berbew | ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651c

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
Size

90KB
MD5

d1976ae738ff8a2fe39ba82d767b4b80
SHA1

3aaf46c39210e34755951d399d9d6583228465c8
SHA256

ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651c
SHA512

36a54211d3e3233d675fcf7ca4e0cc7946b9eaf409ca5bde0a45e43cd4cc64b3ee2f8e3c992b95279b4fce4f8d1c53b84c1be3b82371e0af1d23fa3f02cae5ed
SSDEEP

1536:jSalIMkc+IIFmcx40fZ5rQN5PzeeKI9yVnQQC4fl8k/7TZP:OalIMk1lFb4IZ5QoeK83T498a7TZP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 16 IoCs

pid	Process
3544	Dhhnpjmh.exe
2484	Djgjlelk.exe
4576	Dmefhako.exe
4044	Delnin32.exe
4816	Dhkjej32.exe
2144	Dfnjafap.exe
4748	Dkifae32.exe
3104	Dodbbdbb.exe
4876	Dmgbnq32.exe
2316	Ddakjkqi.exe
1284	Dhmgki32.exe
2240	Dkkcge32.exe
1880	Dmjocp32.exe
3400	Daekdooc.exe
456	Dhocqigp.exe
3432	Dmllipeg.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3996	3432	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 3544	344	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe	82
PID 344 wrote to memory of 3544	344	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe	82
PID 344 wrote to memory of 3544	344	ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe	82
PID 3544 wrote to memory of 2484	3544	Dhhnpjmh.exe	83
PID 3544 wrote to memory of 2484	3544	Dhhnpjmh.exe	83
PID 3544 wrote to memory of 2484	3544	Dhhnpjmh.exe	83
PID 2484 wrote to memory of 4576	2484	Djgjlelk.exe	84
PID 2484 wrote to memory of 4576	2484	Djgjlelk.exe	84
PID 2484 wrote to memory of 4576	2484	Djgjlelk.exe	84
PID 4576 wrote to memory of 4044	4576	Dmefhako.exe	85
PID 4576 wrote to memory of 4044	4576	Dmefhako.exe	85
PID 4576 wrote to memory of 4044	4576	Dmefhako.exe	85
PID 4044 wrote to memory of 4816	4044	Delnin32.exe	86
PID 4044 wrote to memory of 4816	4044	Delnin32.exe	86
PID 4044 wrote to memory of 4816	4044	Delnin32.exe	86
PID 4816 wrote to memory of 2144	4816	Dhkjej32.exe	87
PID 4816 wrote to memory of 2144	4816	Dhkjej32.exe	87
PID 4816 wrote to memory of 2144	4816	Dhkjej32.exe	87
PID 2144 wrote to memory of 4748	2144	Dfnjafap.exe	88
PID 2144 wrote to memory of 4748	2144	Dfnjafap.exe	88
PID 2144 wrote to memory of 4748	2144	Dfnjafap.exe	88
PID 4748 wrote to memory of 3104	4748	Dkifae32.exe	89
PID 4748 wrote to memory of 3104	4748	Dkifae32.exe	89
PID 4748 wrote to memory of 3104	4748	Dkifae32.exe	89
PID 3104 wrote to memory of 4876	3104	Dodbbdbb.exe	90
PID 3104 wrote to memory of 4876	3104	Dodbbdbb.exe	90
PID 3104 wrote to memory of 4876	3104	Dodbbdbb.exe	90
PID 4876 wrote to memory of 2316	4876	Dmgbnq32.exe	91
PID 4876 wrote to memory of 2316	4876	Dmgbnq32.exe	91
PID 4876 wrote to memory of 2316	4876	Dmgbnq32.exe	91
PID 2316 wrote to memory of 1284	2316	Ddakjkqi.exe	92
PID 2316 wrote to memory of 1284	2316	Ddakjkqi.exe	92
PID 2316 wrote to memory of 1284	2316	Ddakjkqi.exe	92
PID 1284 wrote to memory of 2240	1284	Dhmgki32.exe	93
PID 1284 wrote to memory of 2240	1284	Dhmgki32.exe	93
PID 1284 wrote to memory of 2240	1284	Dhmgki32.exe	93
PID 2240 wrote to memory of 1880	2240	Dkkcge32.exe	94
PID 2240 wrote to memory of 1880	2240	Dkkcge32.exe	94
PID 2240 wrote to memory of 1880	2240	Dkkcge32.exe	94
PID 1880 wrote to memory of 3400	1880	Dmjocp32.exe	95
PID 1880 wrote to memory of 3400	1880	Dmjocp32.exe	95
PID 1880 wrote to memory of 3400	1880	Dmjocp32.exe	95
PID 3400 wrote to memory of 456	3400	Daekdooc.exe	96
PID 3400 wrote to memory of 456	3400	Daekdooc.exe	96
PID 3400 wrote to memory of 456	3400	Daekdooc.exe	96
PID 456 wrote to memory of 3432	456	Dhocqigp.exe	97
PID 456 wrote to memory of 3432	456	Dhocqigp.exe	97
PID 456 wrote to memory of 3432	456	Dhocqigp.exe	97

C:\Users\Admin\AppData\Local\Temp\ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe
"C:\Users\Admin\AppData\Local\Temp\ab5d2f6f367ef0912c48f836afcfd56d6533d6a1bf3f3d9fc7585e6b75c8651cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:344
- C:\Windows\SysWOW64\Dhhnpjmh.exe
  C:\Windows\system32\Dhhnpjmh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\SysWOW64\Djgjlelk.exe
    C:\Windows\system32\Djgjlelk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\Dmefhako.exe
      C:\Windows\system32\Dmefhako.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 396
        18⤵
        Program crash
        
        PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3432 -ip 3432
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
90KB

MD5
62529558c4d556da93ed6c963b03507c

SHA1
a45a6d868321ea2060121121bf7f822939b18bcd

SHA256
7576afc582aa41c48431f911d0a7e71131701e96ac87f6d815f1eddb27ee4503

SHA512
f6bf835472520c7e7362dcd0352d812a2f3f360c483c06be04a7994d94fa9aa8f49d24d524c3f8403b8e78d42ec522813cf00ebf563b2f0691e0bc1407f9765f

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
90KB

MD5
2026de118a40fdf35e16e304e941f4bc

SHA1
99d64d7df45f20650fb78fae70e61a9332732208

SHA256
5d2b13be4aa4e174b6f35b236872c1544a5eda239ef729c93bac32b164fbf1c1

SHA512
39d486e77913e1c4a5513859c0e53b33fbc757ce3eb52b14d98606262531a7958c1e6c324fd1e228db8141c7d47f3c918f5908f034edea5bb81809675d7d7b66

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
90KB

MD5
48de0a239daff56139604f7bb3b9b7f6

SHA1
15e3ca4e072ebb7aa03a38d82107b591dd2625de

SHA256
671e4114022b20efe1bdb1daab4d1600f0fcd42130e2bf1389e6230bbc44c3c6

SHA512
a6f8927d147d7b15c14b6fe3083798c0669f8618a6211094272097e2bfd718df66c344ddfc639520e5ee5ed9f81163e3e227994eecf5a9d46e1cf5259f588efb

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
90KB

MD5
09ae3d6cbeff0f99c95dd5c0cdf52007

SHA1
ee605680e1c28eda47e8c1eed8e8f0ef0a30713b

SHA256
66c9cd5e5b93bfaac2f72e95f7e14c819e6dc3516bbe25b76201f172f3397227

SHA512
135638a8336cb993a8a50b21b7be3758a6fafeb2b3797ae4eefaf9a1fac8c94c548e25a5d758a34905faf7731d329e6f961325d2a8bead07cb47951c64c32fd0

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
90KB

MD5
1d58feacf3db3ebb8b57868feba90002

SHA1
ef8d824b590a3974a7f4dd2b9170576420b4b94b

SHA256
1250db006d9c792bf4addbe64e993aba821e67a992ba48ce8b8811b9ebd1dd1f

SHA512
2dbef2fb8b6017c32df310d2df92c914c886f2ad1a0df7780315ee880a713d9ae74e4fbaa42adb6a7f2001328cbe0f7f02c0073473df3ff0c8f481ddd22c3cb6

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
90KB

MD5
7c2051775619f4107a1cb94d9e601e79

SHA1
f0997789ff2aaa5522c201c5692daf6c65066b4b

SHA256
026ea38f1f328174c71825ee335f057f27477582a1a3e66508156868a575a2dc

SHA512
2c84bee8b1550edf9f88131f727b5754252030e65a8ad43e2b63fa4a7c66d218109283667173902244f959e700e297978c742d6e8a6b6d30a29829abc46c82ab

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
90KB

MD5
5e8dc263d50dc59f8c4a1c0f630c36c5

SHA1
80c0b35bc217f33d0d965a4c140704a11c52fd0c

SHA256
ae47063d14beddd5373545d53f1288fe5bac114ed6ad1f125448c2fdcf06f521

SHA512
945efe422d4d966f88e9cecf883d1d1f5b7ac248356a85be71fac82ff5d263b39087730a42cccad7fdfde2cddbda4dd417896e85b25a648fb4208c98da71eae0

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
90KB

MD5
c65c0bc66cb45072a4bca095bd70a3cc

SHA1
ab30b47d0cc90a3ff7cfd95806a2915c8d94255a

SHA256
77f64a4308f007f5c229a3eb280b6d9234bb02743366e12aeabb903bfa2d1d3c

SHA512
a02ed4ffad3375f45297a7938e29da83de61e4155c996dccf9feb3ed36a49211403b6403d1cbd4ce468f08a913bad474daca21e623f4fd13a1af6a307a99a3da

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
90KB

MD5
56904f4c08ed60fae4fa8a3a08fd8c39

SHA1
9a72e49883633a3ab1a27b2a8cfba68a89bf95cd

SHA256
a9af9085e8b112b4b58aa804363e56239e6a47342de5b636659537590f1c59de

SHA512
c70bb1cbfc914664abc4495b8712c79f36c7ee2e2b346003d435efb2df0e507afd301fa1d168a85cc20a5de56c45c35befce1a0d26dc7cf8cad318abc56400fc

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
90KB

MD5
380cc850a5cd0cb9912537b38380a959

SHA1
ac66ebbd2d4f00e15a132ebf1e864b99b347a08f

SHA256
508d249d91c821190e9143edcb3696c72ad6af5dd289510a6e170246fcbe57a9

SHA512
a5c9f7f7384921d9c1962da8cbe7d6c5562d33179e6a7cddba2a094b372496df68892c40a94692faa118c399429843a7ade1444055ccddeba59a10dda5d40a99

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
90KB

MD5
ec92fe33447de8fb31428e916a33ea55

SHA1
5304b11aa91274762c6aa4f62047541df459b2cf

SHA256
c7a3de158d239f4708d6786862e4eba17c846acbfd865a582ffdd1390f2b5518

SHA512
e5f7d71d6a7b4db435e5b9f4aa857532ac4806fed1513138b079856424a42f060a513032898821fff7fdfa1b649d05d2ae25dcdfbee21bb4709556d41e713d3c

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
90KB

MD5
77b14a09c8b9e97ede11b96439478a24

SHA1
1d197224d513937223966dcd0c0536e9391e6662

SHA256
b56eb9fcdb79e221d7213622955da69f7f335d88ffae1da942259bb25a2f38fe

SHA512
b59879f8edace03ea0b8aa5e06713f3da53c364da9778348e3c09c88b943dae9920c48af3667c286766e5762687576c1010f6113fa449b4afae7eb8c95f23f3b

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
90KB

MD5
b9ce305841bf51823dfdfd4aeab6a388

SHA1
2132cfc9bd31a1e210384fa74b74e3694e4e6646

SHA256
faef5ee7b1a372337e95e0a0ca78eb23216d43ee7214ca55bb7c8c17958ec520

SHA512
fc5fbc2d0954ebcc11b89bef99194ba3a1a8454c168e50ed0d97b2d935ded11e1a7dcc471f740db6d6d9107c51bf504704f81d565ad1c7caf37500deb391e8c0

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
90KB

MD5
ed9906b4eb61012f36056a21fd5a400c

SHA1
6abd15ca103adfc9b6f0aad1269333d2c3784142

SHA256
f1647b356a2b015f86d3b0fe4da88fcfd8d46949e45dc913f20be64f9417b94f

SHA512
c3130e8cb1a329fb1fdb4c77b893de1209820d998216e252fdb571bfaa554954b27a4a986c4225a6d504ba3d722e5a40f9f562885b38215d285fe0dcc693baaf

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
90KB

MD5
ab97a4829e41f4c31542f1d2d2a5acfc

SHA1
4d9ea5b7a5c4d57b34cd696ccad50c77d14a5670

SHA256
0979e18d838a4820e10393743c433953fc6c196908bcdc528e5463629e0d2369

SHA512
46fa290e8c8af00e5ac681205dbcc3bc6c5de23c7962e63755b93822a793e87b52fd26d4859703019f7bcf103f4988adfc19ad9b868455d86b0c5b28fa812390

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
90KB

MD5
a41e2f1cbb4aa1a6c8aabb5390a41740

SHA1
f626d3f61a07e054964d5d2666bd288059769f32

SHA256
03d96ac06d73e57e35df756468cdbb039384e606af9a6a62fa6a2bb3ebf74f1e

SHA512
04b5c98d3011a505edb3e21cd3b3d51a190c3eef60d0b6ec97790e61a8e70b84641bdef4a9b807d1b277f852b91857c8e5a5472627d3dd7ea8503c5cd1a2937c

Download Submit
memory/344-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/344-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2484-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2484-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3104-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3104-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-131-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-154-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4576-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4576-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads