berbew | d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f

Analysis

max time kernel
105s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe
Size

243KB
MD5

13b23a26ac61bf3bfe6c71f9ff2115e8
SHA1

97b0865b1ff9e12ab185b718f1f638b698cf489c
SHA256

d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f
SHA512

4ce04db917387adddb6108f1a482411db2c7d2c78bfa65b8d55a50a48821f0fb99312b556fce8801e3a8d53957eed13ef48819f89300dc52e4352e569759c0a4
SSDEEP

6144:4mt0ixiBeTjm4ZKzwdlU2zlNgwTnAWtlhjQ:Prjm2l5LhDAalhj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 19 IoCs

pid	Process
2692	Cfpnph32.exe
1872	Cnffqf32.exe
3440	Caebma32.exe
2212	Ceqnmpfo.exe
5016	Cfbkeh32.exe
4592	Cjmgfgdf.exe
4920	Cmlcbbcj.exe
3776	Cffdpghg.exe
4780	Cnnlaehj.exe
3916	Dfiafg32.exe
3468	Dmcibama.exe
4936	Dhhnpjmh.exe
1168	Daqbip32.exe
452	Dhkjej32.exe
4668	Daconoae.exe
3688	Ddakjkqi.exe
3152	Dogogcpo.exe
4232	Daekdooc.exe
2468	Dmllipeg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Flgehc32.dll	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	2468	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 2692	3928	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe	87
PID 3928 wrote to memory of 2692	3928	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe	87
PID 3928 wrote to memory of 2692	3928	d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe	87
PID 2692 wrote to memory of 1872	2692	Cfpnph32.exe	88
PID 2692 wrote to memory of 1872	2692	Cfpnph32.exe	88
PID 2692 wrote to memory of 1872	2692	Cfpnph32.exe	88
PID 1872 wrote to memory of 3440	1872	Cnffqf32.exe	89
PID 1872 wrote to memory of 3440	1872	Cnffqf32.exe	89
PID 1872 wrote to memory of 3440	1872	Cnffqf32.exe	89
PID 3440 wrote to memory of 2212	3440	Caebma32.exe	90
PID 3440 wrote to memory of 2212	3440	Caebma32.exe	90
PID 3440 wrote to memory of 2212	3440	Caebma32.exe	90
PID 2212 wrote to memory of 5016	2212	Ceqnmpfo.exe	91
PID 2212 wrote to memory of 5016	2212	Ceqnmpfo.exe	91
PID 2212 wrote to memory of 5016	2212	Ceqnmpfo.exe	91
PID 5016 wrote to memory of 4592	5016	Cfbkeh32.exe	92
PID 5016 wrote to memory of 4592	5016	Cfbkeh32.exe	92
PID 5016 wrote to memory of 4592	5016	Cfbkeh32.exe	92
PID 4592 wrote to memory of 4920	4592	Cjmgfgdf.exe	93
PID 4592 wrote to memory of 4920	4592	Cjmgfgdf.exe	93
PID 4592 wrote to memory of 4920	4592	Cjmgfgdf.exe	93
PID 4920 wrote to memory of 3776	4920	Cmlcbbcj.exe	94
PID 4920 wrote to memory of 3776	4920	Cmlcbbcj.exe	94
PID 4920 wrote to memory of 3776	4920	Cmlcbbcj.exe	94
PID 3776 wrote to memory of 4780	3776	Cffdpghg.exe	95
PID 3776 wrote to memory of 4780	3776	Cffdpghg.exe	95
PID 3776 wrote to memory of 4780	3776	Cffdpghg.exe	95
PID 4780 wrote to memory of 3916	4780	Cnnlaehj.exe	97
PID 4780 wrote to memory of 3916	4780	Cnnlaehj.exe	97
PID 4780 wrote to memory of 3916	4780	Cnnlaehj.exe	97
PID 3916 wrote to memory of 3468	3916	Dfiafg32.exe	98
PID 3916 wrote to memory of 3468	3916	Dfiafg32.exe	98
PID 3916 wrote to memory of 3468	3916	Dfiafg32.exe	98
PID 3468 wrote to memory of 4936	3468	Dmcibama.exe	99
PID 3468 wrote to memory of 4936	3468	Dmcibama.exe	99
PID 3468 wrote to memory of 4936	3468	Dmcibama.exe	99
PID 4936 wrote to memory of 1168	4936	Dhhnpjmh.exe	101
PID 4936 wrote to memory of 1168	4936	Dhhnpjmh.exe	101
PID 4936 wrote to memory of 1168	4936	Dhhnpjmh.exe	101
PID 1168 wrote to memory of 452	1168	Daqbip32.exe	102
PID 1168 wrote to memory of 452	1168	Daqbip32.exe	102
PID 1168 wrote to memory of 452	1168	Daqbip32.exe	102
PID 452 wrote to memory of 4668	452	Dhkjej32.exe	103
PID 452 wrote to memory of 4668	452	Dhkjej32.exe	103
PID 452 wrote to memory of 4668	452	Dhkjej32.exe	103
PID 4668 wrote to memory of 3688	4668	Daconoae.exe	104
PID 4668 wrote to memory of 3688	4668	Daconoae.exe	104
PID 4668 wrote to memory of 3688	4668	Daconoae.exe	104
PID 3688 wrote to memory of 3152	3688	Ddakjkqi.exe	105
PID 3688 wrote to memory of 3152	3688	Ddakjkqi.exe	105
PID 3688 wrote to memory of 3152	3688	Ddakjkqi.exe	105
PID 3152 wrote to memory of 4232	3152	Dogogcpo.exe	106
PID 3152 wrote to memory of 4232	3152	Dogogcpo.exe	106
PID 3152 wrote to memory of 4232	3152	Dogogcpo.exe	106
PID 4232 wrote to memory of 2468	4232	Daekdooc.exe	107
PID 4232 wrote to memory of 2468	4232	Daekdooc.exe	107
PID 4232 wrote to memory of 2468	4232	Daekdooc.exe	107

C:\Users\Admin\AppData\Local\Temp\d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe
"C:\Users\Admin\AppData\Local\Temp\d1e30db43b8c284bf826ea52c10c707800883ff824bbea456457e96d1dedce6f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\SysWOW64\Cfpnph32.exe
  C:\Windows\system32\Cfpnph32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\Cnffqf32.exe
    C:\Windows\system32\Cnffqf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\Caebma32.exe
      C:\Windows\system32\Caebma32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 396
        21⤵
        Program crash
        
        PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2468 -ip 2468
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caebma32.exe

Filesize
243KB

MD5
5e0328dc10d97ab7ffc241696bd8a388

SHA1
0c5f1f990e99ce8ac88b3bbcb32fbc2311667295

SHA256
74054948d11ea35c565fb40cc1a45ae150e5ce3edb8c0876a5dd62aca6d99281

SHA512
45b62ac96a1612d6424527f673f1a752f5aa7ce1780077722bf980b4887f81120a878dd3fb08ed4414a966855e3e1cd4bd7f6097f2a836892d4f86aee5abda9b

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
243KB

MD5
794e2974ed72f11dda2c529d4a076341

SHA1
3eb9005341af110bdd5dd86475ee96526792815d

SHA256
48f97a846d34795dcae7a37e7fca9ca070a1fac3b1f3f83faeefb1ae0ae8acbb

SHA512
85f4b32f243fb2b43ee9fbaefc532016e7906bc79290fe5d918dd7d6d7b78ee51677545d3cef3c758a9bb18ce9344a1e631ee81fbd704f67cbad716ab2c21b84

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
243KB

MD5
ca57ee7ad48e24812a8649ded47654d9

SHA1
46ae20406705754d62d618d3d1f46d417b173389

SHA256
6a881d42e77c341f58621d7f2d892d6b8ce058f5931e9fb6fc771041316fdeea

SHA512
a8fac773259933c3331b9000da0d9ae49edfd348fc6a3ca202707b52921dea5b741539df4291794a6f818adf943be41b023e3436a5cf5ce340a3eb2fd53c4ac3

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
243KB

MD5
4e6815ba51821aeb377a8ac5a0a6855d

SHA1
6f5e5998e091061be8cfe509ebd8dbb5f665fb2f

SHA256
64c16ce6cd44b05057f9ee44f830ac9f61d48304f5c620697f5a1881706c2727

SHA512
255867fed3d51869877a6c4726b9d30fc5486ce6146cdd5d12444e90bc36d4ab0f77d3dc2561cbffaebae2d8ae2556e658a2841968abaf83d62618f580639f07

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
243KB

MD5
5ca51f7f6d4cf871095df9cb4f9e002a

SHA1
9fb64d1539bd70e904acbc83173a76922e5759e5

SHA256
9ea5482d4d11c1f5b010067ac852207cfae10ef162ff7abea5cc0f99b2643785

SHA512
410f5f56e353d73dfed0b0894be6236b0db44d7349924ae56579f578e65b3167c99776512847ea529005272635943e7617cc235111580bca8f781f2c9d6bc881

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
243KB

MD5
6d69016d20c2e6899e5d3c1133c8ed04

SHA1
ecc0284b7fa734acda9b17ab2dd657995bad7d9d

SHA256
a619c758a3b012200f30727b6da99f53d5c552fa3aa945d10433a4735e3689ca

SHA512
4777c09599cbf8fbe4c80de79e167c6d7adf4fd3d96e66339fccd62c33327a37980bf94c4e7faa5501011384a6b0d1c93a5df4692280a209f793988e0ff6c699

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
243KB

MD5
167b649b9a8d45f545dad4e133eabf14

SHA1
0b331ed81101071fa6e34b08893453360667a46a

SHA256
b888d39d2e5194e37ddabfa492f85f0ec463c1d3310f96c239f7b5e6ff8367dd

SHA512
3f41cfd714182062d7cf6e1a0579ebdc8eff7699d0394e723c9679f2e721d690e98feb6c7d64760464394ca8633725905000722254c323c9f9f40011c3eee389

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
243KB

MD5
7be6069b440c64c3cb19319a1ff42068

SHA1
c01141466e04ce73e75616b3cbc62afbf6d1cab3

SHA256
f28608b6be17f1bcc57d62446228a26b31dac10106d8429e19012d0c8adb2307

SHA512
c7ad10d26cccaac4e779507b7559fd8a73cdda050e4f464459b50f698aee48e605d6e418031d45e22d539c38baa5a988fb50680e227def9bd00d3f049c979f06

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
243KB

MD5
92a98ff2f1fe4a5ec1eb2235d75c3f77

SHA1
1dd3e831f322cd0a06a508a88c1a9a88b8c2d987

SHA256
d4f0b416a9272605d63cd73b89ff41eb37a375e71f1e92a6c474c74d6d896167

SHA512
1339ee716aaf6d2e962377ef992fbcf0759627613d6fa803b98c89e27db6f0df4b510bf60d7478ff69d0e3890e2350556d197dc4c111f2d65132b07c82a12229

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
243KB

MD5
9bca9f91a0e777aef155e4445cc9600d

SHA1
dfc7ef833973a0421512dad3b0a150646572d211

SHA256
9e5f3bda30a36e8af19391f0bb89fa4353d55f55939fb8629bfcf09ca27bc3d5

SHA512
24fb6d2456931cec4b3c9322bc5167a9faca12c4aadda6f950dd0d0b1eae435097191006ef30a4b8fbba1066e1ef460dae2251578fd962c0b6e9fec84c585d8b

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
243KB

MD5
7856fc4786bf8acbae25bac465e38db1

SHA1
efc158171f200862e7ef4b652fbc82a0379debbf

SHA256
6c108edbd548b4be0ba5cfb71526bb98f9ab77f2b6026b217606bfe20f6812da

SHA512
ba051f5adbba0afcfc3a7ca6325c3130038cfc725a5cc303891ae56a2c2d9f29020cabf7765e61377ce41ca3b0b6f1d4cb8b064c5bf5ae487032feb1cebdd3e6

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
243KB

MD5
8f71459a9f067777e208c0dd8f53512a

SHA1
e57304de7adfa2cf7d793ee1d7f939eb311a0622

SHA256
c50a5afff747307bed6a90d2faaacf89450c3b8b5055ddbc9e8c7655d8b3af61

SHA512
a322a997e536527f4ef67a4ef7ac48a8cc905d7970002da3a04d81f42e9b9b9467cfea202897f78feae371cc5c07d2035af92b0fa9125168e6f0739029008ebc

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
243KB

MD5
8a43d36185ce8c140f85bfa76a5ad82f

SHA1
3ea2a77acc6ca3a81713c9bdbf41426ac9c14f47

SHA256
2183f15c4c07e50d0d0fe5b3754299157c1ce8b6fa540812114772bf1d97c805

SHA512
db71be5aaf53d1c0b9bc4febe46b4dfadddfc93f5fe4a136e9176d5287c796dd3d23b665c2a8af0bf56eb067dd3ad78ddcd65ddae59f65731f9ebc74432c1104

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
243KB

MD5
87449cce953e1bb346c3c9b812992dd7

SHA1
9407d4ec8066732425530162e0b3a822dfa0f89d

SHA256
e3d6c93851a8e1e01b3b285950b682b1ef23d94e2254c9e7ab693227e84a7121

SHA512
3acdd206de67a1ab605450db1ef02e0d26c3a6015612e13e4865a72ef881c748463025566b96a8aa04383764a1369ffc42e8cbf2e20641bf220e29c99ad18763

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
243KB

MD5
de787382d4e1785399d53c147273691f

SHA1
561de55b8af6febeb4bb56f69e5fb4a9b6007b04

SHA256
19ffb1267207186aed3fe240d1ab0c3e25538cd2079dbbafbd950472ee583b62

SHA512
27813a15e625a1e200202bc6721b3e34f728dc8db02697fff22472eed136b48b8c5c925635a67d9dd439bde73088906b7bac19baba2679eb52344053e2c4f49a

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
243KB

MD5
a49cd2eaebb91d1eb149f472f652728f

SHA1
ea5021536e64ecb3fe0070ff32f5c50945df635d

SHA256
5b79b4903e1947234ee51560067fc4941c7f74402cd265e5a4d1f0012f1a9094

SHA512
0cf86dbaf7608bfb63deaa4879827919fdc8b337892981946750903402136d61154756727937721aafaf70e5b9ffdf4042ca6da74da21f37f4d23bf7f9f7116b

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
243KB

MD5
6f14a2bfcd6b58db1249200457f0dad8

SHA1
b873a49c3c8e76d2ccc8cc366043fae3ed80b17a

SHA256
c1de57660c5750548c31c984db6334c9a26a8ef17a3323edda224f60c07e09db

SHA512
68421c63c5a20196b0f58d70101e3bbb1dbf9dbcbfc20a6b6a9947472bf10d68a9c061cb2c1441f79bff2de96a3a33af7ae6cbf21c9a943e362d3c9e8fa3a818

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
243KB

MD5
3fe92bf746dbd29fef31b22fa4c01fa5

SHA1
d26d8265731444060f2dc32162ef644fa4f21bcc

SHA256
0bd4939c15dff4cb2a3fcaa54eaf9d3b4030ae8ecf48bc747fcbc16fbfa67c68

SHA512
f6702a0488dc9fb242e0543cce374c4e6afc5627e9edb6440088ff1f4806d0871252b6d4115a60960a874314bef087029304d0f41a53409eb09074675bf87dae

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
243KB

MD5
e105318ce5d39ced74718e8cd70b25e0

SHA1
a14b7d4624d1bd40e1c21d0ba877466214faf313

SHA256
711c3eafbb7d9eb4918225693390abe9e43b4ae1ef2cfd15d8b2741b5168fa4f

SHA512
1b051b3d9879ab45137f9ca756464455d33f63823f855538a2e269a81dfd83c7513f9e516fd13070c8f3e90e9a62aae2eed119216483c723c2e61b368cc7679f

Download Submit
memory/452-164-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/452-112-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1168-166-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1168-104-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1872-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1872-188-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2212-184-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2212-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2468-156-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2468-153-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2692-8-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2692-190-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3152-136-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3152-161-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3440-186-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3440-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3468-89-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3468-170-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3688-129-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3688-160-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3776-176-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3776-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3916-172-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3916-81-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3928-192-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3928-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3928-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4232-157-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4232-144-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4592-53-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4592-180-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4668-120-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4668-193-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4780-174-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4780-72-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4920-57-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4920-178-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4936-168-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4936-97-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5016-182-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5016-45-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads