berbew | ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
Size

96KB
MD5

40a42eb9cd3fba332e4a7f4fff03dfe1
SHA1

7512df72ebc2563de244ef8ea09b66a7d8a37c9b
SHA256

ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc
SHA512

3b305f1c6668c87459e0b6a37ba8947057de3eb633100161cc1f6be98d6dd229e0b9b6e7f70ed16f979b5f33cad812ecba69481b27f85793c3f1d0610df61abd
SSDEEP

3072:4DQ0M5tJ0du7EC4bK4rsbaZSs4noakXON:VAC4bK4rUaZx9i

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 18 IoCs

pid	Process
3608	Ceehho32.exe
3656	Cffdpghg.exe
4020	Calhnpgn.exe
1392	Ddjejl32.exe
2920	Djdmffnn.exe
744	Dmcibama.exe
1480	Ddmaok32.exe
1640	Dfknkg32.exe
5084	Dmefhako.exe
1508	Delnin32.exe
2760	Dfnjafap.exe
5060	Dodbbdbb.exe
4084	Ddakjkqi.exe
4880	Dfpgffpm.exe
2280	Dmjocp32.exe
5096	Dddhpjof.exe
4032	Dhocqigp.exe
3380	Dmllipeg.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	3380	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 3608	3896	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe	82
PID 3896 wrote to memory of 3608	3896	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe	82
PID 3896 wrote to memory of 3608	3896	ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe	82
PID 3608 wrote to memory of 3656	3608	Ceehho32.exe	83
PID 3608 wrote to memory of 3656	3608	Ceehho32.exe	83
PID 3608 wrote to memory of 3656	3608	Ceehho32.exe	83
PID 3656 wrote to memory of 4020	3656	Cffdpghg.exe	84
PID 3656 wrote to memory of 4020	3656	Cffdpghg.exe	84
PID 3656 wrote to memory of 4020	3656	Cffdpghg.exe	84
PID 4020 wrote to memory of 1392	4020	Calhnpgn.exe	85
PID 4020 wrote to memory of 1392	4020	Calhnpgn.exe	85
PID 4020 wrote to memory of 1392	4020	Calhnpgn.exe	85
PID 1392 wrote to memory of 2920	1392	Ddjejl32.exe	86
PID 1392 wrote to memory of 2920	1392	Ddjejl32.exe	86
PID 1392 wrote to memory of 2920	1392	Ddjejl32.exe	86
PID 2920 wrote to memory of 744	2920	Djdmffnn.exe	87
PID 2920 wrote to memory of 744	2920	Djdmffnn.exe	87
PID 2920 wrote to memory of 744	2920	Djdmffnn.exe	87
PID 744 wrote to memory of 1480	744	Dmcibama.exe	88
PID 744 wrote to memory of 1480	744	Dmcibama.exe	88
PID 744 wrote to memory of 1480	744	Dmcibama.exe	88
PID 1480 wrote to memory of 1640	1480	Ddmaok32.exe	89
PID 1480 wrote to memory of 1640	1480	Ddmaok32.exe	89
PID 1480 wrote to memory of 1640	1480	Ddmaok32.exe	89
PID 1640 wrote to memory of 5084	1640	Dfknkg32.exe	90
PID 1640 wrote to memory of 5084	1640	Dfknkg32.exe	90
PID 1640 wrote to memory of 5084	1640	Dfknkg32.exe	90
PID 5084 wrote to memory of 1508	5084	Dmefhako.exe	91
PID 5084 wrote to memory of 1508	5084	Dmefhako.exe	91
PID 5084 wrote to memory of 1508	5084	Dmefhako.exe	91
PID 1508 wrote to memory of 2760	1508	Delnin32.exe	92
PID 1508 wrote to memory of 2760	1508	Delnin32.exe	92
PID 1508 wrote to memory of 2760	1508	Delnin32.exe	92
PID 2760 wrote to memory of 5060	2760	Dfnjafap.exe	93
PID 2760 wrote to memory of 5060	2760	Dfnjafap.exe	93
PID 2760 wrote to memory of 5060	2760	Dfnjafap.exe	93
PID 5060 wrote to memory of 4084	5060	Dodbbdbb.exe	94
PID 5060 wrote to memory of 4084	5060	Dodbbdbb.exe	94
PID 5060 wrote to memory of 4084	5060	Dodbbdbb.exe	94
PID 4084 wrote to memory of 4880	4084	Ddakjkqi.exe	95
PID 4084 wrote to memory of 4880	4084	Ddakjkqi.exe	95
PID 4084 wrote to memory of 4880	4084	Ddakjkqi.exe	95
PID 4880 wrote to memory of 2280	4880	Dfpgffpm.exe	96
PID 4880 wrote to memory of 2280	4880	Dfpgffpm.exe	96
PID 4880 wrote to memory of 2280	4880	Dfpgffpm.exe	96
PID 2280 wrote to memory of 5096	2280	Dmjocp32.exe	97
PID 2280 wrote to memory of 5096	2280	Dmjocp32.exe	97
PID 2280 wrote to memory of 5096	2280	Dmjocp32.exe	97
PID 5096 wrote to memory of 4032	5096	Dddhpjof.exe	98
PID 5096 wrote to memory of 4032	5096	Dddhpjof.exe	98
PID 5096 wrote to memory of 4032	5096	Dddhpjof.exe	98
PID 4032 wrote to memory of 3380	4032	Dhocqigp.exe	99
PID 4032 wrote to memory of 3380	4032	Dhocqigp.exe	99
PID 4032 wrote to memory of 3380	4032	Dhocqigp.exe	99

C:\Users\Admin\AppData\Local\Temp\ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe
"C:\Users\Admin\AppData\Local\Temp\ea4b63fd66021a741ba7bda217e7e892a2d3483da569f7864ded87808b14e4fc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\SysWOW64\Ceehho32.exe
  C:\Windows\system32\Ceehho32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\Cffdpghg.exe
    C:\Windows\system32\Cffdpghg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\SysWOW64\Calhnpgn.exe
      C:\Windows\system32\Calhnpgn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
      - C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 408
        20⤵
        Program crash
        
        PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3380 -ip 3380
1⤵
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
10899030c8e72a38284a0d284d5435e3

SHA1
fa901d612dbed5ded5795efbb4caf63911e8766f

SHA256
4bcb6b3e048af052b703e081ee553d109cbe191bf3cc4b63035ca907dc38577a

SHA512
2ccd7cf2ad0042d0bbcb0ffd7110ab4aa902bf2302fe1162a30549b2c38b05343e77eaba65eac99de9fea0464afc21a119559d89d1827bda83a725c6abefbe72

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
02e6b10dfa7c75705cc449401641cb17

SHA1
8d5eba6f44608825c0f7cef116841095955e9c70

SHA256
c4b9834781235eeb3858fdc94864d92cd62927c07c2397aeccfdd5324628c8bc

SHA512
c4ef8aee32fc7a1ac6c2fbbdfad8803deb03f6547400860812f0bb8c4630a7b7a3b0697e747c8083272896f552b7eba9192539633e070df8f3d58c5cefdc76ec

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
96KB

MD5
ac3eb546564db3910418f59536b5671b

SHA1
b7fb86d3795ca495bf529e07c8dcbb79ba0a4901

SHA256
40443a2080bdfb00ba2bff2f05f799796ea34a53c64739206e9715bb3fe2f408

SHA512
84bcdc262abb2861fc09e1e47a470909bedf68b7c2b9944991567145e57053fc832335c8c364eb6e4aa3377610075d1fa7d81313991343eb9073532f84622c36

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
ce8907e687d814a89d4ec9d9f5efdfe4

SHA1
4f2e37d5c9ee85c45a2cc66822c9c51321d5090c

SHA256
2c4df28e5f60e59f413db267680bcb0e938e90aeb75461799a84c220917a9cb3

SHA512
cc23ddcffe773b2a9701e9f701cf91b9b5dd963fe7381d3102db62ee1f12804070ad8ffdc6a2061b2ef796a9f15bd766f9556ff475880d4d7015e60e54159fd5

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
027a0f5cafe09f689f7dbb1bcf8227f9

SHA1
be62d58612a2db66afdd81f6c68f4899960cd36b

SHA256
416679c2539eaca68d4127c27e071c15ffd97a34cdb3a3d7a9f6e1ecbc27d6fb

SHA512
d535094c9ff08800523fb3210111a5ee7f1a0768a9c47afadee3a40a7fd1794edc01224a90552bcba39c7e745898b0f15b10eea514644b7085eaf2c949ac24b5

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
96KB

MD5
fb6a9116b9af4e662d4771ad04f12e2e

SHA1
ebd0ad1034c6a2c7076dfc2d57974d026b8db656

SHA256
d1bdc3ff8ca1df8f791bcc6cac5152103a52e8ee61a34bf20d3e902e94349a96

SHA512
a17dd3055a0a51eea0cf6a8363b4926534833963ef20f3ffcd32d22c3c6f72e1cbe467791509fff4dd307f943be40fdfde035c1423cd3b96a374e042fd6d24a4

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
e5946528ab267529ea5d4d964ed43b99

SHA1
1b0a45855dc2aab412e01427312f470903de5584

SHA256
2ec8dc791d580507b02461af98ca743e75371006cde103387e76204e39d13def

SHA512
8f8d9755fbcbf71b576518b13435398f90cf5806a6d4c3729393f347775b2fc4633e810ffc9b7e3701b5f551f7bb00e73ea9c016ca63b3ccb4147937b08195f7

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
fcd05a3b8218cb96363ae80999557ff0

SHA1
e68876ea8c3cb25e0d4c2f376c956b49ae2a025e

SHA256
d6dd7295d036ef3e091cc6377992584c4e85e3973db669122011fbdc22cf1385

SHA512
17122fc59394d1359556cb06aee8ad5c7bbc3d0fe50b095a4a7adc56e77daad8465aefaf367bf1cb330aa30baf831e73b2f0c08e2702047a83771e076c99173c

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
9dfc77c194b33cae18cd720b074b5330

SHA1
95a01d1c28376511e37618213f9b3cff1a550232

SHA256
21582926b1b246ca322c5e27d2d0497aabd55e73b49294319e3fb807f47e8862

SHA512
182fe81940bb46f44b78a6647e920e02b21a9e13959a2235644526d5f6c090d725c838569171f642fd777ea63ddaf411750a4009fc8ef4596808a3eeeb658e00

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
680b3b06a73eec09923fbf1cec3234c6

SHA1
4f85c66d63ffa6b8f42fbd58e6321456f07bb3f8

SHA256
370eb3a5e2adc3c55eb32832807f4695425dcb0b53cba104f1dd2374a8fb4de2

SHA512
8a46a06ffa045442672a15335330f621a78cfe23d841869c7cada64ecc41596fb062b2c534ce5628e24be401ee43f1026888b69cc0d6c8c6e0ba2cc74f1b45a3

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
3291c84484ef91ded4b8e3050b748432

SHA1
8ad7a2b495c331063c4434e074beb3d9a965b3e1

SHA256
163882ca5fbb7014ccd1964766adf02cb8ba929d2a2bf88601e2d62f695dda37

SHA512
b3a4f31928af57f976c399b3f5adb722af2f09117dd14eb56078bb436e6f0c5c0d41a199d02ea0e9eb8d78c275640d0f195405b374eced0432336b5140c233c8

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
96KB

MD5
23747d915c98411e53b08e5046e471fa

SHA1
e0fade3068294119ad8c6435aac3c265d7244c18

SHA256
748456bc6b2b46c3883a38d73f9e31d5519d8e353427fbf6eb419bd5d8a9714b

SHA512
d03007b9188845e57398f2632173c738261f1c6c0a9c933373835971157ac25e50c23020b241ceff2b3ecf550d69f05a364f2cdfe9c2005127eb2c0a3e1a4af5

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
1aabe7910d53a57c6ac399783380281a

SHA1
3eb014a73282bd04dcece8f08caccadd84150b76

SHA256
4a4c5ba6f9c029d5bb0d99fee0c368c110c6a097e969a99f9777e3eac771462f

SHA512
7ab867a560d06f4fc96c65dd72d87e309502e40955d37ade1efa93c3f5ecd009fcf6f5eda6ddc8ff79aeeb7d9d7a053909c8461c92bcd3d7eb7f2833df5a8cb7

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
f42dd56c26651769bd4aec7dff378321

SHA1
5998e917422b7e6322e384d9c5a795e4e4150a77

SHA256
f65ff4b16cdc9f85e3331ee008344282da114cbf4eeb98beca1d2aa4b756125b

SHA512
d21586c258415964572ad379bec69338cc0d95922e364f7d51435585effd6bfb478a4ab3edb657291fa6a488373768a1a0c19255c74e8ff9f0765430c4fcdfb4

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
5eb0b255362bd2eb25e023ad51270171

SHA1
d925b4da4e4924ff3934f5470870cf9ce013f497

SHA256
7cfaa083d6421a1374b26b264967fff5f5461131354b9ac8cee884e356a55a2e

SHA512
18b6d4c1532388ed36831e2c14f88b79a63ab438156d92b2c9ff0b4e46487ffe580664e9323e29339e32d67af6d3ad2202810f354c74f7aa3f9ececeb108c94e

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
96KB

MD5
ea54adf18c9dbc1619f60a57c10aba1d

SHA1
dc163a1361e076b7dd1830129a391cd0cf2474d5

SHA256
605ed79ff8e912dcb500fc618e0b3f556dbbd21e6fde0df27b9c8418b1cb8eb8

SHA512
63305c351272dc6adbacb2f5b1b883c2c1637d11135e218e0b178e782aab5c75c7e324eaaa9fa617dbab3b2acb4e517b7e90e56c341e43d7788d6cf05d25bc64

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
4b7e8490ea18adb0dcc3eff24c3c23eb

SHA1
0c3f5198572c86eca2f8ee420386421e25b19217

SHA256
bb15a6904dd25ed36649a6221a73407265f60b8a01d50029e56b38d6a947f70d

SHA512
0448a9d8c6e8b8d1a967ed6713fc65963a92ff8fa9665f79d4be63fc4302fdee8fc33f586c74db18beca4514907d0e7a42ccb5adb46351cbbcdb697b7891549b

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
3fc080074f77751b707c9ed6991242ac

SHA1
d4b25d7e763729179fc172593985825766d8966a

SHA256
64f6533c2a9ccda3be8ceb3fd8b63479fc40f6865ee0d9801ef21d72f350e89a

SHA512
d1eadea738742e592d979a2a47324caf783106c7d5e31c6aaa903a8eef5e7ede23c50e2431d1521b8931e90501ea582e8d601571e71ff696707892767b3ed4bf

Download Submit
memory/744-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3896-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads