berbew | 25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
Size

96KB
MD5

c00b3e4e15959fa1df2c3d65ec7af080
SHA1

81894fe24f9756e9867aa5046b0788102b81b63b
SHA256

25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508
SHA512

6c7d0a4126ece69f55516379b434227e69e1549c6222b0e2960e837f04902439b44d40e3cd2b85f2118719bf294092a1eabf86a9bddc682144074420a20068ed
SSDEEP

1536:o1nOOYrMByntBI+ABopjYLF0UUmbs0uVvoYf+A9bXvhrUQVoMdUT+irF:AYrdtF82wbUmbao4+ObXvhr1Rhk

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpnpqakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cboibm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfonnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpnpqakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlhgpag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciiaogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpefaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfonnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdlhgpag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmnpfd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 18 IoCs

pid	Process
2136	Cpnpqakp.exe
3756	Cdjlap32.exe
4380	Cifdjg32.exe
1752	Cdlhgpag.exe
2304	Cboibm32.exe
3652	Ciiaogon.exe
4652	Cpcila32.exe
4476	Cfmahknh.exe
872	Cmgjee32.exe
4352	Dpefaq32.exe
3760	Dfonnk32.exe
1076	Dinjjf32.exe
3376	Ddcogo32.exe
3536	Dipgpf32.exe
3960	Ddekmo32.exe
2576	Dibdeegc.exe
4068	Dmnpfd32.exe
4024	Dbkhnk32.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdjlap32.exe	Cpnpqakp.exe
File created	C:\Windows\SysWOW64\Imdnon32.dll	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Dpkgac32.dll	Dibdeegc.exe
File created	C:\Windows\SysWOW64\Kqfaoo32.dll	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
File created	C:\Windows\SysWOW64\Aoedfmpf.dll	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Ebldoh32.dll	Dinjjf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdjlap32.exe	Cpnpqakp.exe
File created	C:\Windows\SysWOW64\Qfeckiie.dll	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dmnpfd32.exe
File opened for modification	C:\Windows\SysWOW64\Cboibm32.exe	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Cpcila32.exe	Ciiaogon.exe
File created	C:\Windows\SysWOW64\Dinjjf32.exe	Dfonnk32.exe
File created	C:\Windows\SysWOW64\Ddekmo32.exe	Dipgpf32.exe
File created	C:\Windows\SysWOW64\Nffopp32.dll	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Cboibm32.exe	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Adlafb32.dll	Dpefaq32.exe
File opened for modification	C:\Windows\SysWOW64\Dipgpf32.exe	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Cifdjg32.exe	Cdjlap32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmahknh.exe	Cpcila32.exe
File created	C:\Windows\SysWOW64\Cmgjee32.exe	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Dpefaq32.exe	Cmgjee32.exe
File opened for modification	C:\Windows\SysWOW64\Dpefaq32.exe	Cmgjee32.exe
File created	C:\Windows\SysWOW64\Ciiaogon.exe	Cboibm32.exe
File opened for modification	C:\Windows\SysWOW64\Cpcila32.exe	Ciiaogon.exe
File created	C:\Windows\SysWOW64\Cfmahknh.exe	Cpcila32.exe
File created	C:\Windows\SysWOW64\Ddcogo32.exe	Dinjjf32.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dmnpfd32.exe
File opened for modification	C:\Windows\SysWOW64\Cpnpqakp.exe	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
File created	C:\Windows\SysWOW64\Eicfep32.dll	Cmgjee32.exe
File opened for modification	C:\Windows\SysWOW64\Ddcogo32.exe	Dinjjf32.exe
File created	C:\Windows\SysWOW64\Dipgpf32.exe	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Cbccbiml.dll	Dipgpf32.exe
File opened for modification	C:\Windows\SysWOW64\Dibdeegc.exe	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Dmnpfd32.exe	Dibdeegc.exe
File created	C:\Windows\SysWOW64\Cdlhgpag.exe	Cifdjg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfonnk32.exe	Dpefaq32.exe
File created	C:\Windows\SysWOW64\Cpnpqakp.exe	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
File created	C:\Windows\SysWOW64\Pdkpjeba.dll	Ciiaogon.exe
File created	C:\Windows\SysWOW64\Pkjhlh32.dll	Cpcila32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjee32.exe	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Kcgmiidl.dll	Cdjlap32.exe
File created	C:\Windows\SysWOW64\Ladlqj32.dll	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Pfdnkk32.dll	Cboibm32.exe
File created	C:\Windows\SysWOW64\Dfonnk32.exe	Dpefaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddekmo32.exe	Dipgpf32.exe
File opened for modification	C:\Windows\SysWOW64\Cifdjg32.exe	Cdjlap32.exe
File created	C:\Windows\SysWOW64\Hiagoigj.dll	Cpnpqakp.exe
File opened for modification	C:\Windows\SysWOW64\Dinjjf32.exe	Dfonnk32.exe
File opened for modification	C:\Windows\SysWOW64\Ciiaogon.exe	Cboibm32.exe
File created	C:\Windows\SysWOW64\Dihmeahp.dll	Dfonnk32.exe
File created	C:\Windows\SysWOW64\Dibdeegc.exe	Ddekmo32.exe
File opened for modification	C:\Windows\SysWOW64\Dmnpfd32.exe	Dibdeegc.exe
File opened for modification	C:\Windows\SysWOW64\Cdlhgpag.exe	Cifdjg32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dmnpfd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5040	4024	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cifdjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cboibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpefaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfonnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjlap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcila32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddekmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpnpqakp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcogo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dibdeegc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhgpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciiaogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dipgpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpfd32.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfonnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjhlh32.dll"	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldoh32.dll"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cboibm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiagoigj.dll"	Cpnpqakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfeckiie.dll"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffopp32.dll"	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgmiidl.dll"	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlafb32.dll"	Dpefaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicfep32.dll"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdjlap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbccbiml.dll"	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdnkk32.dll"	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihmeahp.dll"	Dfonnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdjlap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpkgac32.dll"	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpnpqakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoedfmpf.dll"	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladlqj32.dll"	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqfaoo32.dll"	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpnpqakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkpjeba.dll"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdnon32.dll"	Ddcogo32.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2136	2956	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe	89
PID 2956 wrote to memory of 2136	2956	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe	89
PID 2956 wrote to memory of 2136	2956	25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe	89
PID 2136 wrote to memory of 3756	2136	Cpnpqakp.exe	90
PID 2136 wrote to memory of 3756	2136	Cpnpqakp.exe	90
PID 2136 wrote to memory of 3756	2136	Cpnpqakp.exe	90
PID 3756 wrote to memory of 4380	3756	Cdjlap32.exe	91
PID 3756 wrote to memory of 4380	3756	Cdjlap32.exe	91
PID 3756 wrote to memory of 4380	3756	Cdjlap32.exe	91
PID 4380 wrote to memory of 1752	4380	Cifdjg32.exe	92
PID 4380 wrote to memory of 1752	4380	Cifdjg32.exe	92
PID 4380 wrote to memory of 1752	4380	Cifdjg32.exe	92
PID 1752 wrote to memory of 2304	1752	Cdlhgpag.exe	93
PID 1752 wrote to memory of 2304	1752	Cdlhgpag.exe	93
PID 1752 wrote to memory of 2304	1752	Cdlhgpag.exe	93
PID 2304 wrote to memory of 3652	2304	Cboibm32.exe	94
PID 2304 wrote to memory of 3652	2304	Cboibm32.exe	94
PID 2304 wrote to memory of 3652	2304	Cboibm32.exe	94
PID 3652 wrote to memory of 4652	3652	Ciiaogon.exe	95
PID 3652 wrote to memory of 4652	3652	Ciiaogon.exe	95
PID 3652 wrote to memory of 4652	3652	Ciiaogon.exe	95
PID 4652 wrote to memory of 4476	4652	Cpcila32.exe	96
PID 4652 wrote to memory of 4476	4652	Cpcila32.exe	96
PID 4652 wrote to memory of 4476	4652	Cpcila32.exe	96
PID 4476 wrote to memory of 872	4476	Cfmahknh.exe	97
PID 4476 wrote to memory of 872	4476	Cfmahknh.exe	97
PID 4476 wrote to memory of 872	4476	Cfmahknh.exe	97
PID 872 wrote to memory of 4352	872	Cmgjee32.exe	98
PID 872 wrote to memory of 4352	872	Cmgjee32.exe	98
PID 872 wrote to memory of 4352	872	Cmgjee32.exe	98
PID 4352 wrote to memory of 3760	4352	Dpefaq32.exe	99
PID 4352 wrote to memory of 3760	4352	Dpefaq32.exe	99
PID 4352 wrote to memory of 3760	4352	Dpefaq32.exe	99
PID 3760 wrote to memory of 1076	3760	Dfonnk32.exe	100
PID 3760 wrote to memory of 1076	3760	Dfonnk32.exe	100
PID 3760 wrote to memory of 1076	3760	Dfonnk32.exe	100
PID 1076 wrote to memory of 3376	1076	Dinjjf32.exe	101
PID 1076 wrote to memory of 3376	1076	Dinjjf32.exe	101
PID 1076 wrote to memory of 3376	1076	Dinjjf32.exe	101
PID 3376 wrote to memory of 3536	3376	Ddcogo32.exe	102
PID 3376 wrote to memory of 3536	3376	Ddcogo32.exe	102
PID 3376 wrote to memory of 3536	3376	Ddcogo32.exe	102
PID 3536 wrote to memory of 3960	3536	Dipgpf32.exe	103
PID 3536 wrote to memory of 3960	3536	Dipgpf32.exe	103
PID 3536 wrote to memory of 3960	3536	Dipgpf32.exe	103
PID 3960 wrote to memory of 2576	3960	Ddekmo32.exe	104
PID 3960 wrote to memory of 2576	3960	Ddekmo32.exe	104
PID 3960 wrote to memory of 2576	3960	Ddekmo32.exe	104
PID 2576 wrote to memory of 4068	2576	Dibdeegc.exe	105
PID 2576 wrote to memory of 4068	2576	Dibdeegc.exe	105
PID 2576 wrote to memory of 4068	2576	Dibdeegc.exe	105
PID 4068 wrote to memory of 4024	4068	Dmnpfd32.exe	106
PID 4068 wrote to memory of 4024	4068	Dmnpfd32.exe	106
PID 4068 wrote to memory of 4024	4068	Dmnpfd32.exe	106

C:\Users\Admin\AppData\Local\Temp\25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe
"C:\Users\Admin\AppData\Local\Temp\25de1fd172bcd3c535d419bdffe5fee33b45eab835611bb33a55ffbf13c66508N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\Cpnpqakp.exe
  C:\Windows\system32\Cpnpqakp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\Cdjlap32.exe
    C:\Windows\system32\Cdjlap32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\SysWOW64\Cifdjg32.exe
      C:\Windows\system32\Cifdjg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 412
        20⤵
        Program crash
        
        PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4024 -ip 4024
1⤵
PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aoedfmpf.dll

Filesize
7KB

MD5
5115574d7ce6dddcc106490f9e631826

SHA1
4e0c0b2424f64e24b8a87224f4eb1d07a8addf6c

SHA256
a27a9ec1adc53cc2eb5b5f04c97342b542a9ab1f6d85be6b148d859802f7056a

SHA512
09d800c91b5d0e55ea4c1a276d41f0a4943002a5d3e1ac782db3ddcdbc573a8b2d634b58a61d0db24f93b250c1954219656f748dedda957e571278b2967fef7d

Download Submit
C:\Windows\SysWOW64\Cboibm32.exe

Filesize
96KB

MD5
ba8d1784d85c98cb7341fa4b910d98f2

SHA1
21a25885fb48fb9a89ec48123f78218c0e48c12a

SHA256
c638ec4be3d7b6d8869be2529c8f29a2d872443d9c42c1e6f2ca7b85c58bb331

SHA512
3379baaaabbdee314844b93c3998ffc67f14b882a95094fa7f0794ada0794b41200f5c962d810d7ae1560094b94fff1e566d0c627fae352ea0292d093f0d8936

Download Submit
C:\Windows\SysWOW64\Cdjlap32.exe

Filesize
96KB

MD5
c69f4c0c1e36a747ffa80d995786bca9

SHA1
88fdac40109f80a279ef0a5c3311590632f765ee

SHA256
fae18d33a48887ced8b75b72b664118799fbf0ed477793086f508bfc1b2e4c78

SHA512
ccca5d7c334dd1351dd100b7547763a1eb24b3db5a885983793b1079326a8d5610116da091b9bea6bb5472e0ec61495c0b27080efd452098ab0c0dcb4cbaf7e1

Download Submit
C:\Windows\SysWOW64\Cdlhgpag.exe

Filesize
96KB

MD5
befb45bf6f6ef6b7d05afc7c8d170a03

SHA1
730840d749a32b239c97b52262f32e8ba7fc2f37

SHA256
9650be77868af25e413e8fc1ecdc7c15411e4308baaf0606c53a48d80b1da963

SHA512
0bffaf991130d17a763de7a23c87dc8682079f3404e9d826b9f7c4f0374042ac8c55c69be7de9dbbf7675579f1046f26463d2d9cf206093773274c182bae0b7a

Download Submit
C:\Windows\SysWOW64\Cfmahknh.exe

Filesize
96KB

MD5
4e2368cdb374858e3289e0812723b3ae

SHA1
c6633cae3c66d49aa4502ec7cea93a6f24c6db8d

SHA256
d8f07ddb1f38ae41e7508a32ec007c551dd99a968649ccc14dd081e675da49ca

SHA512
eab527b67b182227dcc4225bff6b922a42c8666587d51a0e6d43d2779bbb1c528a013ab66901cc45a74ecf9ab053c85383f651b73633efc5f4fcbca28290d4aa

Download Submit
C:\Windows\SysWOW64\Cifdjg32.exe

Filesize
96KB

MD5
8ce97675c668eadc495c6e758088c2dc

SHA1
32c0eceb6437c526e57301632c1e4e74429be886

SHA256
548cd98de4e92e9c09457eede1f1e486a48ed97f0f498a47192f19eddd662cf2

SHA512
42ca15f9e2e99fca63bdddf5e4c9da4613377c5e08a35b6641a3b9c102bdc0b929d13d028dcf374119648269878e59f750ce2afdef77247d64ee67b42ceb1382

Download Submit
C:\Windows\SysWOW64\Ciiaogon.exe

Filesize
96KB

MD5
bddd8b98c872b85a71f025776e98e19f

SHA1
db52329bb8726adc7bf9373275e8609cd2bd3c4c

SHA256
cd2f5371d9fee69192ce55350d8cd95dc6b54edcfb7f80ae14f11b117a34d50e

SHA512
2bec522367f8bdbf4e1c3b281402f3c66626f4582e35d18d85ff1dee27ff4f71692113a78b9270e313a19e390dc410e23f5388b0fa93a58d3d6d2251e4e5643d

Download Submit
C:\Windows\SysWOW64\Cmgjee32.exe

Filesize
96KB

MD5
9a1dd6b25950db5de6973f14727c0cdd

SHA1
9a3d7feb26088b6d71f260dd3824169120c131c1

SHA256
c116168f178527adfe5fa56784a8207185131cfa15ac94e669539144b8379f1b

SHA512
d9321d3e493469cf775bdd3974ab1af2ea9d9134d44dcb24ca6ad1511bdcf572235bb1c30c290fdbafa4e8a50a3a658e9783c7887859a4986f15046a2344861d

Download Submit
C:\Windows\SysWOW64\Cpcila32.exe

Filesize
96KB

MD5
ca01c0ef7bb25265b9243f0ea8150a70

SHA1
749f5aa51f1439dda075234856c97270678f4600

SHA256
f94b0bd576a5cfc87f97adb32a35cc2b330f71b9df3302f12a815d7058c3a59c

SHA512
8fa985bfeb9bf2a08c686ac3b130d8a34809e326645f910377e0653e8fb807003e921afa466629f53af4dbfcfff7525e52becf4f54f11075d34492856518c07e

Download Submit
C:\Windows\SysWOW64\Cpnpqakp.exe

Filesize
96KB

MD5
70b7d393cd87ddaa20ccfb1e53bfad0c

SHA1
5a87e362554ca1f1d6bbbb578cb1b7781e48118f

SHA256
ecc48e592f196e05b4e6ce866717541373f567b00781b7079fadea8be4903959

SHA512
2fc2904dc6e45640b143d210f9e6c442cba8a7a39cfbc2815484d6b764cdfd0eb9444471bb0bb709845bb4412f883f8e108a32401943912521e799ece97464c0

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
96KB

MD5
2f13431dc22c8dcabd69754402c56c8b

SHA1
43fb523ef975838e65674a9592739102f274cb42

SHA256
008eea7d6c7b4314e7a4d9575d8b8b3bcf0efdad7f084b9f19296876916abf2d

SHA512
92bdcd16986aab11defa9fb01e82bb61c6c008c85cb9a47f7cd4c97efd1d7b75c5ee0f70325269280cad7a213f73dde4ad0b9d38ebe386909cfe2eea593b5519

Download Submit
C:\Windows\SysWOW64\Ddcogo32.exe

Filesize
96KB

MD5
b9149d541335ecbdafa8b1ed5856428a

SHA1
c762eba67e85955cc51b6289e2ec4a85e0fb4353

SHA256
f618a1dc93f60c879b5bad0d58c1f45432f7d640ab049eab069b302cf2fccff9

SHA512
78cee97e6e75ab89d9c49aac0ff4b95363f16047b8e6fd5d77dd1efeba5599489ed19e58ac3686c14084ac5f43483b97fbfc46180029b29a68bd236e26f7ce5e

Download Submit
C:\Windows\SysWOW64\Ddekmo32.exe

Filesize
96KB

MD5
ec1274e1ad1311f079aab943b030e52d

SHA1
601c6d251babcff1cef6c390274a08f432e79294

SHA256
ef5a277970fa0a2b1e11d12394d3db44c1bd4150cebced886971e8b2d57c5568

SHA512
45f67ed4abefa00b092bfdc6742aaa15ec63bec60fb34aafec0c0f7417ee69da09b1106d934fcc39ca788e75c78a4d93cf8506c53913ea8857eefe3ee325eb02

Download Submit
C:\Windows\SysWOW64\Dfonnk32.exe

Filesize
96KB

MD5
d7f1baf1bf4c7a1345dc70a5cf069227

SHA1
86133ba5297c644767404e1082f3b5fd436eb1b8

SHA256
0825136109844686f585e0336e4c9af40c7dda93212c4756698f22565a6ae8ac

SHA512
19c37cd39194188b6d3972076b09930525063d59a8b05ad207cda3509e5be8bddd2874675bc23a6d52ba08ec11de658086763bfbd5ef488c1b861aa368b8db40

Download Submit
C:\Windows\SysWOW64\Dibdeegc.exe

Filesize
96KB

MD5
ce3b9b4fad54db28ff9f53be65ff77a3

SHA1
41eba8d8b78f4b4bc09ec41a2aa6cd15842cde0c

SHA256
36736739cbac8c9be0fc7d0f2e808c061d1b5a0b9f558947ef52760c210c63a0

SHA512
040b03bb46baef4ec20e9044195305dd6ec53aa873fb560e17124832670b07f7c3afcd7eb97a03da41090c5f2b2b23286133c710ad0ffdefafc98d7c34e2ffbe

Download Submit
C:\Windows\SysWOW64\Dinjjf32.exe

Filesize
96KB

MD5
1e60c897cd9306228bdedc71f0781b5f

SHA1
38d48bc2ca748b0bd2989bb3e25efeffc3e0f8ce

SHA256
9f50f067aee560ef0c1a1b39f229f7d380d1ae08aaa6d40a8b0c42779bd3058c

SHA512
7d84d0d80b4d02a822c41757c67a5a1a35d8c4ed0713a9bd6e96d0450bb8795aae3eaa414e8846320d3183d018e1c9f3883e5e292f14f7db4807d56dd43a1569

Download Submit
C:\Windows\SysWOW64\Dipgpf32.exe

Filesize
96KB

MD5
8c1ed6f97e2fe1b21a923fffc7101afd

SHA1
84e88592d245dc036231eb948f7836d4e6e480b6

SHA256
898de21fad6c2d73a40dbd3032892d2e28dbee4823cb82e08ab86d1838b5f4ac

SHA512
6cb981069a83b2f04e31f4c299079b0400517b21665c08110025f8806b2c10f8e47bc879c4b6ceaeb1e645cd7812fc3c89070bcbbecaf2dfe61053abca3d95d6

Download Submit
C:\Windows\SysWOW64\Dmnpfd32.exe

Filesize
96KB

MD5
2c2fd4c96b81b2287f2c0af1257cbcce

SHA1
a978bd32dd949e85dd887dfaf28528c02168aef9

SHA256
752e6698201e83d938b3f03fcc91873adec843cdef19080bf21a41dc6024f575

SHA512
b7d95e35e09dab0a31585cc5397b82d92fb8782804f7826529e5c112923a4ebc534fb222dd6738ce850f695f6f340d835d6fce8c0233badadf7a3c582cb7c80e

Download Submit
C:\Windows\SysWOW64\Dpefaq32.exe

Filesize
96KB

MD5
8eeccde51a18406cee3500623e6836fc

SHA1
10773475fd79ceb144b18d7e811de345c2b17433

SHA256
12cdf973d5367283fc72a21126360c045fde80200433d9eb3eff822201d3cf01

SHA512
cc54fbfae347adb79b1f3140152d99f72b5faf3654e92e606c49e4714f9ccfc575fc12e306338bcdc127eca9e50c5ab5979022b3b2d4e520cbefe7e75fc11de6

Download Submit
memory/872-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2136-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2136-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-158-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-147-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2956-163-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2956-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3536-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3536-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3652-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3652-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3756-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3756-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3760-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3760-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3960-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3960-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4380-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4380-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-155-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4652-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4652-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads