02fdcd4d194c1640dd90886a796a95e24ae109cb4fb9d5f0a4b768f29c801fde

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a7a0385a1323f5972c266428ea1e3574.exe
Size

96KB
MD5

a7a0385a1323f5972c266428ea1e3574
SHA1

01bec230143f38f45b68a7e21447a1986510ebda
SHA256

02fdcd4d194c1640dd90886a796a95e24ae109cb4fb9d5f0a4b768f29c801fde
SHA512

e8b23ee50ad0760284a7b4809141c7a339fd26faf98f93a4752f55af6f14fec4dc8e25d8389938aaf3cb531c9215654709a20b796fe09dc2af673a7e03353b78
SSDEEP

1536:H4LLl7lVY3vUSeedRd39yaiYNZGGG1rY4uVcdZ2JVQBKoC/CKniTCvVAva61hLDF:YLLl7lufU63UIos4uVqZ2fQkbn1vVAv7

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.a7a0385a1323f5972c266428ea1e3574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.a7a0385a1323f5972c266428ea1e3574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe

Malware Backdoor - Berbew 57 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/616-0-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/616-1-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x00090000000224ad-7.dat	family_berbew
behavioral2/memory/1452-9-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x00090000000224ad-8.dat	family_berbew
behavioral2/files/0x0008000000022e3f-15.dat	family_berbew
behavioral2/memory/4692-17-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e3f-16.dat	family_berbew
behavioral2/files/0x0007000000022e45-23.dat	family_berbew
behavioral2/memory/3488-25-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e45-24.dat	family_berbew
behavioral2/files/0x0007000000022e47-31.dat	family_berbew
behavioral2/memory/5072-32-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e47-33.dat	family_berbew
behavioral2/files/0x0007000000022e49-39.dat	family_berbew
behavioral2/memory/1300-40-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e49-41.dat	family_berbew
behavioral2/files/0x0007000000022e4b-47.dat	family_berbew
behavioral2/memory/4608-48-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e4b-49.dat	family_berbew
behavioral2/files/0x0007000000022e4d-55.dat	family_berbew
behavioral2/files/0x0007000000022e4d-57.dat	family_berbew
behavioral2/memory/3412-56-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e4f-63.dat	family_berbew
behavioral2/memory/4716-64-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e4f-65.dat	family_berbew
behavioral2/files/0x0008000000022d5e-71.dat	family_berbew
behavioral2/memory/616-73-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/5012-78-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022d5e-72.dat	family_berbew
behavioral2/files/0x0007000000022e53-80.dat	family_berbew
behavioral2/memory/4704-82-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e53-81.dat	family_berbew
behavioral2/files/0x0007000000022e55-89.dat	family_berbew
behavioral2/memory/1060-96-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e57-97.dat	family_berbew
behavioral2/memory/4692-99-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e57-98.dat	family_berbew
behavioral2/memory/2028-104-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e59-106.dat	family_berbew
behavioral2/memory/3488-108-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e5c-114.dat	family_berbew
behavioral2/files/0x0007000000022e59-107.dat	family_berbew
behavioral2/files/0x0007000000022e5c-115.dat	family_berbew
behavioral2/memory/1452-90-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e55-88.dat	family_berbew
behavioral2/memory/2924-120-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e5e-122.dat	family_berbew
behavioral2/memory/5072-125-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2388-126-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e5e-124.dat	family_berbew
behavioral2/memory/3980-123-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/1300-127-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4608-128-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4704-129-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4716-130-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3412-131-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew

Executes dropped EXE 15 IoCs

pid	Process
1452	Cdcoim32.exe
4692	Cmlcbbcj.exe
3488	Cdfkolkf.exe
5072	Cmnpgb32.exe
1300	Chcddk32.exe
4608	Cegdnopg.exe
3412	Ddmaok32.exe
4716	Dobfld32.exe
5012	Ddonekbl.exe
4704	Dodbbdbb.exe
1060	Daconoae.exe
2028	Dfpgffpm.exe
2924	Daekdooc.exe
3980	Dgbdlf32.exe
2388	Dmllipeg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdcoim32.exe	NEAS.a7a0385a1323f5972c266428ea1e3574.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	NEAS.a7a0385a1323f5972c266428ea1e3574.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	NEAS.a7a0385a1323f5972c266428ea1e3574.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2340	2388	WerFault.exe	103

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.a7a0385a1323f5972c266428ea1e3574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.a7a0385a1323f5972c266428ea1e3574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.a7a0385a1323f5972c266428ea1e3574.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.a7a0385a1323f5972c266428ea1e3574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	NEAS.a7a0385a1323f5972c266428ea1e3574.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.a7a0385a1323f5972c266428ea1e3574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 1452	616	NEAS.a7a0385a1323f5972c266428ea1e3574.exe	89
PID 616 wrote to memory of 1452	616	NEAS.a7a0385a1323f5972c266428ea1e3574.exe	89
PID 616 wrote to memory of 1452	616	NEAS.a7a0385a1323f5972c266428ea1e3574.exe	89
PID 1452 wrote to memory of 4692	1452	Cdcoim32.exe	90
PID 1452 wrote to memory of 4692	1452	Cdcoim32.exe	90
PID 1452 wrote to memory of 4692	1452	Cdcoim32.exe	90
PID 4692 wrote to memory of 3488	4692	Cmlcbbcj.exe	91
PID 4692 wrote to memory of 3488	4692	Cmlcbbcj.exe	91
PID 4692 wrote to memory of 3488	4692	Cmlcbbcj.exe	91
PID 3488 wrote to memory of 5072	3488	Cdfkolkf.exe	92
PID 3488 wrote to memory of 5072	3488	Cdfkolkf.exe	92
PID 3488 wrote to memory of 5072	3488	Cdfkolkf.exe	92
PID 5072 wrote to memory of 1300	5072	Cmnpgb32.exe	93
PID 5072 wrote to memory of 1300	5072	Cmnpgb32.exe	93
PID 5072 wrote to memory of 1300	5072	Cmnpgb32.exe	93
PID 1300 wrote to memory of 4608	1300	Chcddk32.exe	94
PID 1300 wrote to memory of 4608	1300	Chcddk32.exe	94
PID 1300 wrote to memory of 4608	1300	Chcddk32.exe	94
PID 4608 wrote to memory of 3412	4608	Cegdnopg.exe	95
PID 4608 wrote to memory of 3412	4608	Cegdnopg.exe	95
PID 4608 wrote to memory of 3412	4608	Cegdnopg.exe	95
PID 3412 wrote to memory of 4716	3412	Ddmaok32.exe	96
PID 3412 wrote to memory of 4716	3412	Ddmaok32.exe	96
PID 3412 wrote to memory of 4716	3412	Ddmaok32.exe	96
PID 4716 wrote to memory of 5012	4716	Dobfld32.exe	97
PID 4716 wrote to memory of 5012	4716	Dobfld32.exe	97
PID 4716 wrote to memory of 5012	4716	Dobfld32.exe	97
PID 5012 wrote to memory of 4704	5012	Ddonekbl.exe	98
PID 5012 wrote to memory of 4704	5012	Ddonekbl.exe	98
PID 5012 wrote to memory of 4704	5012	Ddonekbl.exe	98
PID 4704 wrote to memory of 1060	4704	Dodbbdbb.exe	99
PID 4704 wrote to memory of 1060	4704	Dodbbdbb.exe	99
PID 4704 wrote to memory of 1060	4704	Dodbbdbb.exe	99
PID 1060 wrote to memory of 2028	1060	Daconoae.exe	102
PID 1060 wrote to memory of 2028	1060	Daconoae.exe	102
PID 1060 wrote to memory of 2028	1060	Daconoae.exe	102
PID 2028 wrote to memory of 2924	2028	Dfpgffpm.exe	100
PID 2028 wrote to memory of 2924	2028	Dfpgffpm.exe	100
PID 2028 wrote to memory of 2924	2028	Dfpgffpm.exe	100
PID 2924 wrote to memory of 3980	2924	Daekdooc.exe	101
PID 2924 wrote to memory of 3980	2924	Daekdooc.exe	101
PID 2924 wrote to memory of 3980	2924	Daekdooc.exe	101
PID 3980 wrote to memory of 2388	3980	Dgbdlf32.exe	103
PID 3980 wrote to memory of 2388	3980	Dgbdlf32.exe	103
PID 3980 wrote to memory of 2388	3980	Dgbdlf32.exe	103

C:\Users\Admin\AppData\Local\Temp\NEAS.a7a0385a1323f5972c266428ea1e3574.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a7a0385a1323f5972c266428ea1e3574.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\SysWOW64\Cdcoim32.exe
  C:\Windows\system32\Cdcoim32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\Cmlcbbcj.exe
    C:\Windows\system32\Cmlcbbcj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\SysWOW64\Cdfkolkf.exe
      C:\Windows\system32\Cdfkolkf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028

C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\system32\Daekdooc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\Dgbdlf32.exe
  C:\Windows\system32\Dgbdlf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\SysWOW64\Dmllipeg.exe
    C:\Windows\system32\Dmllipeg.exe
    3⤵
    - Executes dropped EXE
    PID:2388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 404
      4⤵
      Program crash
      PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2388 -ip 2388
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
96KB

MD5
ad50a6629c9a220b49bc776bd5c6c58b

SHA1
2690a99dd1ae2d235243239a17522b5f2ccadecb

SHA256
e36d63093fc1a7f2e090abcebbb1013225b691724810b2d90ed9da3990374e3b

SHA512
b7c424aa7b51846d597b78773d7949e8828396db6c62bb96c9d685a74d103a6a9c18d70f117e620cb7eeaf92ecbc5647b48f66126281a46202fafe52bef43820

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
96KB

MD5
ad50a6629c9a220b49bc776bd5c6c58b

SHA1
2690a99dd1ae2d235243239a17522b5f2ccadecb

SHA256
e36d63093fc1a7f2e090abcebbb1013225b691724810b2d90ed9da3990374e3b

SHA512
b7c424aa7b51846d597b78773d7949e8828396db6c62bb96c9d685a74d103a6a9c18d70f117e620cb7eeaf92ecbc5647b48f66126281a46202fafe52bef43820

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
3d321cf0296da2875a7df205626469de

SHA1
c0d8d33a5f38f23274282bd576bfe004715fe4c6

SHA256
d26da9c80936a4c7d617e9395036d383943e5b8222a8069c58be3480928be8a2

SHA512
1646a8dbe5853ac710a5728d0ef48d258a9d3f89f04938c9055387ba5c36ae7c1a1c540f8caeb2082f8817f74fb909c698cda285bbf05c96b733eb56af4c58a2

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
3d321cf0296da2875a7df205626469de

SHA1
c0d8d33a5f38f23274282bd576bfe004715fe4c6

SHA256
d26da9c80936a4c7d617e9395036d383943e5b8222a8069c58be3480928be8a2

SHA512
1646a8dbe5853ac710a5728d0ef48d258a9d3f89f04938c9055387ba5c36ae7c1a1c540f8caeb2082f8817f74fb909c698cda285bbf05c96b733eb56af4c58a2

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
ea246df27d17b0c358f2ebc6eacbc4f7

SHA1
da8ed8da6b983101550b331da08bf9f1182134a2

SHA256
3f089b6aed421e6e465cd01160a543422bd180ff9acfc4db1199b3fe26bd2310

SHA512
a5d16e4faf87b13e3deefb2df117bfc808ff4c899300f4a2b91be6002098bd336b2e46321df414c4901a216825d1f95b2d9e74fac08aa0c1c6b8e69081a51885

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
ea246df27d17b0c358f2ebc6eacbc4f7

SHA1
da8ed8da6b983101550b331da08bf9f1182134a2

SHA256
3f089b6aed421e6e465cd01160a543422bd180ff9acfc4db1199b3fe26bd2310

SHA512
a5d16e4faf87b13e3deefb2df117bfc808ff4c899300f4a2b91be6002098bd336b2e46321df414c4901a216825d1f95b2d9e74fac08aa0c1c6b8e69081a51885

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
221893b078015e8f017fedfc659e766a

SHA1
5289223fddaf012019fa36fa9016cd4f19207a70

SHA256
61aa097feb453966038eea34902a15acd9a79cee546637bb8d8eb3c08017fb5a

SHA512
634405d455dc8c884b0a107dd98f4ef972d4565b3b9eac1ab4d06d7f8193169a8436873f11f37dd687c9f429a3c7d97bd4cee57bd78937716b327295214a5589

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
221893b078015e8f017fedfc659e766a

SHA1
5289223fddaf012019fa36fa9016cd4f19207a70

SHA256
61aa097feb453966038eea34902a15acd9a79cee546637bb8d8eb3c08017fb5a

SHA512
634405d455dc8c884b0a107dd98f4ef972d4565b3b9eac1ab4d06d7f8193169a8436873f11f37dd687c9f429a3c7d97bd4cee57bd78937716b327295214a5589

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
cac13ec9b7c6455ab88766d8339406b0

SHA1
5807cf416cd1ebcc7cb9771161b36239101cba98

SHA256
066e1661956834748cf1759d3d20c77454542736589189d021bb934dc1a35057

SHA512
01e37816224b71753d4ce049ba3dd69032afe32843e0db0297d5cf240f2fa2cc24f893466de1b99b371d1fc441b45050a8232b574f889d05ad7156315afc51c6

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
cac13ec9b7c6455ab88766d8339406b0

SHA1
5807cf416cd1ebcc7cb9771161b36239101cba98

SHA256
066e1661956834748cf1759d3d20c77454542736589189d021bb934dc1a35057

SHA512
01e37816224b71753d4ce049ba3dd69032afe32843e0db0297d5cf240f2fa2cc24f893466de1b99b371d1fc441b45050a8232b574f889d05ad7156315afc51c6

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
96KB

MD5
fcb082242071efd13345da85c8e040d5

SHA1
0e34e99c984fb80e58c5757f50597d3c6c46c5b0

SHA256
7e4b9e831546a429f36c9712bd06cbb934744aee4eed70f2c7826ae30cadd218

SHA512
318a102b477a57e4785c86606a63d1081f3b276b7cc05d06a7140061e2eaff72c3dbe63f7231e2a8682471ea36bc0bc8bac5a8de75813e8556b7cacfa770fb78

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
96KB

MD5
fcb082242071efd13345da85c8e040d5

SHA1
0e34e99c984fb80e58c5757f50597d3c6c46c5b0

SHA256
7e4b9e831546a429f36c9712bd06cbb934744aee4eed70f2c7826ae30cadd218

SHA512
318a102b477a57e4785c86606a63d1081f3b276b7cc05d06a7140061e2eaff72c3dbe63f7231e2a8682471ea36bc0bc8bac5a8de75813e8556b7cacfa770fb78

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
0b2a8948a7bd05effd04320db73b0ccb

SHA1
3c65d0d21d1933ab89906721c8ec9afa9735ca3c

SHA256
0da5e36c37a574ae2029a9dadad336ebf971aecdef64b7bc8bf892e284e1dadc

SHA512
940daccdf83f13a2d8d2e5e2f0b82a9dd1d0dfa73614cfaf4eddb01db720aed7801c974a3ea00f00447cc5e5c4bc913e1c3c8ce7f222052a68daa78225acb590

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
0b2a8948a7bd05effd04320db73b0ccb

SHA1
3c65d0d21d1933ab89906721c8ec9afa9735ca3c

SHA256
0da5e36c37a574ae2029a9dadad336ebf971aecdef64b7bc8bf892e284e1dadc

SHA512
940daccdf83f13a2d8d2e5e2f0b82a9dd1d0dfa73614cfaf4eddb01db720aed7801c974a3ea00f00447cc5e5c4bc913e1c3c8ce7f222052a68daa78225acb590

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
2d1835996e5f3e9b4450d8d800c15401

SHA1
6fe9ef659f5cbe4595b13ac5ed84f130f13cf653

SHA256
52ce2f963e55f9a11b7f644f227f65b6c9cbf0c6f377a985e61b48833fe15d83

SHA512
1be00f01520141998804f2e87372e8def4ce54ffa16c35c8d4c87d0c597bd736473f71f464199349d948183b82b72d61fa8f93509bcd567f61009e8e7f627720

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
2d1835996e5f3e9b4450d8d800c15401

SHA1
6fe9ef659f5cbe4595b13ac5ed84f130f13cf653

SHA256
52ce2f963e55f9a11b7f644f227f65b6c9cbf0c6f377a985e61b48833fe15d83

SHA512
1be00f01520141998804f2e87372e8def4ce54ffa16c35c8d4c87d0c597bd736473f71f464199349d948183b82b72d61fa8f93509bcd567f61009e8e7f627720

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
00d1fdfdec7c7949ba4ed6bf7308979f

SHA1
338777dcdb4e18e21840b37512af0ae307f1bdcf

SHA256
6beb14523c1d2a80254f8322fc201181f7f1631a1e69e38fa4a70d78d85428ea

SHA512
b46b27597a58dd88cdae72267b045c53300516be1fb8427293e2e3c6d31da138905a09d2cf40ef9eb480d7fb17ceba599336d1da00cc6a94daa8af6323661c2c

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
00d1fdfdec7c7949ba4ed6bf7308979f

SHA1
338777dcdb4e18e21840b37512af0ae307f1bdcf

SHA256
6beb14523c1d2a80254f8322fc201181f7f1631a1e69e38fa4a70d78d85428ea

SHA512
b46b27597a58dd88cdae72267b045c53300516be1fb8427293e2e3c6d31da138905a09d2cf40ef9eb480d7fb17ceba599336d1da00cc6a94daa8af6323661c2c

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
d648a28b5c7b049bfa5214743aca7f3f

SHA1
95889ee5e235e267495c8d666775598db58af84b

SHA256
0fd3b2c9ca263975d7d914e1535405dd8a67b93f98f0e6b33cd12552b18172ca

SHA512
fefb155035d8b1d9c674569f004bc35a6f8096f4b9f3d9ec2588246ea61f23ccc947eaa24539d31e0227d26d7f6c10b951c41c656dda790beb89f1f0027549a2

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
d648a28b5c7b049bfa5214743aca7f3f

SHA1
95889ee5e235e267495c8d666775598db58af84b

SHA256
0fd3b2c9ca263975d7d914e1535405dd8a67b93f98f0e6b33cd12552b18172ca

SHA512
fefb155035d8b1d9c674569f004bc35a6f8096f4b9f3d9ec2588246ea61f23ccc947eaa24539d31e0227d26d7f6c10b951c41c656dda790beb89f1f0027549a2

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
6a2e4e8ea3b84e8dbd1f7fc6a203a956

SHA1
e8474980aca789d9e544157304d4f376b131c462

SHA256
3b0cd5404a9d8450ef3537ef3ba7c312bc8a8a49bcb8ad89e4f7cc72a40df237

SHA512
407aee99939ed6ecc9c0ec54e4e29fcf46e33942f10f81ebcac0d9e0303c9cf90a4e1cb1afce593d28d79130a6e636483b64e413ef8d3bda445270d2bd4b66f4

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
6a2e4e8ea3b84e8dbd1f7fc6a203a956

SHA1
e8474980aca789d9e544157304d4f376b131c462

SHA256
3b0cd5404a9d8450ef3537ef3ba7c312bc8a8a49bcb8ad89e4f7cc72a40df237

SHA512
407aee99939ed6ecc9c0ec54e4e29fcf46e33942f10f81ebcac0d9e0303c9cf90a4e1cb1afce593d28d79130a6e636483b64e413ef8d3bda445270d2bd4b66f4

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
7c8a27519d6fc305fea81c33f174462d

SHA1
3987887def0954a3918d8af4a40712bbbba65162

SHA256
db1a5d4a09c9bc5a666116e0a3f3e4f1f68920bda0b11b2be0cb41ff699fb33e

SHA512
f295efbf5c7862fc3f8f444dd5e7cfccfe511a9502138a02a3f5b3943faf90230a2beab35a8e61a463caef2b4138754205f16a383eb3599829785c6851d8af37

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
7c8a27519d6fc305fea81c33f174462d

SHA1
3987887def0954a3918d8af4a40712bbbba65162

SHA256
db1a5d4a09c9bc5a666116e0a3f3e4f1f68920bda0b11b2be0cb41ff699fb33e

SHA512
f295efbf5c7862fc3f8f444dd5e7cfccfe511a9502138a02a3f5b3943faf90230a2beab35a8e61a463caef2b4138754205f16a383eb3599829785c6851d8af37

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
a6fd12a9f700799f94ab2b362570c60e

SHA1
20f668861e869d8b37386897aa9194895b94db90

SHA256
89ff848ff044490da13432d0e900d34c05d91e6d2c2b53cb22d56e43f595a584

SHA512
ae58eb85997ce07b019989bfb4d2d0c702ed965e7d05a4095846940fd31fe6333d626f69302d47c414ad4e68f766495f003448d5d447290ca35bc7705efbb136

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
a6fd12a9f700799f94ab2b362570c60e

SHA1
20f668861e869d8b37386897aa9194895b94db90

SHA256
89ff848ff044490da13432d0e900d34c05d91e6d2c2b53cb22d56e43f595a584

SHA512
ae58eb85997ce07b019989bfb4d2d0c702ed965e7d05a4095846940fd31fe6333d626f69302d47c414ad4e68f766495f003448d5d447290ca35bc7705efbb136

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
96KB

MD5
5f330ba69b4b142338bd6a3e29aa5105

SHA1
65cc7c61bec8593dd0500d6de7cbb6f045908ab0

SHA256
02a683918e611b6257d704278dee4325ba4f864b8baf62a926da6146c80fa247

SHA512
31f55cd90fd802f981c855ecc922a7787fd2e1a06f03c51bebef1e3a3a02d4cc86d3262b032cdd1f982c57386dd6bb0547426fbede90ac831146d350f2388668

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
96KB

MD5
5f330ba69b4b142338bd6a3e29aa5105

SHA1
65cc7c61bec8593dd0500d6de7cbb6f045908ab0

SHA256
02a683918e611b6257d704278dee4325ba4f864b8baf62a926da6146c80fa247

SHA512
31f55cd90fd802f981c855ecc922a7787fd2e1a06f03c51bebef1e3a3a02d4cc86d3262b032cdd1f982c57386dd6bb0547426fbede90ac831146d350f2388668

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
9260e960903688eb63a998f9ad3f83ef

SHA1
fe70ea706549b848f1fc46f6dc0db71c58c389a1

SHA256
b519666c1f39823189adf0fea4279c0c2c298f1915d06c9d717bc4aa5c2c52fe

SHA512
d97e5f50cc6621fecaeb76eb4e6f785c1e7bbb371cd6ab77943e0a9b689ec07064b5ed8502ba958d7cdc24d3e3baa84724d84ca5ca6cbad4508b7e2175dca679

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
9260e960903688eb63a998f9ad3f83ef

SHA1
fe70ea706549b848f1fc46f6dc0db71c58c389a1

SHA256
b519666c1f39823189adf0fea4279c0c2c298f1915d06c9d717bc4aa5c2c52fe

SHA512
d97e5f50cc6621fecaeb76eb4e6f785c1e7bbb371cd6ab77943e0a9b689ec07064b5ed8502ba958d7cdc24d3e3baa84724d84ca5ca6cbad4508b7e2175dca679

Download Submit
memory/616-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/616-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/616-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1060-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1300-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1300-127-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1452-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1452-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2028-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2924-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3412-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3412-131-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3488-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3488-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3980-123-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4608-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4608-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4692-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4692-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4704-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4704-129-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4716-130-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4716-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5012-78-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5072-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5072-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads