6bcb20ee5f08e2196460edee9

SHA512
8e774a77e2cde4e44b52394168d178259c2fd3de94a2bfb890b200a0324ea8298cde21021dadf7e3168dde2982ff29573e2bafa15fb0b0e3846a1b669304fd8a

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
93KB

MD5
7f5e41874b46a6c882843dadb320396c

SHA1
9971a91bf4bd0e37f12417940e5bc4e312644eff

SHA256
ab8df42b909e6092686824c78f3a8ae0a07e8358a5e910435aa9491dd5fa8c33

SHA512
dc5e947b86565d3a6adc4609a1acd706bf77f269a995ac60e312bdc493cfbd299bb428bc0d981a120f63ca02f3b79d0d714e82b8a80777665026fb14feeec9f6

Download Submit
memory/64-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/64-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/440-196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/440-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/796-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/796-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/804-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/804-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-202-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1296-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1296-198-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-195-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-194-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2228-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2228-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2476-190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2476-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-204-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3680-167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3680-187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3740-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3740-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3752-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3752-188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4140-206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4140-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4144-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4144-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads