berbew | 4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a

Analysis

max time kernel
90s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
Size

76KB
MD5

2e830a93870f05d2b65b3922ac3f0bb2
SHA1

1b7fc8ecd0d023337cc30a100bb4aa528fa4b414
SHA256

4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a
SHA512

0fa905b847672b3e2e9390a68602597c3c1dacb83eda11bbaeaf8f63be76ace39315600f2e8b8779b50775b875f33317cf3f647bed2364a725ceeb113cfdb6cb
SSDEEP

1536:KxhMSm0Cvjz0CdgZB8n8ayMkXu5EcZF9lZJ3Aaqt+CBMFEVoA4HioQV+/eCeyvCQ:qhMSyjz0CdgZB8n8ayMcMHZ+ae+CCFmQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 16 IoCs

pid	Process
2140	Cjbpaf32.exe
1840	Cmqmma32.exe
1304	Cegdnopg.exe
2932	Dhfajjoj.exe
3632	Dfiafg32.exe
4728	Dhhnpjmh.exe
4940	Djgjlelk.exe
1772	Dmefhako.exe
1672	Dhkjej32.exe
744	Dodbbdbb.exe
4752	Dmgbnq32.exe
4464	Dhmgki32.exe
2224	Dkkcge32.exe
3476	Daekdooc.exe
1252	Dgbdlf32.exe
2424	Dmllipeg.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
860	2424	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2140	2588	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe	83
PID 2588 wrote to memory of 2140	2588	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe	83
PID 2588 wrote to memory of 2140	2588	4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe	83
PID 2140 wrote to memory of 1840	2140	Cjbpaf32.exe	84
PID 2140 wrote to memory of 1840	2140	Cjbpaf32.exe	84
PID 2140 wrote to memory of 1840	2140	Cjbpaf32.exe	84
PID 1840 wrote to memory of 1304	1840	Cmqmma32.exe	85
PID 1840 wrote to memory of 1304	1840	Cmqmma32.exe	85
PID 1840 wrote to memory of 1304	1840	Cmqmma32.exe	85
PID 1304 wrote to memory of 2932	1304	Cegdnopg.exe	86
PID 1304 wrote to memory of 2932	1304	Cegdnopg.exe	86
PID 1304 wrote to memory of 2932	1304	Cegdnopg.exe	86
PID 2932 wrote to memory of 3632	2932	Dhfajjoj.exe	87
PID 2932 wrote to memory of 3632	2932	Dhfajjoj.exe	87
PID 2932 wrote to memory of 3632	2932	Dhfajjoj.exe	87
PID 3632 wrote to memory of 4728	3632	Dfiafg32.exe	88
PID 3632 wrote to memory of 4728	3632	Dfiafg32.exe	88
PID 3632 wrote to memory of 4728	3632	Dfiafg32.exe	88
PID 4728 wrote to memory of 4940	4728	Dhhnpjmh.exe	89
PID 4728 wrote to memory of 4940	4728	Dhhnpjmh.exe	89
PID 4728 wrote to memory of 4940	4728	Dhhnpjmh.exe	89
PID 4940 wrote to memory of 1772	4940	Djgjlelk.exe	90
PID 4940 wrote to memory of 1772	4940	Djgjlelk.exe	90
PID 4940 wrote to memory of 1772	4940	Djgjlelk.exe	90
PID 1772 wrote to memory of 1672	1772	Dmefhako.exe	91
PID 1772 wrote to memory of 1672	1772	Dmefhako.exe	91
PID 1772 wrote to memory of 1672	1772	Dmefhako.exe	91
PID 1672 wrote to memory of 744	1672	Dhkjej32.exe	92
PID 1672 wrote to memory of 744	1672	Dhkjej32.exe	92
PID 1672 wrote to memory of 744	1672	Dhkjej32.exe	92
PID 744 wrote to memory of 4752	744	Dodbbdbb.exe	93
PID 744 wrote to memory of 4752	744	Dodbbdbb.exe	93
PID 744 wrote to memory of 4752	744	Dodbbdbb.exe	93
PID 4752 wrote to memory of 4464	4752	Dmgbnq32.exe	94
PID 4752 wrote to memory of 4464	4752	Dmgbnq32.exe	94
PID 4752 wrote to memory of 4464	4752	Dmgbnq32.exe	94
PID 4464 wrote to memory of 2224	4464	Dhmgki32.exe	95
PID 4464 wrote to memory of 2224	4464	Dhmgki32.exe	95
PID 4464 wrote to memory of 2224	4464	Dhmgki32.exe	95
PID 2224 wrote to memory of 3476	2224	Dkkcge32.exe	96
PID 2224 wrote to memory of 3476	2224	Dkkcge32.exe	96
PID 2224 wrote to memory of 3476	2224	Dkkcge32.exe	96
PID 3476 wrote to memory of 1252	3476	Daekdooc.exe	97
PID 3476 wrote to memory of 1252	3476	Daekdooc.exe	97
PID 3476 wrote to memory of 1252	3476	Daekdooc.exe	97
PID 1252 wrote to memory of 2424	1252	Dgbdlf32.exe	98
PID 1252 wrote to memory of 2424	1252	Dgbdlf32.exe	98
PID 1252 wrote to memory of 2424	1252	Dgbdlf32.exe	98

C:\Users\Admin\AppData\Local\Temp\4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe
"C:\Users\Admin\AppData\Local\Temp\4ed1ba6661f79d8cb078aa627ba04af980557ad926415e6bf8985f6aaf98437a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\Cjbpaf32.exe
  C:\Windows\system32\Cjbpaf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\Cmqmma32.exe
    C:\Windows\system32\Cmqmma32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\SysWOW64\Cegdnopg.exe
      C:\Windows\system32\Cegdnopg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 396
        18⤵
        Program crash
        
        PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2424 -ip 2424
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
76KB

MD5
72cee42454c95e9a0b40f09d56948826

SHA1
70c679842199f27f75b615866d954b9228fc02ce

SHA256
1bd7c23da5df18ff24b04f2f495659d669593da62fb11aded042357f032119a7

SHA512
01ba3f72c4084fe70a81e7a5a906e2047764c9f2044adfc6afa16ecc8acbb188a21403b32ddc1f0d685ca54486bdff74bacd2aa9ed276bfa8e8306ac326c12f1

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
76KB

MD5
9f078188fb98e4ecdfafb04791667011

SHA1
8779a02c8c05240443035a7c276236faeb52ce6d

SHA256
7f564f4597fe00a939c951c5541f2f9a4566f07b61afb7de9c1d0e386f8e0175

SHA512
38c732b8735b8837da984d27764b132285f88124b8005acb1f1e7a6bc62655d75f6188deb964a107fd6ec28ded4dbe9e313836c5603737a564597b96f243593d

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
76KB

MD5
952e7e51e7c5bd95b66feda7ef8649a3

SHA1
e9beb44b76a33bc78333b55452507573ce4d46b5

SHA256
a8e6451ad67981145ae537a4420e031c680cb08dc229e131c7a80cfd0d143452

SHA512
05bac4cfb89d7c0f8503c132206fefa59b2b58685ed13b302f0cc99f3d62021a9a60a506e5524d08b8771b15bd6b787444c15f64533d459218ec9d0ecc405dcc

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
76KB

MD5
1f705cb903528664b2f90c124bcc948f

SHA1
da3b233b7734e415549f7fcb119b84504533434b

SHA256
2d70aebca11122d488b772e0d52fc4133f0eca8d31ece99d823e0307f1544ddf

SHA512
924f60785bdf954bda21e830be43d85d24becd45f4705ca12a80a5c2cfc58bba376ca10aefd49c4dc81e9fa6abffe814b9d6081750bff254f61ec2236083d181

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
76KB

MD5
9f0c31225a9ab46ff5566363d4811556

SHA1
c03d26e42138cb5874af7e5d6627a2810f31feb3

SHA256
4e53dd2e0e4a3b68b488a61a9cc70e6edc89a754bf280c039fca3262f1a2c22f

SHA512
e3094a311adbb83508202221adb0e12bd731f507cfb308d09a2693431912b01782e0671216366b374a9fe055a2c90aa66a82731ebbd57ab7ef10785a537e6b81

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
76KB

MD5
4a3635c1835147d32340699f36a7de19

SHA1
b959150cb22bc3a386671adbd8cefc4244788e9c

SHA256
4f4b21695c177702952378c32a479468ebb2ebb2b3bd3ca44e4555288fce832b

SHA512
f42b7ede088d39934ade5ce7b88ccb7f555689a0407f22668db3176d6d477f05ad85bdeafd6f5233aecb7ef7ae489491efc41fb058877d03ca0f42708cab31de

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
76KB

MD5
bb96fd01343833df675428f647ac5bea

SHA1
c2ad7ef55f6491ad7810ad20ac56f3c13e09f7e3

SHA256
86bc67635000f85ff3a76826bccc899e7421bcf353a42583689789d433f9d61e

SHA512
5d2859db508988a45f0e258eb8bb15c7467b6959c402679b083e35f34efb11881bab6dc283b701c04ea71b1de3c593d62a01630c11d8cd1738ee28182e648ca7

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
76KB

MD5
d4a9aa312a210136875c6ee4d6fb37c1

SHA1
ca8dbb634d0fad34f82d231d03dc28d5db3caae3

SHA256
0fc96665424caa0fd54f0ec6f80b37cebcd3f0ce2d8c0063d8cbddac0e03fada

SHA512
3e9f80373c23e1b1736eca381fb7752057be172ffda398fcc5e23bdbfa4c74d74ee3ace6d71c29830c263255800dd2d2520d15edaa8b1a136a97942f8552c0a6

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
76KB

MD5
9b5607ea0ced2bb653531d83125a112e

SHA1
c7c5e606f1ae18ccb29ab4084e6d20b0d0369cb0

SHA256
d0b577196f3540d9c537140997377e019a2150230e88826ee15b726ac8ffcfa7

SHA512
13deefa22c783de496263872da6c38019e994ef44cccedc243f8aaaff13909714490750a61d8727745b7bb85b8a1ff5c3319b337a4eb3240e6b6cbc6b8678345

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
76KB

MD5
e95b494936c08f578fe2a693e0379152

SHA1
eac070cf39708d332d2c158e6bbbe20a278ac86e

SHA256
4981d1e9c8e3d29df5aa84df3597a39e57b3ff3ecde94a7b46882a4c0a1f6648

SHA512
0c638593dd3d88ea285535a8a4fcfac43237952139bdfc85850afca617278a51c68f38fadf1ee31d3860a9b76e580f1c4e8ad86f295ab1f12ea664c990b55617

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
76KB

MD5
c13ce0f2c527c7fa690ac20e5147476a

SHA1
f672a92350d2a617087a5e1347d5c4811eee8ef5

SHA256
e6f373f4ec296ee7ceab9ba49252fee2c0144a4a35ae4ff57c6055e656f2d7c8

SHA512
ffcd537d41be73dc601973294388901ed2b8d479ada62db6ef7b3dadb48174f9721a328daeef856a027e7ba6df9cce4353e4eb99c649ed0034d00ec740adefa0

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
76KB

MD5
72a08ff4b1fa03d778249801867cbcdb

SHA1
369f07f8d729efc02edaed6c7ad5834a9a52534d

SHA256
7af8d9a4e0497cdcb03b461dc11f48589dd836245a0b917d7cbc8b99eec038af

SHA512
05a36180012161a6cb53f0e37c3c654b49f330c2a835dc1a0befd472af8e51d6d64acfaebade31ff0056fd2e3834caeebf380561859e4fc4714c8583daee0c6b

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
76KB

MD5
7fd9e42be61d95001b6bb1499203cd45

SHA1
0537458ca31d4e6c4dde9fd78386add1f9ab4d94

SHA256
ed307512f5e187ae9d65830ba8ac525a77678590329aa7947cd5d6839b01967b

SHA512
edc2f9f6e7d8d4c377a079771b15de57239e09693e26b2c7bf396e4e5643028b9b0796eccb2fdd57ba41f3325e5f9cca08d2dae57ede51bc049ba4bba523e912

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
76KB

MD5
0dffde8a43830c564fd1d319fa977995

SHA1
49de2960168e3f551ceb33168c92e640bdfe5290

SHA256
663d1ce6cdba6dadc588f3cf564179046ac8ff2dc7691620c80953657adf46c0

SHA512
15326de470a95b883a1d48cd2c31a0c149dcbe619a082bc4422e91a1783ae3f20ef89e8948002b0f765861123998298773c97e9d64fac6fb9e1ab4a34f0edc11

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
76KB

MD5
38135c0704208846dfd24f68fbd09cb9

SHA1
175a2fdf7359803b447682b922335c90831dd6af

SHA256
f83630d92f14bba852f2ad6c09abc7aecf080bc860496033bb4be0c47709ed99

SHA512
c386bffe97e2728deca7a1a077c772fab683643e2e36439d2f7365718e4f54ef40cfbe330aa038caf816f2b537c498ace66f3712cd3274678113fbd4422fa585

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
76KB

MD5
1347fc776965525582665a05b9de611f

SHA1
43c47ec96953b1e8dbb3740b4240dacf08682a1f

SHA256
21820d6c6554156957c94bd797f6a7712024e1db74d6ab46be2bd6081c300561

SHA512
93cca04ecca239f6676173501370e7530c7f15728a54158d9a7d761b3ba09b68d0c2c05090394d4cc1e7bfe60731e19bed37f740676bf7cb431e35f83a24da26

Download Submit
memory/744-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/744-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1304-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1304-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1840-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2932-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3632-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3632-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4464-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4464-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads