berbew | 3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b

Analysis

max time kernel
96s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
Size

57KB
MD5

6941851ee5e4ba277a2da24f851abbe8
SHA1

787f5e549cbf291061ec6c735172543434aba383
SHA256

3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b
SHA512

d0e6f785df905c5ed99de1f1f7085a7c8339b295061a40919d40676bc29f417fd8025dd92b233ed89cd8887fb7704f826f2391781a64c607db274dbbdccfa804
SSDEEP

768:KLotA4kEpmst5z6fJ8RskD4XiVbxxI8SSZXieSdSZXwwwwwwwwwwwwwwFJu1IZf7:KLKpmCWBYDfJ7FJ4UEA8O

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 19 IoCs

pid	Process
3724	Chagok32.exe
3512	Cjpckf32.exe
3276	Cmnpgb32.exe
1680	Cdhhdlid.exe
976	Cjbpaf32.exe
2132	Calhnpgn.exe
1448	Dhfajjoj.exe
928	Djdmffnn.exe
4036	Dmcibama.exe
1484	Ddmaok32.exe
532	Dfknkg32.exe
1256	Dmefhako.exe
3120	Ddonekbl.exe
5024	Dkifae32.exe
3544	Ddakjkqi.exe
4788	Dogogcpo.exe
4396	Deagdn32.exe
1520	Dknpmdfc.exe
216	Dmllipeg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1712	216	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3724	4764	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe	82
PID 4764 wrote to memory of 3724	4764	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe	82
PID 4764 wrote to memory of 3724	4764	3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe	82
PID 3724 wrote to memory of 3512	3724	Chagok32.exe	83
PID 3724 wrote to memory of 3512	3724	Chagok32.exe	83
PID 3724 wrote to memory of 3512	3724	Chagok32.exe	83
PID 3512 wrote to memory of 3276	3512	Cjpckf32.exe	84
PID 3512 wrote to memory of 3276	3512	Cjpckf32.exe	84
PID 3512 wrote to memory of 3276	3512	Cjpckf32.exe	84
PID 3276 wrote to memory of 1680	3276	Cmnpgb32.exe	85
PID 3276 wrote to memory of 1680	3276	Cmnpgb32.exe	85
PID 3276 wrote to memory of 1680	3276	Cmnpgb32.exe	85
PID 1680 wrote to memory of 976	1680	Cdhhdlid.exe	86
PID 1680 wrote to memory of 976	1680	Cdhhdlid.exe	86
PID 1680 wrote to memory of 976	1680	Cdhhdlid.exe	86
PID 976 wrote to memory of 2132	976	Cjbpaf32.exe	87
PID 976 wrote to memory of 2132	976	Cjbpaf32.exe	87
PID 976 wrote to memory of 2132	976	Cjbpaf32.exe	87
PID 2132 wrote to memory of 1448	2132	Calhnpgn.exe	88
PID 2132 wrote to memory of 1448	2132	Calhnpgn.exe	88
PID 2132 wrote to memory of 1448	2132	Calhnpgn.exe	88
PID 1448 wrote to memory of 928	1448	Dhfajjoj.exe	89
PID 1448 wrote to memory of 928	1448	Dhfajjoj.exe	89
PID 1448 wrote to memory of 928	1448	Dhfajjoj.exe	89
PID 928 wrote to memory of 4036	928	Djdmffnn.exe	90
PID 928 wrote to memory of 4036	928	Djdmffnn.exe	90
PID 928 wrote to memory of 4036	928	Djdmffnn.exe	90
PID 4036 wrote to memory of 1484	4036	Dmcibama.exe	91
PID 4036 wrote to memory of 1484	4036	Dmcibama.exe	91
PID 4036 wrote to memory of 1484	4036	Dmcibama.exe	91
PID 1484 wrote to memory of 532	1484	Ddmaok32.exe	92
PID 1484 wrote to memory of 532	1484	Ddmaok32.exe	92
PID 1484 wrote to memory of 532	1484	Ddmaok32.exe	92
PID 532 wrote to memory of 1256	532	Dfknkg32.exe	93
PID 532 wrote to memory of 1256	532	Dfknkg32.exe	93
PID 532 wrote to memory of 1256	532	Dfknkg32.exe	93
PID 1256 wrote to memory of 3120	1256	Dmefhako.exe	94
PID 1256 wrote to memory of 3120	1256	Dmefhako.exe	94
PID 1256 wrote to memory of 3120	1256	Dmefhako.exe	94
PID 3120 wrote to memory of 5024	3120	Ddonekbl.exe	95
PID 3120 wrote to memory of 5024	3120	Ddonekbl.exe	95
PID 3120 wrote to memory of 5024	3120	Ddonekbl.exe	95
PID 5024 wrote to memory of 3544	5024	Dkifae32.exe	96
PID 5024 wrote to memory of 3544	5024	Dkifae32.exe	96
PID 5024 wrote to memory of 3544	5024	Dkifae32.exe	96
PID 3544 wrote to memory of 4788	3544	Ddakjkqi.exe	97
PID 3544 wrote to memory of 4788	3544	Ddakjkqi.exe	97
PID 3544 wrote to memory of 4788	3544	Ddakjkqi.exe	97
PID 4788 wrote to memory of 4396	4788	Dogogcpo.exe	98
PID 4788 wrote to memory of 4396	4788	Dogogcpo.exe	98
PID 4788 wrote to memory of 4396	4788	Dogogcpo.exe	98
PID 4396 wrote to memory of 1520	4396	Deagdn32.exe	99
PID 4396 wrote to memory of 1520	4396	Deagdn32.exe	99
PID 4396 wrote to memory of 1520	4396	Deagdn32.exe	99
PID 1520 wrote to memory of 216	1520	Dknpmdfc.exe	100
PID 1520 wrote to memory of 216	1520	Dknpmdfc.exe	100
PID 1520 wrote to memory of 216	1520	Dknpmdfc.exe	100

C:\Users\Admin\AppData\Local\Temp\3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe
"C:\Users\Admin\AppData\Local\Temp\3d329efb9e7218a28cee58e1dafdfedfce7b57067b28dac08aa85b90e288318b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\Chagok32.exe
  C:\Windows\system32\Chagok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\Cjpckf32.exe
    C:\Windows\system32\Cjpckf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\SysWOW64\Cmnpgb32.exe
      C:\Windows\system32\Cmnpgb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 396
        21⤵
        Program crash
        
        PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 216 -ip 216
1⤵
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
57KB

MD5
33dd093da8f18c9d6a47eb15ca8c24a8

SHA1
02139aa2fcf236053715bf9135008275d75c1d2a

SHA256
97bb8671abad45229b89846c15d8edc20050d43deaed68c37b6ad5d6a7397e0e

SHA512
a1a6617e42f88cc4fbd5eec95f4498397322047d5bf7b4a8f0c373d84b040cca841dd7d3bedc149372986c6e246b8335bcb5d6aeb82388e11eb826140db453d5

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
57KB

MD5
01a35bcce8a0214a80e3cb4c38fa7c5b

SHA1
0528900daea8ed04073479f751a756b4f0c49fa5

SHA256
4180c6b35b6589c9e0e3c742f083a93921118b849ba25c15c3cfa53acc514d24

SHA512
17d8ae6b3e70e34c7666b71805108b885bc61db94f8baccb5ec748229fc006a874afa5525940129c00ca5a021cc45f94f24971cfb7330222f75068d6de5162dc

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
57KB

MD5
ae12aa30ee73eda3ea330e2d8c6c7f2a

SHA1
36c2a4dfcff03b05ced04146d313b591e889e8f9

SHA256
6ceab6cde7b8d19d6e8449545b6478a1e925b21256a65879e8e2aa1c12e30627

SHA512
0980e71c514ef4d3b6f18ddcba2522ff54a01ead8ae55ca964475947b05bff4a618b8bbf8b41b459adeb933271ea5cf59a3abed7f79f13fb2238a4c798f43e59

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
57KB

MD5
11fee8cbdf07eacbe79a5f9ab688dc5d

SHA1
510b83007b2d630ef5d9859fc23c26de5a2634ec

SHA256
11346b0e400005f52d82e26d2d5c40c645d0d9661419b8d1f877f182379d9f58

SHA512
0ee83090bfae2f3b0bc40d1794ccb964940ae27691444a29489fdf38f7c2cb862ec8de23fe75d53d966a83bb2db51cc6d733a58debcb6a9a3ec786740f3c5c0f

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
57KB

MD5
d270a9102e96aef60805724c2d775ad0

SHA1
8b831f07b3f3ec256123807394299a61642a2013

SHA256
b936fb100b5e70a14aaf3a099cf7dca798020338b3649b0ea74f8c17fc9e661b

SHA512
50ea0de107680d6356afcf376d51560b12712978f2c58ad860ce815d64e16a345689de0e9642d13ee2470b0982f0ac8143b76d2e27d9c8565661c0cc54ddc822

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
57KB

MD5
d185380c33707de798387b89e9320900

SHA1
46c19a2682d04df78b909bbeee26c94b05018ea0

SHA256
9a1917eaa306f8a4fe82edb0f4456645205017fb1f4f16030ae3220dd4cff4a9

SHA512
3ef30338fffc5b9ecae01e6f61b2cf225ebd7457947f7d69ba023b21c2cbe69deb7f522df247639cf0ee504a8c3e9f407f2965b0f3b0403f00d82ed09116a8e6

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
57KB

MD5
6dcc51c065620522861d7a9f369742a5

SHA1
fb75f529b9cd97dc42fba3f74614f8a1bc96af20

SHA256
19f8be3e5deb00a2688218a2366f249cb04b479474c302fdadef6e6ebbbde198

SHA512
87964a1c61e8c4a8971148ad7fa06af292a688ac577d388749b1ff883320de841146dd0be9b0bdfd779d5017eeddd446f7f21131dbc0c39819575c4b8b210233

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
57KB

MD5
a9d8e8eb2d03514b5e4777b670e9e141

SHA1
ab777d7131241f019c69ad205ac1a54668f56e38

SHA256
8db6b3d831bfd0f65356af2376c424ed4134eaec05e8c9e4f5b5f7c9532f610d

SHA512
14d3fa05484a039551d774dd40be5911732e1e3e0f0d37ba142107c062dc9a54208dfbe6e4cc89d2ebe22d98d1b5e874eb66438364518450abe1e00757179b3a

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
57KB

MD5
37595388e797b05700774985e5bef0d3

SHA1
35e975c1776f03b1411be73657db617ddf8d0530

SHA256
0ac18dcb066f1f952d655ab735a15efedfa59095026aceccd75b3fcc22dff02e

SHA512
6d355d59f482ed4c110737ec8d86c39afaf49a10ef5243feaed25401d0d5f2b19b6e5ff84bc74b81cb9211c1bb4a73b82ed6578085fb8751c2a64a3f6462912c

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
57KB

MD5
c4f3ba1c46736b0804f51b0d16fd175d

SHA1
a3bd1b703923baa64c0975d106e51f7d13ec1e42

SHA256
571de72f92619832e5453abe936a38c9ee07da83a2951e2d34bae00739f37a1c

SHA512
e58457cc9d23c00dd3cda0740b2af352a8e66cebd74a083cae88ed6f0e539e64867ced7b024a01f35d75f37473a7def1ed731f8f081c70e46711c724ea5f4c72

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
57KB

MD5
fdd4dbc5282d6127fc0f103b1a546984

SHA1
8c8e9ed5bd31630e0ac6b3b91bb1d46a1e2411d6

SHA256
a1138acbfb3e30f0ccb3150071f357405cc84f970b60761562ee05215dfd3644

SHA512
7fc97a22907de12439ecb70da13fa1eeb238a3ae371413b66984518178d3501c52c7e97f52dc079514eea4309822ffeba5462dca1566148402e8c04d5966a9bb

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
57KB

MD5
32498c5c3964875c6c5bd811728a664b

SHA1
05f23e6976392488a0c03404a958d56398aa1499

SHA256
d528e6ec3acf02ad994cb1b180dd4e572417ebe602ce88f58f03496e2d60a3e3

SHA512
3f5e39c5b13649d66697ef9210e1e804f5d869da8c8d3211d23a0a7d1f5bad6f005ba77bb0d813c1e06b6c80f25eb00321841738bf749592ef324cc4e03d3fa6

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
57KB

MD5
f1e52cc8f6f76723c3da5df8ee302a15

SHA1
8814e592cedce2f7fbd3048c5ad6a33a45ee4e63

SHA256
9265bdb115d4e24c2436a5588eae4268286d063cd7495cde0fce30fa597b0610

SHA512
be84d4290c8a9feb0e030a8b6664640ba8b89094a39438cc604bd6d5dc9922484a24e876ba8534a2c70fdd4617651fddba72f0497577df5a41274dc4675c5425

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
57KB

MD5
1dff8bc72927c241573d289b9af2f891

SHA1
dd010a9059b0695c3e7e244a7628ca87e4c70749

SHA256
e5321e43c04911e9e3d6ba170b6c66d481d52abbb9da80916deaded987caacf3

SHA512
6f867805657fc51bb42f81387c04d33169b49c75645f24bb304d77e7b2224a7563e66c0ac42f66801e2e557d7fa4bf2074230c4555e6334fc2d194c8cd95c3eb

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
57KB

MD5
7625f3c9f33a46369ecdb0760bedb544

SHA1
7cc6a9a1d7d104651abbb2ef32f209161a219ffe

SHA256
f16e61845b256f25b9df79be2622dacfa6dc1d5544a9d6601b321784bd28ed32

SHA512
e742ad2e6ee3acbec070f3df8f06eb518c7a19eaaddfc63b16efc4dd7b92e184c58eb1de80f3cfe4eb0a0eaa142d15fa2fa8b496d9c441ce2153c02a946ff449

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
57KB

MD5
d2211f00b9d2824dd18036b060986f93

SHA1
2e9b49a82935d775bcdf1eeec094b942f862f90c

SHA256
384ae6340999277ed66bb46f7eed5864dc50aad89bf43ffe75cead7378c1e019

SHA512
2cd5a9c1e46a512417505e39577c880f4f72866784209d6b47e06fe2422bffebffabc753acd029d8be08e6a058369c0167a792ce693670d2f570cfd0428ac95f

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
57KB

MD5
a0cf3662baa35fd424bd44dcdef129cf

SHA1
9ec073d87b5635d11a36b9b1a091bb63b4fc5d43

SHA256
b1a8cad29837b6b04b64d12779ebc05e1b3e0be38a069be24f1944819c9d5e79

SHA512
a46e347eab8b910159c9785f6200023ab29da575c88856bb883176c757e4630a23518c7c90a8728abad2142804a331d531e2cbcc311f1e777184c153850c89c1

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
57KB

MD5
b9530a6dae1c10afa1d97523e91844d4

SHA1
ac65f03dffd7a7df3190ecf96cd6dd9a1ccfc00c

SHA256
bed9ae2cf6542040e250f1cdde015762da9dac692785a7388eabbaf160129828

SHA512
f0efc102cd374ef05a5e63f74b4eea6272f75eb34c37e1240b77995f4f348234d1df42311b558b7d02ed34c19414c8bdbb85b80fb8a6281ec087c055ac76c051

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
57KB

MD5
91167ad81c3b40d22d13ed1c3721541d

SHA1
13a0fa50d3d9222cef8e8d4f2b55b5826e1d74e3

SHA256
8502f7c4ddb0c7ee563d666b832be2e65efa57db9ea0e1af1b8f87ec408c433c

SHA512
d1918a5ae8c0cd48f44da9ef043e62e54fa663ce75ac3932a76b07c568331e220878735340a8359e8788650e75235829bbd56c42083bb35452fc47262d4e2efd

Download Submit
memory/216-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/216-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/532-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/532-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/928-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/928-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/976-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/976-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1256-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1256-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-166-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-163-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1520-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1520-155-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3120-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3120-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3276-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3276-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3512-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3512-171-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3544-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3544-158-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3724-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3724-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4036-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4036-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4396-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4396-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4764-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4788-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4788-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5024-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5024-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads