berbew | 952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818ba

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Size

385KB
MD5

bc7aed3bd7f514c6e42cbe5fe4fdd880
SHA1

6e6e0bead274f321028383d7f19a650642b89d17
SHA256

952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818ba
SHA512

d8f6490d632059d11fbc59e26454d98f67b944d713d46b0e7335e42431efc7d5b60d3719a03457b9a9b52a3a05754197c793b8420a9b046c79c21a71ecbe4c97
SSDEEP

12288:vkQrEPy59SLWy5jy59SL3y59Ey59SLAy59SLZy5iy59SLv:vkm4y7oWypy7o3y7Ey7oAy7oZyUy7ov

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 19 IoCs

pid	Process
1648	Cfmajipb.exe
4432	Cndikf32.exe
3724	Cenahpha.exe
3520	Cdabcm32.exe
3256	Ceckcp32.exe
392	Cdfkolkf.exe
2172	Cfdhkhjj.exe
1188	Cjpckf32.exe
2500	Djdmffnn.exe
3272	Dopigd32.exe
4220	Danecp32.exe
4952	Dfknkg32.exe
5056	Ddakjkqi.exe
920	Dogogcpo.exe
3952	Dmjocp32.exe
4728	Daekdooc.exe
2004	Dddhpjof.exe
3164	Dgbdlf32.exe
4032	Dmllipeg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4356	4032	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 1648	208	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe	83
PID 208 wrote to memory of 1648	208	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe	83
PID 208 wrote to memory of 1648	208	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe	83
PID 1648 wrote to memory of 4432	1648	Cfmajipb.exe	84
PID 1648 wrote to memory of 4432	1648	Cfmajipb.exe	84
PID 1648 wrote to memory of 4432	1648	Cfmajipb.exe	84
PID 4432 wrote to memory of 3724	4432	Cndikf32.exe	85
PID 4432 wrote to memory of 3724	4432	Cndikf32.exe	85
PID 4432 wrote to memory of 3724	4432	Cndikf32.exe	85
PID 3724 wrote to memory of 3520	3724	Cenahpha.exe	86
PID 3724 wrote to memory of 3520	3724	Cenahpha.exe	86
PID 3724 wrote to memory of 3520	3724	Cenahpha.exe	86
PID 3520 wrote to memory of 3256	3520	Cdabcm32.exe	87
PID 3520 wrote to memory of 3256	3520	Cdabcm32.exe	87
PID 3520 wrote to memory of 3256	3520	Cdabcm32.exe	87
PID 3256 wrote to memory of 392	3256	Ceckcp32.exe	88
PID 3256 wrote to memory of 392	3256	Ceckcp32.exe	88
PID 3256 wrote to memory of 392	3256	Ceckcp32.exe	88
PID 392 wrote to memory of 2172	392	Cdfkolkf.exe	89
PID 392 wrote to memory of 2172	392	Cdfkolkf.exe	89
PID 392 wrote to memory of 2172	392	Cdfkolkf.exe	89
PID 2172 wrote to memory of 1188	2172	Cfdhkhjj.exe	90
PID 2172 wrote to memory of 1188	2172	Cfdhkhjj.exe	90
PID 2172 wrote to memory of 1188	2172	Cfdhkhjj.exe	90
PID 1188 wrote to memory of 2500	1188	Cjpckf32.exe	91
PID 1188 wrote to memory of 2500	1188	Cjpckf32.exe	91
PID 1188 wrote to memory of 2500	1188	Cjpckf32.exe	91
PID 2500 wrote to memory of 3272	2500	Djdmffnn.exe	92
PID 2500 wrote to memory of 3272	2500	Djdmffnn.exe	92
PID 2500 wrote to memory of 3272	2500	Djdmffnn.exe	92
PID 3272 wrote to memory of 4220	3272	Dopigd32.exe	93
PID 3272 wrote to memory of 4220	3272	Dopigd32.exe	93
PID 3272 wrote to memory of 4220	3272	Dopigd32.exe	93
PID 4220 wrote to memory of 4952	4220	Danecp32.exe	94
PID 4220 wrote to memory of 4952	4220	Danecp32.exe	94
PID 4220 wrote to memory of 4952	4220	Danecp32.exe	94
PID 4952 wrote to memory of 5056	4952	Dfknkg32.exe	95
PID 4952 wrote to memory of 5056	4952	Dfknkg32.exe	95
PID 4952 wrote to memory of 5056	4952	Dfknkg32.exe	95
PID 5056 wrote to memory of 920	5056	Ddakjkqi.exe	96
PID 5056 wrote to memory of 920	5056	Ddakjkqi.exe	96
PID 5056 wrote to memory of 920	5056	Ddakjkqi.exe	96
PID 920 wrote to memory of 3952	920	Dogogcpo.exe	97
PID 920 wrote to memory of 3952	920	Dogogcpo.exe	97
PID 920 wrote to memory of 3952	920	Dogogcpo.exe	97
PID 3952 wrote to memory of 4728	3952	Dmjocp32.exe	98
PID 3952 wrote to memory of 4728	3952	Dmjocp32.exe	98
PID 3952 wrote to memory of 4728	3952	Dmjocp32.exe	98
PID 4728 wrote to memory of 2004	4728	Daekdooc.exe	99
PID 4728 wrote to memory of 2004	4728	Daekdooc.exe	99
PID 4728 wrote to memory of 2004	4728	Daekdooc.exe	99
PID 2004 wrote to memory of 3164	2004	Dddhpjof.exe	100
PID 2004 wrote to memory of 3164	2004	Dddhpjof.exe	100
PID 2004 wrote to memory of 3164	2004	Dddhpjof.exe	100
PID 3164 wrote to memory of 4032	3164	Dgbdlf32.exe	101
PID 3164 wrote to memory of 4032	3164	Dgbdlf32.exe	101
PID 3164 wrote to memory of 4032	3164	Dgbdlf32.exe	101

C:\Users\Admin\AppData\Local\Temp\952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
"C:\Users\Admin\AppData\Local\Temp\952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\Cfmajipb.exe
  C:\Windows\system32\Cfmajipb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\Cndikf32.exe
    C:\Windows\system32\Cndikf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\SysWOW64\Cenahpha.exe
      C:\Windows\system32\Cenahpha.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3724
    - - C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
      - C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 396
        21⤵
        Program crash
        
        PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4032 -ip 4032
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
385KB

MD5
0eb3d42d8074b63bc4f272405af19cfc

SHA1
a6117e68f8d8ec6dff5f1dd7b308de142994c876

SHA256
6f5ef72315ffecf0d8eacb575f455f6031810cc2c7adcee2e5f6f0d5c30ba261

SHA512
395b36f2f956d5972d437572bb2202cb14abdaf1ec7e6a3457b49d2c956e297a628c74ce3abe6dd16ac4e7375c0898e4f346a3f3165a5cd2d85c42defd8887ce

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
385KB

MD5
86680e9f4bd8268806f9848de17c7ea8

SHA1
e811e921a4c3906b12559f0298977f65dc1b5f31

SHA256
0945c2d858b7cb10f3b9da96e536fd44ea7be19f52db0657444ba453f834a275

SHA512
d211da271599af1289687fc2442459995b3c038dd0a915765a847f1de059fb21328b299a40d7f2adafc10288e4eebe301fb478814753cf3d18c1026880454f54

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
385KB

MD5
f9678335c37aece973294e768fde266d

SHA1
ffdcf9ecbfd4abb2ab07f29f309d419d2ffa1d43

SHA256
63f1e107f4a3dd5f031e8b70dc924dc7755a570025b1c4bdaedd085979183d4b

SHA512
af97332afc70ccfe97bf27f25bc55628069254e51be44375c9c745f55b27aad42e843632377618cac5c95970757885fb3822ad989c2ff200e6d3c1f4fb18f9f5

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
385KB

MD5
37b915920490249404e4de762dd2e2ad

SHA1
a6e0dd6beee5cbd4941d4ec9bc6ee4a10a70dc1d

SHA256
c75328664201b2e70954a1d6a710d959e0da38c9fca9e124f24e227835a6eb47

SHA512
f6c64cf9933a3598f72a91c234eb65f516d5f0700d55bbad3de9be8138e0bce43adb6dbfb008f77a2b630d58ca0a72faf93b7342008243ce35d66fa40948f887

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
385KB

MD5
8f6bf52a3efe3fcde37cdc159592c78e

SHA1
01452d7333ba50c56ce1079bc264c089894eac15

SHA256
d4c002d7d165c9f86fb6308d8f39952fdd28502994b42b2341cd117df49bd977

SHA512
5bee87a226a398d080b1a326bb38323d6125cb6e00a004b24a70ebc0d5b81eb31c3ec2c053e582cb1d25ba997ff31cd9f55d8a251dcae81b80a5318de9c34cbb

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
385KB

MD5
b1187fec9b7dbdbd0fc2f40c9e4bedae

SHA1
61a8d9db042fbca648f75827f5c1ec90af367947

SHA256
3de123c1647ad1f6211316f9312dd2555af7d9b466d408fa029e265f3bdc66c3

SHA512
7db0ec7fe22c080e82e40428c7f09662180ffe6ff4e63c4026540539a03c98349eea8b055b8f6b98b2c5ad6efb196162310b40099765b98d8f0ff258f4c20c1c

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
385KB

MD5
3ee30bd5861252947fd7f7a9a8f17022

SHA1
4477ee88b155abd5dcf5a72482ebf2b1bbdf9321

SHA256
ab8f09df53071e90e155239e4deb695739e9c07143c905e3627f489ad1a4cd8f

SHA512
51f6985c0106a3ae1a1ddb38eeba5f7cf0788731caaa4ec01e6fbaa780344788747b8c6edb8fbaf66b88930845c10963a03a81cd72a6ea59ee653bcd65454fcc

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
385KB

MD5
859e59284100ddb631fdf266aa69d719

SHA1
a368099e0b8300f4423ea6c2979fda42e7238e76

SHA256
845b1889080e2fd823d1825064f4b542b15bb6045a7ad7aea6bd56334e194f13

SHA512
a432f3a12708f5785f27676f42e5bf290e8ea69e657d64467f1a3bdde08568c89a0122116f23ddc961e75f12661074dd64492e0ab397618be512a2c0c8c30432

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
385KB

MD5
91074c1a319c4ea2bb040d0fa9870839

SHA1
8ae21bbedb4bb9c71be89a5e07bd99f2d0c26ddb

SHA256
45e5cdaa779ee09d7a0fac0d7eaa3bd345894d7f9aac71c22b8863e4c514fbb6

SHA512
d2f641b5ebcf74d6860123718a6f157121b1c02da3102251f308a28d3c5880e96cba506a00c54f18b0807e1f3f05c58a72ae673c6242175e2d1b8a65afb57725

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
385KB

MD5
fd7da107e3e69532c66bc162bfa88a66

SHA1
1bfe220e6911f55574f475e88abfae2e9875eeb6

SHA256
5cde2aa2b9959e87b16a7d1ebd39f9f52ab15f7f73bc280cf4462f5861c30841

SHA512
1b218f1cf46fec206c515a65e78c66f93a5d6562e6fd9a781c4b206fcad43affb516433fa9ba7607319ae196196178ba105cd90024748ff9d16d867b0e39cb3d

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
385KB

MD5
30a4ce7b400b5e743b695fbb50bcb939

SHA1
79cf589251e9c2a63c461708a800e5a53527d282

SHA256
04b7ad8947a6fea7835e345c23180466b383de376fb9a3fff96703c4f5de9710

SHA512
913cd1ea4f95e71b51761d03a68130c63a283688eb24e4dae288d784fe95a9feb65bfe8e120ab2ff7bc89e6beebfc50bd8b0c78a36da82e3b064627301b5866d

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
385KB

MD5
2c55f61af6fdc9347738bd6d81d12440

SHA1
b47d69b5ada45b8f435fe6b62ee3b0d31564a2c4

SHA256
644f9408a900cf21f3abc61e3f6ee4c689d4b11de46e2fd63cc4a8bd291f6140

SHA512
41a386c61805439baed0ece0a1faf19272da1f608a0e2cf06dd2130ed4f03ff234f68366a4146c3c21ac5972713ce1def446849001bb497980871881183e0064

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
385KB

MD5
b129dd9c466e494223a06bbf73ff6bc7

SHA1
0cf9b2850e261f7d1fa2923dfe9b65f5d694b322

SHA256
f5744448abc0d124aeb7d5b6dba57d29baacebae81c0a678c9f864ee8bccf680

SHA512
d92797916574608a0af86826fdc8b80c126ab439da60c3962cf1d1d7bd5b22be28680823fa0f07deb3321b31bd9384470c35d497de06e833c41a15366c9b6ea8

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
385KB

MD5
5c255583ce4374ce881d68bdeaf08a72

SHA1
7625a7e79a6ef570ba44085686bfc699c2de7dad

SHA256
13b2e6156c93b7f516da2c95be08f2755ae776e8392a951e691539a9f17a22e9

SHA512
5c1e270ee2a176f3191e60a86617defc8128836216a347238016c249fb1f2b72ccbd37d5547fc00bbb4b5872773c05f45d434708bc1e4b82e6c4a69174004bc6

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
385KB

MD5
ed1f30a9b0e26c6a5f48f048a7aeb685

SHA1
92b825ffd85b6d66eef5e789c423511661741abf

SHA256
cb30bacc6ca29d87ee417261d538a824bbcf643b875241e406ac9977f0718f8e

SHA512
5796f5ccb0c94f0ea49bcf16c2fb27d3db56c7839f4817cc345a9f66576aa6f9b494da76e332cf0eb8adc01b2ba9ac7882bad0899edb92d7c7974b793253c0d1

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
385KB

MD5
978552613f6b8bdc0cbeeb032b8f0285

SHA1
3e05cab76512e70e0ed841337bb826d8661d026e

SHA256
82ad935add07d6dd2eb47c175092df363ac77f1ebb603fba7558979601712ef8

SHA512
925e762fb68eeed211434983d3b98708a3c3039b0f8e87cf0b9fdfbdddc0d6115615f37552a00bc3790ea5b0d62cb6c5a6c7e61a79767f70f4db2304027ba5eb

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
385KB

MD5
a263a855d20092f5a4be68e9dd8795db

SHA1
8c1427a4933a5d4a7a55ba2a35d56e58e6d62c90

SHA256
5ccc983c65377022086a6d451f48bf5a24699dcbb0ef31158dacd32ae1102ea2

SHA512
98aa66cfa5d0e7c979184ac01a0c3433d1962e73931fd4cb252a850bd90055794528b793e7089ff5f36b6dae0466779981ec68e894b4b1bf3042076978cea553

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
385KB

MD5
fcc5643f6d879d6e545f84b89304bf41

SHA1
4d79c31afaa96f41fd6280d88116deb5b9b31c56

SHA256
6b28f27936e9ab360b2f710a6c5c6a7462ee1305bfd6afa20c6312e03c4b9e5e

SHA512
54f990b0a809a801567911ba11db4a85e242900e7237d9ecbc41e498581703a1b8b61293850f21a87e8f4e490a21795670347c449b9ef7476205e48ee5487100

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
385KB

MD5
fb21cf4445573c745eecda85692a6c16

SHA1
2a408b7f244b148fb7ef591b49da14ec6f27aa2a

SHA256
7747ca24dd2acee0d253a98ebe9ef370ab4cd6472f0de2314d154d3462afd7e4

SHA512
62b9b11bf4259fcf911c488fbbdfcfe5ffdc99ad7bcdda0ba5ebdd2dc13ba13e310c87d391f571f24a31d5761609c555a8088d08502ae78ee9029d36d3c75992

Download Submit
memory/208-192-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/208-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/208-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/392-49-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/392-180-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/920-117-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/920-164-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1188-65-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1188-176-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1648-190-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1648-13-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2004-138-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2004-160-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2172-61-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2172-178-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2500-174-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2500-75-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3164-150-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3164-157-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3256-41-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3256-182-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3272-81-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3272-172-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3520-37-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3520-184-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3724-25-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3724-186-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3952-166-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3952-128-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4032-153-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4032-156-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4220-89-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4220-193-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4432-188-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4432-17-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4728-161-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4728-133-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4952-169-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4952-97-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5056-168-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5056-104-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads