berbew | 6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
Size

82KB
MD5

9d54aa0ab5a3df68a68c215416fba4c0
SHA1

1086820d845f0018488b1e82e6f609bb1b35f720
SHA256

6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9
SHA512

5eb338a4d15987cee29293d0e1a2bc892b0efb917d35d4a71e91b1f8805354fabf196a26d205343bf7198f90dcfb2f18dc8ce7d904aabe7202297988ff013895
SSDEEP

1536:I4Mn1D9x+6hkxWFjOy9eq2L7Ypm6+wDSmQFN6TiN1sJtvQu:und9x+6hjFjn9Ekpm6tm7N6TO1SpD

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 19 IoCs

pid	Process
4312	Cjpckf32.exe
628	Cmnpgb32.exe
3508	Cajlhqjp.exe
2968	Chcddk32.exe
4844	Cjbpaf32.exe
1000	Calhnpgn.exe
548	Ddjejl32.exe
4628	Djdmffnn.exe
216	Dmcibama.exe
4172	Dejacond.exe
1108	Ddmaok32.exe
1392	Djgjlelk.exe
4380	Dobfld32.exe
4588	Daqbip32.exe
4916	Dkifae32.exe
312	Ddakjkqi.exe
4124	Dogogcpo.exe
4048	Dddhpjof.exe
3192	Dmllipeg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1884	3192	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 4312	1572	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe	82
PID 1572 wrote to memory of 4312	1572	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe	82
PID 1572 wrote to memory of 4312	1572	6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe	82
PID 4312 wrote to memory of 628	4312	Cjpckf32.exe	83
PID 4312 wrote to memory of 628	4312	Cjpckf32.exe	83
PID 4312 wrote to memory of 628	4312	Cjpckf32.exe	83
PID 628 wrote to memory of 3508	628	Cmnpgb32.exe	84
PID 628 wrote to memory of 3508	628	Cmnpgb32.exe	84
PID 628 wrote to memory of 3508	628	Cmnpgb32.exe	84
PID 3508 wrote to memory of 2968	3508	Cajlhqjp.exe	85
PID 3508 wrote to memory of 2968	3508	Cajlhqjp.exe	85
PID 3508 wrote to memory of 2968	3508	Cajlhqjp.exe	85
PID 2968 wrote to memory of 4844	2968	Chcddk32.exe	86
PID 2968 wrote to memory of 4844	2968	Chcddk32.exe	86
PID 2968 wrote to memory of 4844	2968	Chcddk32.exe	86
PID 4844 wrote to memory of 1000	4844	Cjbpaf32.exe	87
PID 4844 wrote to memory of 1000	4844	Cjbpaf32.exe	87
PID 4844 wrote to memory of 1000	4844	Cjbpaf32.exe	87
PID 1000 wrote to memory of 548	1000	Calhnpgn.exe	88
PID 1000 wrote to memory of 548	1000	Calhnpgn.exe	88
PID 1000 wrote to memory of 548	1000	Calhnpgn.exe	88
PID 548 wrote to memory of 4628	548	Ddjejl32.exe	89
PID 548 wrote to memory of 4628	548	Ddjejl32.exe	89
PID 548 wrote to memory of 4628	548	Ddjejl32.exe	89
PID 4628 wrote to memory of 216	4628	Djdmffnn.exe	90
PID 4628 wrote to memory of 216	4628	Djdmffnn.exe	90
PID 4628 wrote to memory of 216	4628	Djdmffnn.exe	90
PID 216 wrote to memory of 4172	216	Dmcibama.exe	91
PID 216 wrote to memory of 4172	216	Dmcibama.exe	91
PID 216 wrote to memory of 4172	216	Dmcibama.exe	91
PID 4172 wrote to memory of 1108	4172	Dejacond.exe	92
PID 4172 wrote to memory of 1108	4172	Dejacond.exe	92
PID 4172 wrote to memory of 1108	4172	Dejacond.exe	92
PID 1108 wrote to memory of 1392	1108	Ddmaok32.exe	93
PID 1108 wrote to memory of 1392	1108	Ddmaok32.exe	93
PID 1108 wrote to memory of 1392	1108	Ddmaok32.exe	93
PID 1392 wrote to memory of 4380	1392	Djgjlelk.exe	94
PID 1392 wrote to memory of 4380	1392	Djgjlelk.exe	94
PID 1392 wrote to memory of 4380	1392	Djgjlelk.exe	94
PID 4380 wrote to memory of 4588	4380	Dobfld32.exe	95
PID 4380 wrote to memory of 4588	4380	Dobfld32.exe	95
PID 4380 wrote to memory of 4588	4380	Dobfld32.exe	95
PID 4588 wrote to memory of 4916	4588	Daqbip32.exe	96
PID 4588 wrote to memory of 4916	4588	Daqbip32.exe	96
PID 4588 wrote to memory of 4916	4588	Daqbip32.exe	96
PID 4916 wrote to memory of 312	4916	Dkifae32.exe	97
PID 4916 wrote to memory of 312	4916	Dkifae32.exe	97
PID 4916 wrote to memory of 312	4916	Dkifae32.exe	97
PID 312 wrote to memory of 4124	312	Ddakjkqi.exe	98
PID 312 wrote to memory of 4124	312	Ddakjkqi.exe	98
PID 312 wrote to memory of 4124	312	Ddakjkqi.exe	98
PID 4124 wrote to memory of 4048	4124	Dogogcpo.exe	99
PID 4124 wrote to memory of 4048	4124	Dogogcpo.exe	99
PID 4124 wrote to memory of 4048	4124	Dogogcpo.exe	99
PID 4048 wrote to memory of 3192	4048	Dddhpjof.exe	100
PID 4048 wrote to memory of 3192	4048	Dddhpjof.exe	100
PID 4048 wrote to memory of 3192	4048	Dddhpjof.exe	100

C:\Users\Admin\AppData\Local\Temp\6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe
"C:\Users\Admin\AppData\Local\Temp\6ddecfeba0ee197f0a6ed110512d721b21b58f8ba4f12e4ca9e4210713cdb4c9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\SysWOW64\Cjpckf32.exe
  C:\Windows\system32\Cjpckf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\Cmnpgb32.exe
    C:\Windows\system32\Cmnpgb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\SysWOW64\Cajlhqjp.exe
      C:\Windows\system32\Cajlhqjp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 396
        21⤵
        Program crash
        
        PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3192 -ip 3192
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
82KB

MD5
9c00c2812fb9b49c8a7458043560fa15

SHA1
4f4a4c885dd298ed341bde1c729916311cdc744b

SHA256
b31dcbdb7ead9e5caa1304e68b571c1f1ab8f48f9dda8d9ef60c2e5a6263084f

SHA512
92215df9883bf38ea065cfcdaec42ec0c16c44f861521d9941f459aa75cab1725331952dda4e9c80e0ccd56200b08505c5e31ca9e98d0c68cb0370e035702fd0

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
82KB

MD5
9075bac96a45dd0e9324293bfadcd930

SHA1
d95830dc5f47966ecbf729aae0e18885cda387f9

SHA256
e02ba4de47e58417f5d37c9ca97eedddf4cf0c428374aafdb83473b3906a699a

SHA512
d141662914e42d7ddb31ba8b47a2ff0d32ab70dbb2e4794c5a5cb92459a6c3df3a2b6cc29bbc3690ada5a48383044d18733be2aea408854a34f0c12834f587ad

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
82KB

MD5
a7e1138346b041cf2bc1739ac8320e50

SHA1
dc580ee5619b14f7ec2a4648fafda50768c93c92

SHA256
7795c87b24998061e065372575f2edcd3340181295d65aac0aa0cceb46a66256

SHA512
5602af0018bdb660db478de377a575b331408bb47c46f55340c5879632bb8e88941ba2f7d6943bd614519ec04557e7aeb9e7299271c72283993df62abcd2bc0d

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
82KB

MD5
8a8ebc4eace8f7f3028dd1597163bf8b

SHA1
eb942152564909933a410a0adec7e31aada49877

SHA256
c7d7ae9bbea42314ffd9e5f799667581bab634cef839c3eedd5baba89b57e51e

SHA512
9355789ecc837968c6db1188ddb710549779a1a73055b33c78446bc5456b43eab010afd9e0095fa18d8219f32d6e1c43b26a566079fe8ff2d43df011b902d9cb

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
82KB

MD5
8a538a34460bc5890f153bd191e64648

SHA1
258a891889b8b903abba699b43cd83638f5d6606

SHA256
3332166767a5178b4b94d8917f44084fc64ad796d318eaa0a43bb2dbc9af6cae

SHA512
d1065cda8390d90ebc669c0c7eb7de007781a1046dcd25cd1695e8ce79dfb8a620b6eac43db7ac1adc97822774cfec8a66482ef615e2fca886cf4660b655237d

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
82KB

MD5
3461e2b2e4f5729f340a0414f25ec1fa

SHA1
27e8defb79553f5499f90ab437c4ad50ee73da06

SHA256
7107e0d1f96a99a4248b68fe3047d76721b19310720d864ff96c5d1f03b0867e

SHA512
8ba510745ad4b8221c57bdb7720babfa1e7a08a8ef6cb3c5ec12e818c5195b9e1c2be8993a38bed04ca0d9631faa248b7fed091544c7e4acf32a6a7103ba64b1

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
82KB

MD5
3aa3dbc8647f56af2dd3c4f8600caa0a

SHA1
ff6ea74a085ef8485a85f7fa6838a81d7824c324

SHA256
808c342f6e3174d6d24fdfdadac9b13d8a96733cfb1bc42407baba59d4d4365c

SHA512
2725a12d843b9fe06e43958fb9ca96ec6dc08d4f92ce1363c1dd19bfa406bce9a0ca95a81bd81232405f5aac3e018ffcc1be772be88a946acab447f3b157bd8e

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
82KB

MD5
b460dd07955989b99a8db50df84f3c73

SHA1
957688235f62cb8884e917c0f8214677963a42e4

SHA256
8f4baf2b01c12b14c5cc093486c86d25c6374cdfe5970873f285a0cffb7f9c25

SHA512
8f4714c39a30f22bad7a51f1649a34cf5c056e5ba3df20b00f14a9720025d72b41463938ccaaacff212a339b1d682e01f37e7efc956d39de99488481be0764c0

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
82KB

MD5
976053f6accf2470bda68397d3ccd85a

SHA1
2935bb26c241cf7733ea5e5cbea862c3249272c2

SHA256
c38441ede80311a70f79bec9d4e1819bda2326b39cd2d9037bbbdb764abf8d04

SHA512
298885f7f2e50c2d07e426ecd259fabf1403d1e04f0967814f26b8577902cef5690c5b656e7cae3f4b1ede76d8a6e1c35ef23a44c49d71d6923a099b4f7cf57d

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
82KB

MD5
3e84ea0e8602f672356205b1559e2738

SHA1
984bd495d2e5d5eef91b205f9f98352379e17422

SHA256
d16a72356db5b86115038a88a011809f442d1ea0867dbf0862164c3a1308f499

SHA512
6f13c362250914cfdd9a1bed26735fb98920015ec1555fbf1f983da0f7678ae0858779af8356a84e951fb0215feb8faf4fc171773a17323a5d408796cecbe724

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
82KB

MD5
a24e7a36c4aed87496da23c8d847c05c

SHA1
34e957e0ca92ae3c21d741f2df36099089ccb997

SHA256
29f2e684ae0b97a18f58eec3755139192a7856059b334461dc0b38f37c1c600f

SHA512
47036adc197f9f9dbbabd18c40f39fe196e86faf6e88da6a3cfd0ce085e2cb2fce9a607a3b7e79f068d0685f9d03d433240a8c7ce8a1dd6b0620c6b17d141bcc

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
82KB

MD5
a66cfce490fd241088b4c861a5fa8649

SHA1
6dead35910b1a820413dbc718c2056e968a27511

SHA256
99468bca05f23190f14bc3587979758e8154eb22d41844a81b024e1b125b01f0

SHA512
17e8ecc736e44738acd270e4014aa485fdcfcf5a85c6768712d0c6524b7020ab366b956cc24285f0b6aa6932e8fe922d270d2ca5a066d6c38dc2d003ae5b9646

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
82KB

MD5
ea4c63a7b16a627420ac29d3ca0e4ed5

SHA1
8e70267fe847eda4255458c298495ed9956255a8

SHA256
fc23205e16e22bd49e7b23ff8e56e92230c7995f0bf87fd763572713e7d33f11

SHA512
7aab06c30f6fe309a8b07adaf93e172bdbbf9e81af69a5d548758ef3d94fa94ba1cfc5e446ed70894548d95ba6337ec0378de0f2db6fa8127c2bbe84a07cbb74

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
82KB

MD5
1ff969a402a4539f67490b8d01840ee2

SHA1
9483757159291d76430726cf45eaf46ca74fde7f

SHA256
08b382373e0f9a31e3feffda83e84e9eebdc7d89cd699dc4df97809cae0c4dff

SHA512
69453d9af6e1b5ffab7cfac3603c70a6e3fe1969fbc03f4681fec32dcd6ccb56d945e3a18133c4594844730f0791b4075418a0f841583de18011298dd96072ba

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
82KB

MD5
6e093d811ba266140b55b1900e50c11d

SHA1
dee5e21c39baae30d513edb9840fb98e820d4a99

SHA256
efe28313d8b6d3dd8a3fefcec0697b054ec902929e77b1f3236228003efe9715

SHA512
d77a217e29267e8eb463503adb86b22e885b8e77958d6d6e22a6f6a6c98fe881340d5fe1fb85b406cf5be2dc4fa36dbe3f0061af8dd04ad687d3d32c4c0f7ba1

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
82KB

MD5
52fea87774b8484b32adf850c93e5a9c

SHA1
50625ea6e56b214b39872ac80422f73581ca67e7

SHA256
bbe88cc46949061920837d0640b140b3dc476bb1e872ae1196f368ddc204b397

SHA512
e939e58015d77a289afa7b2ba195b1d8ff64833449607d06da6048ba9a68baff0e0c71d6fa479c113e1cf865b33d212edd6c1fc84dd02ae39ad147213135de52

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
82KB

MD5
209d75ce13e2501bef8cbde4ef946c40

SHA1
455220cfa5afd3edc2c0c7b351c5a13e6135fdcf

SHA256
7e2eeb79231ad488324bc4472a60df5bc28eaf4e65360b053d223bcddb7005ce

SHA512
cb89d665240b47d74722b6f302d9eedaf7816a96d7feb574664d8735520e7ce7e005c421b9267d05df5ea97478022d378ae48bf795bbe6b06d7e1790b104fe45

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
82KB

MD5
5580f6d5f0883655d118fe1c7e3ae034

SHA1
3dd069d7452327d59162e3277f485c67d3751564

SHA256
c91572ec64ad344c6dd38e5cb42218d01373da3ae00da2aca1c2159e057bf312

SHA512
4d021a8c3f280c66875f47240d0918698ddb3d58c0cb74b6a5e919a0196e85a9b0bcbdfd81aa6bc94d01ce1df15bc8fe4a916b3357d0ceb9d600b499b27e2cf9

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
82KB

MD5
bef80df6ad44e286fe228ed531f4548f

SHA1
088288ed89e0d4a043c64f4b0c01e0e6fc4512b1

SHA256
5e6ca2669920a77b37ea33453c5bfaa014cad180d92b9c5b8a65f816eca5b6a2

SHA512
7f965caa69f21c3f7c72af9ca88e72f27750131ed5d09915a9f6b2cd019e05c9a793d23eaa0efc280a38ae067e6f8bd92713ec6d7e30920271c053a0914996f0

Download Submit
memory/216-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/216-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/312-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/312-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/548-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/548-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/628-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/628-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1108-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1108-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1392-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1392-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1572-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3192-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3192-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3508-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3508-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4048-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4048-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4124-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4124-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4312-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4588-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4588-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4628-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4628-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4844-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4844-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads