berbew | ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839

Analysis

max time kernel
92s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
Size

303KB
MD5

d529a7694bd0e5af4c4810834278e13f
SHA1

7ed950b71df3d138b1a524045791ba0bf62b7354
SHA256

ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839
SHA512

37f9ddd54bdacc7c2b3a680aea70e176b5453d5bdae86e7ace4010f0fdfc42be08c1c49117dc6c9362627db8db9e20c4c060a054bbc3b38e246e320ad7518461
SSDEEP

6144:UTqLoQaM47bh5CPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSpaH8m34:UTqLoQaM47ZFHRFbeE8mo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 19 IoCs

pid	Process
4228	Chagok32.exe
3264	Cjpckf32.exe
3408	Cmnpgb32.exe
4944	Chcddk32.exe
5004	Cffdpghg.exe
388	Cnnlaehj.exe
3964	Calhnpgn.exe
1076	Dopigd32.exe
1432	Ddmaok32.exe
2164	Dobfld32.exe
3612	Delnin32.exe
4884	Dfnjafap.exe
3012	Dmgbnq32.exe
4360	Deokon32.exe
3372	Dfpgffpm.exe
2808	Dogogcpo.exe
3152	Deagdn32.exe
3336	Dhocqigp.exe
2200	Dmllipeg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4104	2200	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 4228	3912	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe	83
PID 3912 wrote to memory of 4228	3912	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe	83
PID 3912 wrote to memory of 4228	3912	ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe	83
PID 4228 wrote to memory of 3264	4228	Chagok32.exe	84
PID 4228 wrote to memory of 3264	4228	Chagok32.exe	84
PID 4228 wrote to memory of 3264	4228	Chagok32.exe	84
PID 3264 wrote to memory of 3408	3264	Cjpckf32.exe	85
PID 3264 wrote to memory of 3408	3264	Cjpckf32.exe	85
PID 3264 wrote to memory of 3408	3264	Cjpckf32.exe	85
PID 3408 wrote to memory of 4944	3408	Cmnpgb32.exe	87
PID 3408 wrote to memory of 4944	3408	Cmnpgb32.exe	87
PID 3408 wrote to memory of 4944	3408	Cmnpgb32.exe	87
PID 4944 wrote to memory of 5004	4944	Chcddk32.exe	88
PID 4944 wrote to memory of 5004	4944	Chcddk32.exe	88
PID 4944 wrote to memory of 5004	4944	Chcddk32.exe	88
PID 5004 wrote to memory of 388	5004	Cffdpghg.exe	89
PID 5004 wrote to memory of 388	5004	Cffdpghg.exe	89
PID 5004 wrote to memory of 388	5004	Cffdpghg.exe	89
PID 388 wrote to memory of 3964	388	Cnnlaehj.exe	91
PID 388 wrote to memory of 3964	388	Cnnlaehj.exe	91
PID 388 wrote to memory of 3964	388	Cnnlaehj.exe	91
PID 3964 wrote to memory of 1076	3964	Calhnpgn.exe	92
PID 3964 wrote to memory of 1076	3964	Calhnpgn.exe	92
PID 3964 wrote to memory of 1076	3964	Calhnpgn.exe	92
PID 1076 wrote to memory of 1432	1076	Dopigd32.exe	93
PID 1076 wrote to memory of 1432	1076	Dopigd32.exe	93
PID 1076 wrote to memory of 1432	1076	Dopigd32.exe	93
PID 1432 wrote to memory of 2164	1432	Ddmaok32.exe	95
PID 1432 wrote to memory of 2164	1432	Ddmaok32.exe	95
PID 1432 wrote to memory of 2164	1432	Ddmaok32.exe	95
PID 2164 wrote to memory of 3612	2164	Dobfld32.exe	96
PID 2164 wrote to memory of 3612	2164	Dobfld32.exe	96
PID 2164 wrote to memory of 3612	2164	Dobfld32.exe	96
PID 3612 wrote to memory of 4884	3612	Delnin32.exe	97
PID 3612 wrote to memory of 4884	3612	Delnin32.exe	97
PID 3612 wrote to memory of 4884	3612	Delnin32.exe	97
PID 4884 wrote to memory of 3012	4884	Dfnjafap.exe	98
PID 4884 wrote to memory of 3012	4884	Dfnjafap.exe	98
PID 4884 wrote to memory of 3012	4884	Dfnjafap.exe	98
PID 3012 wrote to memory of 4360	3012	Dmgbnq32.exe	99
PID 3012 wrote to memory of 4360	3012	Dmgbnq32.exe	99
PID 3012 wrote to memory of 4360	3012	Dmgbnq32.exe	99
PID 4360 wrote to memory of 3372	4360	Deokon32.exe	100
PID 4360 wrote to memory of 3372	4360	Deokon32.exe	100
PID 4360 wrote to memory of 3372	4360	Deokon32.exe	100
PID 3372 wrote to memory of 2808	3372	Dfpgffpm.exe	101
PID 3372 wrote to memory of 2808	3372	Dfpgffpm.exe	101
PID 3372 wrote to memory of 2808	3372	Dfpgffpm.exe	101
PID 2808 wrote to memory of 3152	2808	Dogogcpo.exe	102
PID 2808 wrote to memory of 3152	2808	Dogogcpo.exe	102
PID 2808 wrote to memory of 3152	2808	Dogogcpo.exe	102
PID 3152 wrote to memory of 3336	3152	Deagdn32.exe	103
PID 3152 wrote to memory of 3336	3152	Deagdn32.exe	103
PID 3152 wrote to memory of 3336	3152	Deagdn32.exe	103
PID 3336 wrote to memory of 2200	3336	Dhocqigp.exe	104
PID 3336 wrote to memory of 2200	3336	Dhocqigp.exe	104
PID 3336 wrote to memory of 2200	3336	Dhocqigp.exe	104

C:\Users\Admin\AppData\Local\Temp\ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe
"C:\Users\Admin\AppData\Local\Temp\ce7cce4097d7537edb2e0cb6bca07fe548e9c80d9af87fc5ef1d1b1d30e35839.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\SysWOW64\Chagok32.exe
  C:\Windows\system32\Chagok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\Cjpckf32.exe
    C:\Windows\system32\Cjpckf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\SysWOW64\Cmnpgb32.exe
      C:\Windows\system32\Cmnpgb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3408
    - - C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
      - C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 396
        21⤵
        Program crash
        
        PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2200 -ip 2200
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
303KB

MD5
04dcb891bb9960f44161bb929d095ae3

SHA1
8cf50fb5583c319650ae5efc79defedbba4de5c7

SHA256
1170fc84ee83ea76f88ed54084a6078f2db8a5af6594f12a8640503337188fe0

SHA512
93c2953a2c7bd7980a14e35a23a4b6ef2bfc60be092276e1c2e13c0cd3edc1e1d474c380fd9492f3e89c36c29a7fc2062345dc7084ee02d0b77426bc22c7876f

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
303KB

MD5
f371a9c9153595d503e547c7022a6a61

SHA1
75a917a021b5cba395e5f05e2ad392831b6525cb

SHA256
e3c6b86622c042babdc9a0883bc9e1f0839d8d39cb00690e5e9d7fe37a27d252

SHA512
58264ab9e6c4985b3c27e4ad51ba6a42523c93dc7c564d43b18d9bc64bf7b73e48356cb064b3cc93eb388d83c66204118d1da70b76c013fb750009d1e4680265

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
303KB

MD5
25a592047accc436cefd17e99a50df7d

SHA1
f72c7a352b34a232bb7b7590a0d705881b088069

SHA256
5a455ec3a52d74169b5f4a7b2dd861eecbf9e0104595950293638f02d88cc32a

SHA512
91d23edf5bd826a210a6f760836f6ae9e8f09fc8a0b002f2ff8f19724ae962186f3d25710df86fac211d29b8e0d30c8c6961074485a780593dccff8749a90fa0

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
303KB

MD5
b7dea3389699bffecd08ecefe2922fc5

SHA1
fe48245a7f3163683912b2d99e0a4df63ae63684

SHA256
25677af429fcdad2628a312a34be993f882b14bf90d848f8ec01b200c8002853

SHA512
9bd252b5ecdfbe07abf1015d01a1966894abda3c16933c45cf2f18d6cabca36bd1f4a639a717203c986570bc02ea90ea4ec6baff161da36e232f28111eb91bb6

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
303KB

MD5
34e14008e6f6ad2de045805d25dc3c70

SHA1
bbbe83a00f2811bb7f6a3a3b0ab6d2f85faf9808

SHA256
5ca7922b1a502a623e8ffba34df2dd0e8d87c31f08768c075e03379a109aab21

SHA512
8b57c0219f0ca93265382e20feed588f470b8c538aa260184a7c62d1ff511cfe381a4788040b686690c7fcda80d1edc8a88f3203b279b9796334c1546c8c4ef3

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
303KB

MD5
31d8b430a1a5b8704cc287109cc41016

SHA1
7e006eff87715df657e6042ab4d6e976f76dea58

SHA256
342bd87517ac5cd80ee6c336d0e03a4b4a408115a1af6545e0c15b48c8fd730f

SHA512
5137f03a8f2029468b14eeb9d7eac142ab700c03276870e1186ece4024de92c553547971c0e2a7b660f91243f7fe632c4708cc6a57fd88a314575d31a0f9f434

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
303KB

MD5
cac214af04217d77758168b58fc56d62

SHA1
b494c8dcb6cf906722b513c99d50905a53e027f8

SHA256
b4a42eb013c7175227b947592d5314bb33e7c7abf1b17962a83915d408cb136d

SHA512
d6a9e048796e851dd05294f172f6e451aa42f1c1201efb18a6ca2cdf58b99cf40f2d0bca1f46b1b0c1ef253f4861df4b33d60991de1701a574442fcbed0a878b

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
303KB

MD5
059fa616d5b2d9a6fa9be7fa58c008e5

SHA1
d73686cfc4d4aea026dd4226cfe2a73c9d3ee10b

SHA256
8c11928e29bb32ae86bd6c1e292d96b68f9c258a801ce54d8b4d5c308bb5ae59

SHA512
a8b54c84d1685023b5a336df9204b3a81b231b534a3345de7ec15ba79ba8acdce307aff2c744e07b70d95755804cfb5baf106c9bcaf74a17976fa8d1d55fccde

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
303KB

MD5
b9ddc5ef1cee00d6e9cdab72c531dce7

SHA1
32eb879e82af51fdc4dafc4244c95292a688dc46

SHA256
dda558a249f4aaa4523874aa4fab50454d3f6842b0cf0d39ae045009e3cc4aac

SHA512
a9e9edc2bf207f06f9dfce617ec34d6dcbe022c89d9c000a6a274d47f6023ab300f0655045e6f971f036bafe31bc80de2dd05495a52769198185f6781e008ec4

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
303KB

MD5
319948c91a1b100f677a45e5d84b8ba9

SHA1
20db17823705c1d2aaabbd44e31655f59d0c27d7

SHA256
7ab3f0980770dfca1c87c5fff6e941c951f433655029abf6724b056f3875432c

SHA512
729fb33abfc70a4952ac1a2a5b8281cbe73740e0d5fe083eeb1f8fa82506f792d126521dd9c4991c81de19786125205cde7a6087a0adffdc4a82fbcf810aaad9

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
303KB

MD5
01ab5ea1437fd6346a3c8b958c5dd272

SHA1
488c5b1336b3f72e7497afae9fa570f57c8755c9

SHA256
1d01fe949e61004d68cd4facc9028bb9ca98773c8a35b8bc1b42fd66ddac1154

SHA512
c5166fba52118517f589615a5e9c3c97b8aa9b8439ea3389d0365e6e13158cdca5c3a1cb53ac17b4b698b894341130b85cd068b796d6fdf84ba4ad2bf9654210

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
303KB

MD5
3086aa579ebf9277f53c24923a9dd3b2

SHA1
061c732769a3074cafb638e3849d9404694ea830

SHA256
d4d8a49822afe402089e59dd2fecc60f9c39288051df8d1b952222d6410f58f6

SHA512
0eaf8346e6cb4a5a85eb023751d9f1134ce0a78091f47990a0d5c11a06f76bb5a8b769fd177ecd9a3173ebb17b7349eb00d5209e6f275a6f937c54ed5e682c95

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
303KB

MD5
847be34d8a334d9e5aef1eeb167c82ba

SHA1
4db4d83108f2025a36435db51b55401645f7e830

SHA256
1b414a103e2dd1d29ab3fc89f34fadf3ee6151c65cec247766fce04fc8cc2227

SHA512
b535faa0b178ad551f5f64fe8babb9935d2f777718c267a03d922826b06108e8a6de29b53c59d1961693f088df3a8e32fcda8abca7153a8dfb01795999c8b574

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
303KB

MD5
aaf27381d100d1b4a2d344cd695f4f14

SHA1
483583693c78bb87ed540505bc4280e486531a1d

SHA256
3b7b026edbd19c8829a7303e5cdab69381b63bdcc3529308f441fb62f71d405c

SHA512
0b98b29c1265930e7044780dae73307b0641f64167619195bef5e3491e2d48e50ec90db66c4461c56800c877651a8fc330013bc30aa21641b76d4f2c2f84318c

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
303KB

MD5
02bc8fc698fae9d42e3bcae911079ada

SHA1
0d30e65c460bc52409cc91f7b4fd2ee52ed4f36e

SHA256
ea5f2ee332028355b9cbdfc632e8a15b17a0def17f7caed7416ea2b8bb3c89a0

SHA512
b156a8aeaea49f9b7b6055d58763f4fe17d6d1a6f64ba43a3be23e643b643c2dd007e3ee1354f81a15ae81820b56fa4a520b1e443c63d022e9624d18e653bcad

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
303KB

MD5
355f9c676c7c3d845e27d7dfb3e7bd7a

SHA1
c0259ab30ec857b33fc5e4ffa7e5c2b93df1964d

SHA256
0d0c0c638a00f10b7e0f0ce1b435b4db8761ead425d86aa77482f8eff92bc59c

SHA512
97372b18a9c24d531018d558eaa6ab2e5b47dc069ccded4b6faeff7ae8c992d2877037970987a144c81ed992ac28c18ddc876700f9bf543b696de802d1b0e0ee

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
303KB

MD5
f81969b543e0ce01a95303e9344e7dc6

SHA1
41c2cd4e1df83a22c6c3fe53527c54d75aa787df

SHA256
cfc94f88d5fed1c63999cc23a580414928deb5d4ad17b7bf203440a7815a9926

SHA512
5e2930b4a019cfd34486a79bc4bac5279e7bbf09f5a5a05c11d5cc90793bdeeef35eba972db9485c3f11ba01ae38bfa3ea5c233d0e7db865514657aeb5f73f76

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
303KB

MD5
d68f4815aca8312e80c268efd3f7c848

SHA1
426fce13b12224d6db6243cdef80286342cd700a

SHA256
c07857f6bb0c416476b81d71e2a3503a11cd9700256e16c7aac9c183eff6d656

SHA512
c29c0353c14bb483839eb82af99be698c07fde365a23865d10fd52974ccb9db2ef56060e37874a5f22480796c2a6f5cb00a60119989edb2ebef0f70a003f65f0

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
303KB

MD5
21540218704b8c85c670a022da534edb

SHA1
da9d9ddbdaf1cfa77176995dc171a90e55ead839

SHA256
422ea2167448cb178f6a2f091499ebc437bdc79488cdccd30b970dad17674b7e

SHA512
7e9b22cfd623ff1a1b6b2fd62eb32ca85a7f200ce607aa1e2d27a73a376f5cc6bbee7a9829dacde9b459232267c2be7baa2f6f24b31785313c51d2f6ec4dd255

Download Submit
memory/388-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3912-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads