berbew | 1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
Size

96KB
MD5

12f7255e2d1448b6aced31dd96f1dc00
SHA1

ed927f52a93d4e01852f83ea3ba765b3bd49553e
SHA256

1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6
SHA512

553bfd04c743e8fe10dcaeed91be688384726d11c8f2aa9b58e773a828be2f0260a0bb65182efd6f4728ff94d658ca3125ea94114ea6a5b70393b9bad05333c8
SSDEEP

1536:kfNN+PqgBcEsTaw408ToeB9HO7r+6s6O4NCBYajUABmkP6Mq7rllqUOcyoh/NR4T:cmncR0Tohc6OFBxjUSmkCMQ/9h/NRa

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 19 IoCs

pid	Process
400	Cajlhqjp.exe
3008	Cdhhdlid.exe
4184	Cffdpghg.exe
5016	Calhnpgn.exe
3956	Dhfajjoj.exe
1188	Dmcibama.exe
4156	Dejacond.exe
3128	Dhhnpjmh.exe
536	Dobfld32.exe
1228	Daqbip32.exe
4408	Ddonekbl.exe
4476	Dfnjafap.exe
3476	Dodbbdbb.exe
2728	Deokon32.exe
4516	Dhmgki32.exe
3992	Daekdooc.exe
2632	Dddhpjof.exe
4612	Doilmc32.exe
4528	Dmllipeg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4524	4528	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 400	1220	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe	82
PID 1220 wrote to memory of 400	1220	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe	82
PID 1220 wrote to memory of 400	1220	1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe	82
PID 400 wrote to memory of 3008	400	Cajlhqjp.exe	83
PID 400 wrote to memory of 3008	400	Cajlhqjp.exe	83
PID 400 wrote to memory of 3008	400	Cajlhqjp.exe	83
PID 3008 wrote to memory of 4184	3008	Cdhhdlid.exe	84
PID 3008 wrote to memory of 4184	3008	Cdhhdlid.exe	84
PID 3008 wrote to memory of 4184	3008	Cdhhdlid.exe	84
PID 4184 wrote to memory of 5016	4184	Cffdpghg.exe	85
PID 4184 wrote to memory of 5016	4184	Cffdpghg.exe	85
PID 4184 wrote to memory of 5016	4184	Cffdpghg.exe	85
PID 5016 wrote to memory of 3956	5016	Calhnpgn.exe	86
PID 5016 wrote to memory of 3956	5016	Calhnpgn.exe	86
PID 5016 wrote to memory of 3956	5016	Calhnpgn.exe	86
PID 3956 wrote to memory of 1188	3956	Dhfajjoj.exe	87
PID 3956 wrote to memory of 1188	3956	Dhfajjoj.exe	87
PID 3956 wrote to memory of 1188	3956	Dhfajjoj.exe	87
PID 1188 wrote to memory of 4156	1188	Dmcibama.exe	88
PID 1188 wrote to memory of 4156	1188	Dmcibama.exe	88
PID 1188 wrote to memory of 4156	1188	Dmcibama.exe	88
PID 4156 wrote to memory of 3128	4156	Dejacond.exe	89
PID 4156 wrote to memory of 3128	4156	Dejacond.exe	89
PID 4156 wrote to memory of 3128	4156	Dejacond.exe	89
PID 3128 wrote to memory of 536	3128	Dhhnpjmh.exe	90
PID 3128 wrote to memory of 536	3128	Dhhnpjmh.exe	90
PID 3128 wrote to memory of 536	3128	Dhhnpjmh.exe	90
PID 536 wrote to memory of 1228	536	Dobfld32.exe	91
PID 536 wrote to memory of 1228	536	Dobfld32.exe	91
PID 536 wrote to memory of 1228	536	Dobfld32.exe	91
PID 1228 wrote to memory of 4408	1228	Daqbip32.exe	92
PID 1228 wrote to memory of 4408	1228	Daqbip32.exe	92
PID 1228 wrote to memory of 4408	1228	Daqbip32.exe	92
PID 4408 wrote to memory of 4476	4408	Ddonekbl.exe	93
PID 4408 wrote to memory of 4476	4408	Ddonekbl.exe	93
PID 4408 wrote to memory of 4476	4408	Ddonekbl.exe	93
PID 4476 wrote to memory of 3476	4476	Dfnjafap.exe	94
PID 4476 wrote to memory of 3476	4476	Dfnjafap.exe	94
PID 4476 wrote to memory of 3476	4476	Dfnjafap.exe	94
PID 3476 wrote to memory of 2728	3476	Dodbbdbb.exe	95
PID 3476 wrote to memory of 2728	3476	Dodbbdbb.exe	95
PID 3476 wrote to memory of 2728	3476	Dodbbdbb.exe	95
PID 2728 wrote to memory of 4516	2728	Deokon32.exe	96
PID 2728 wrote to memory of 4516	2728	Deokon32.exe	96
PID 2728 wrote to memory of 4516	2728	Deokon32.exe	96
PID 4516 wrote to memory of 3992	4516	Dhmgki32.exe	97
PID 4516 wrote to memory of 3992	4516	Dhmgki32.exe	97
PID 4516 wrote to memory of 3992	4516	Dhmgki32.exe	97
PID 3992 wrote to memory of 2632	3992	Daekdooc.exe	98
PID 3992 wrote to memory of 2632	3992	Daekdooc.exe	98
PID 3992 wrote to memory of 2632	3992	Daekdooc.exe	98
PID 2632 wrote to memory of 4612	2632	Dddhpjof.exe	99
PID 2632 wrote to memory of 4612	2632	Dddhpjof.exe	99
PID 2632 wrote to memory of 4612	2632	Dddhpjof.exe	99
PID 4612 wrote to memory of 4528	4612	Doilmc32.exe	100
PID 4612 wrote to memory of 4528	4612	Doilmc32.exe	100
PID 4612 wrote to memory of 4528	4612	Doilmc32.exe	100

C:\Users\Admin\AppData\Local\Temp\1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe
"C:\Users\Admin\AppData\Local\Temp\1e004a51b4d9258dc781bb29a06666b7fba2567f7d875cc4e4575a406f7f64f6N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\Cajlhqjp.exe
  C:\Windows\system32\Cajlhqjp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\Cdhhdlid.exe
    C:\Windows\system32\Cdhhdlid.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\Cffdpghg.exe
      C:\Windows\system32\Cffdpghg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4184
    - - C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 404
        21⤵
        Program crash
        
        PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4528 -ip 4528
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
ece4d7b9d5a1f0d3d5d438b328576e24

SHA1
3cbed4dbae2a0b68cb4981bd2887abdd3715d957

SHA256
28b39ef8507f6d3eb2057f307a82991373770154172ab120600bc98bd08b5ad9

SHA512
40e4cf9f6e7980639201c3ca48cf1433a121998b3788f7688aac581b4b025f09642f8964c6bfd7eff01150cbecd4aafe656fc64157805a5d242a10fbd31e5460

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
fd5ad9deb470fe86c5cbe696a4ddfac2

SHA1
2d1c0f70fc73df4683d44cbee318821eef008e9b

SHA256
d57a6e1209a0cfb484487e941fa7b5b76815cf51102653936dad5eff4fad1a18

SHA512
202c45d45060c81de28776b78e740a5d83aab9a72f8eea5c229c9616b03428326fb764cf049f91332162b390b611280cc1d842f25ab18e8028577210d0c4c4a7

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
b320b3baa06b40a17d969ba2bfabb786

SHA1
c2891fe4c822a43811b9556472397186727a5fbc

SHA256
0ab433e807994bdbf90a44763189421183d23f43c74eca92a9b2546a35d04414

SHA512
2a95200f5cb6c69555cb6c2dd0f46981fa6eaf5114f06b02531941353c8637b8dc6eb9c37bca39a20f742cce926277228a29b0ec4ccc451f563fce8ee66b66a1

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
96KB

MD5
76a58c7cf6a67a90f966de4fdc6f5d26

SHA1
a634eec1a3f2d0c0c67d7f8b442602656585e4e6

SHA256
95bc0d2e3212285352db044ebd08bbb0a8b7c31327e1a25f2edb5d31f4d49ec0

SHA512
7143e44b2338eb5c55928fca1f4c705432a12da5118609b6264e4960c2890e7659e9f6545124fc4c9f921ab8183133f0ddf3d805ec29961a6068d429df77060c

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
f173f41cc74488edc2818c193c6caa6a

SHA1
859ef5e0265afe68543d2f4243aab0a5d37900b8

SHA256
4b53a2519efd113281392d1fbbb58e38b4ce1f3f97fd2529d98edd42f2f1b15b

SHA512
c0d766595e970280f66b793c90b426bd4799c99ff5be61e46af21664a68e7967ec9e94cd4c2b4a88b41068451651140b7a4e861899a0d664e097b0e790442e55

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
96KB

MD5
2f81bfa257a166ba3bf5a31c54eb40cc

SHA1
5c5e9282b37cbdd7a7e0122498f8e19a7ce3e357

SHA256
94050c95513fe3b18f7a4b6a285f743d3db201c3e758daa830bb48681881530a

SHA512
97da021f5690810e38d9a3f06a419a00a79ec5ce2a551870530612b78a3fe4b4c6ee040d87fec49dcdb48c3c6bc488447c3f7a790c182656327d305a92f32186

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
369feb6bf5a9ec99b4ab61f9cd4d9f66

SHA1
d8a2be5fcfb55c5a57a7ee4c9d9db2084fa8506a

SHA256
d2a58b99b7b9a8fadc56c10443b59e5c2dc1527ee72e6a8228cde6a98ef4ba17

SHA512
94ab09b3d26d1cb7f8c7147b24c8cd5008637b9b1a969bf104fd087e5b0fca9957d58f905c87347c6db3c299cea8165f0e7adab0c5e54f6d6c6212c518bd95c6

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
1bca0f0f7947c2a37db7f1afc2e273da

SHA1
563863c72146c9ee6617c55965315c9857065a02

SHA256
eec4f56d54abffac6f35de21d50c021f5a350d870144892d6188ba0af98f45db

SHA512
9d69d8b404860a1691ebe087ab4958b338b301f83450d09326e8bf54122067a487eb09d0dff1aba795aed155a539be35222bb90576601f035b5e0a6b7f0ef3bb

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
96KB

MD5
2508476e931259116f97a01efd541ecd

SHA1
58965a49e8bc5b95b32f2a08547e48dc8aa72029

SHA256
bd3ebe54ba41bb532822f6bb40bbd782eaa2e4d2c5691b7d32e83c24ee46ee9c

SHA512
88ac6e560180188d6875f43eb30e216e8ec469d11a4275fa69f5200787bc828fd8777448f91d867b7b8aa8af65807e4aa7a8eca3f8d2bcfdde9ff81f24270797

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
fe8202ea5955c52853879c409005cfc7

SHA1
0a03f1ec5c5001d016f13e7d69ad2c2863687e9f

SHA256
a004ab2ea42ee83c2a30a7ecde07a6e90570259258c24854ef5f3f9932d649a9

SHA512
24f4de5b2b9510ff4e3a3637af3f7e5d70667d95174020e31d362609da206aaf8e0c6dad346d3a0ec9fa9f1f17487515636889e68c2a1d5082ccc54687abc87c

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
b50bd7b3953fab83543939fabf798a87

SHA1
1d8b37b8d0a8cef45354297e8c5cb606c5d68b19

SHA256
c1403e831d3412a2ebdb52ee6adeb25984aa2379ceec2b2083c4bc48eb08619d

SHA512
e8838f17ce339b1a49683d6f579d723690f4f62fad1daad69b44e13cd4b2a81bf1896e28e12e95ad8c60df3a12a23c34ab94e20dc229a752a38c7bc3cde6af9a

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
3eaf3e1c4e5d8cc8e0ce617903ea67a1

SHA1
3671547e9da9f30f18b66a44da12845b535d3508

SHA256
01aacc4bc056bfb7b17039ce689306f8d031489b541d310b610e14802dfb4ad8

SHA512
bdad5f694d8eb96ae5900439ee8d0aedaa57db83bb83fd64713c92e4ed6bb42ff133f65450e3a09d2ff7d14a20aa90639640b1fc482cba3578daaad60742fe34

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
991760b103e24e77024c36d70d46d455

SHA1
9fe2fc98916cb073479fdbecc4fae3d7f28bbd6b

SHA256
b09ac8fc07786b8b725944954ad0bf7add0ce8373e969384d3fd44c8a906115d

SHA512
c755abd47a895180ca7df9f4627a9074457f1504f75386e135b7c6953db23ae16e1840e816a1d88d11c8365f8c3a2b97b7d60c62deed9262c536f986173e0012

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
1afb816df96f113ac3b09b0465ee1c5d

SHA1
2137f91fee35c3bf58d2dbb4a51aea98c50baa1b

SHA256
67b90d17665ed69a63e1e1927c17a2a7dd9b7be7ceefbc4bc3956f4e9263d7c0

SHA512
bc161ce4efacc9529af6850c35eddab75dcb029841dbedbced3593cd079058498f58e5c92a4134493c36b714c07ccfff435d9d00952534918b3ba6a6899a477b

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
5cc9c4c40f3597231dc24d2509dacc22

SHA1
74ccbdc3f4650d1359bb84cd42b8c9842fed7ff0

SHA256
1a37547c17d1d38fa49d5c031f199da41125e48986a213a23e0a804342eacfb5

SHA512
0fd5b698259e48b5fda91c25998792ad74ca8cb968aae3529b2261ccec9c8751b218405d1d229f54806e0b7da6d42c760262e8800c35d2aa9f7528eeee829dcb

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
c340ac439799ac0131022df0dced5adf

SHA1
46412eebf64e00d1200147bd26abf4f61a42e705

SHA256
31aa6f25cc79160e9c8b9dc452ec0ed54d6d5835fafd659121c9b23b1abdc252

SHA512
4ac3ac7c2e3645c66b3ce13da651f2a76d4b0f0fd7df06742e98e9db4f506f7197b15a29f828d35320c39f1f591c18ced74e89624bfec4282630f468b882c524

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
96KB

MD5
5b71cc44d5df40bb5cda1d922cb1758c

SHA1
65fba6d86599f4ebe554e2abac991d4eb885b320

SHA256
f2fc89a7a134cdba2023ac1e8ad3b1a2e9b3e0e51783d1792427e5c272b47623

SHA512
fe3a84f563f08188886653cf693479b68ce657a04f8896ed0924e0b26df672fb2514e556ff2c9c1879fb739b8839d251bdd8813d6a299a1315154c80e1e47ad9

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
b956604e02b22bab6aaacddfd6907eb6

SHA1
1ffe087a516d96704dc3b51bc013df52db19019c

SHA256
b702c67837be3b38b4b807782f1f803fde714245a068ad01c0765881ed8f24e1

SHA512
9aadd3f11657bd3920e92acb10f76831f7479d0955688077d911238d06e2888a146b5f3ed2192528e4da2cc32a87e3a38b84fa200b73acc965a173b9965673a6

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
96KB

MD5
5e99496c2ad743ae7ee8d0a18b436377

SHA1
02a37c9345eea6dcc7232e8768362918a42edf3a

SHA256
899b60c45b1fb9f71b642dd56b2f54ed04b3530f2ced19149d5609d583a98b5f

SHA512
6607db3e8d8d47cabb497f28db9be3148ef6da001afecfe876d23fbdf50d06fef4e37555da9b38d783f427062ceaceaf9b37550aabdd64c770b2de557f193c25

Download Submit
memory/400-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1228-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads