berbew | 7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2025, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
Size

93KB
MD5

b6b51af4787a03cf7e2c2ca6243ee74f
SHA1

2b6d45809e81efaf11e29cc09a48ed848d166fd9
SHA256

7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a
SHA512

63d51ca08a95f12a4fe2dbf58b9f88b3dbc0ddee780abf497e9c99e0c5d42ef0b734c331cd00b6023c763a43e719af4baa32e1ce1065a5c9d9499da93d33e126
SSDEEP

1536:V6FLQv3ZLDXRlkofD7Q8B64yLzhwywrjrpZGkk51DaYfMZRWuLsV+1D:EFEvZLDXRmznwBrjrp8kk5gYfc0DV+1D

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 18 IoCs

pid	Process
4040	Cmnpgb32.exe
4172	Cdhhdlid.exe
4368	Cjbpaf32.exe
3472	Calhnpgn.exe
2480	Dhfajjoj.exe
2716	Djdmffnn.exe
324	Dmcibama.exe
1496	Dhhnpjmh.exe
2520	Dobfld32.exe
1692	Delnin32.exe
3424	Dfnjafap.exe
4960	Dodbbdbb.exe
2180	Deokon32.exe
460	Dhmgki32.exe
4196	Dkkcge32.exe
968	Daekdooc.exe
216	Dhocqigp.exe
888	Dmllipeg.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3452	888	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4040	5004	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe	83
PID 5004 wrote to memory of 4040	5004	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe	83
PID 5004 wrote to memory of 4040	5004	7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe	83
PID 4040 wrote to memory of 4172	4040	Cmnpgb32.exe	84
PID 4040 wrote to memory of 4172	4040	Cmnpgb32.exe	84
PID 4040 wrote to memory of 4172	4040	Cmnpgb32.exe	84
PID 4172 wrote to memory of 4368	4172	Cdhhdlid.exe	85
PID 4172 wrote to memory of 4368	4172	Cdhhdlid.exe	85
PID 4172 wrote to memory of 4368	4172	Cdhhdlid.exe	85
PID 4368 wrote to memory of 3472	4368	Cjbpaf32.exe	86
PID 4368 wrote to memory of 3472	4368	Cjbpaf32.exe	86
PID 4368 wrote to memory of 3472	4368	Cjbpaf32.exe	86
PID 3472 wrote to memory of 2480	3472	Calhnpgn.exe	87
PID 3472 wrote to memory of 2480	3472	Calhnpgn.exe	87
PID 3472 wrote to memory of 2480	3472	Calhnpgn.exe	87
PID 2480 wrote to memory of 2716	2480	Dhfajjoj.exe	88
PID 2480 wrote to memory of 2716	2480	Dhfajjoj.exe	88
PID 2480 wrote to memory of 2716	2480	Dhfajjoj.exe	88
PID 2716 wrote to memory of 324	2716	Djdmffnn.exe	89
PID 2716 wrote to memory of 324	2716	Djdmffnn.exe	89
PID 2716 wrote to memory of 324	2716	Djdmffnn.exe	89
PID 324 wrote to memory of 1496	324	Dmcibama.exe	90
PID 324 wrote to memory of 1496	324	Dmcibama.exe	90
PID 324 wrote to memory of 1496	324	Dmcibama.exe	90
PID 1496 wrote to memory of 2520	1496	Dhhnpjmh.exe	91
PID 1496 wrote to memory of 2520	1496	Dhhnpjmh.exe	91
PID 1496 wrote to memory of 2520	1496	Dhhnpjmh.exe	91
PID 2520 wrote to memory of 1692	2520	Dobfld32.exe	92
PID 2520 wrote to memory of 1692	2520	Dobfld32.exe	92
PID 2520 wrote to memory of 1692	2520	Dobfld32.exe	92
PID 1692 wrote to memory of 3424	1692	Delnin32.exe	93
PID 1692 wrote to memory of 3424	1692	Delnin32.exe	93
PID 1692 wrote to memory of 3424	1692	Delnin32.exe	93
PID 3424 wrote to memory of 4960	3424	Dfnjafap.exe	94
PID 3424 wrote to memory of 4960	3424	Dfnjafap.exe	94
PID 3424 wrote to memory of 4960	3424	Dfnjafap.exe	94
PID 4960 wrote to memory of 2180	4960	Dodbbdbb.exe	95
PID 4960 wrote to memory of 2180	4960	Dodbbdbb.exe	95
PID 4960 wrote to memory of 2180	4960	Dodbbdbb.exe	95
PID 2180 wrote to memory of 460	2180	Deokon32.exe	96
PID 2180 wrote to memory of 460	2180	Deokon32.exe	96
PID 2180 wrote to memory of 460	2180	Deokon32.exe	96
PID 460 wrote to memory of 4196	460	Dhmgki32.exe	97
PID 460 wrote to memory of 4196	460	Dhmgki32.exe	97
PID 460 wrote to memory of 4196	460	Dhmgki32.exe	97
PID 4196 wrote to memory of 968	4196	Dkkcge32.exe	98
PID 4196 wrote to memory of 968	4196	Dkkcge32.exe	98
PID 4196 wrote to memory of 968	4196	Dkkcge32.exe	98
PID 968 wrote to memory of 216	968	Daekdooc.exe	99
PID 968 wrote to memory of 216	968	Daekdooc.exe	99
PID 968 wrote to memory of 216	968	Daekdooc.exe	99
PID 216 wrote to memory of 888	216	Dhocqigp.exe	100
PID 216 wrote to memory of 888	216	Dhocqigp.exe	100
PID 216 wrote to memory of 888	216	Dhocqigp.exe	100

C:\Users\Admin\AppData\Local\Temp\7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe
"C:\Users\Admin\AppData\Local\Temp\7ba9df497d8de5ceac5a52d5fd02bca8800d64395cc9533c3ed58cad52184b9a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\Cmnpgb32.exe
  C:\Windows\system32\Cmnpgb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SysWOW64\Cdhhdlid.exe
    C:\Windows\system32\Cdhhdlid.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\SysWOW64\Cjbpaf32.exe
      C:\Windows\system32\Cjbpaf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
      - C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 404
        20⤵
        Program crash
        
        PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 888 -ip 888
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
93KB

MD5
85b6e5a15512699c74d77704b96cf113

SHA1
a91ba7ef9cb11b288bc2344c4bb2e4fa33174499

SHA256
96e111cc5ed8fa04665bb16728e059f8a991e334af6e2ed6d90ca83287e5abbd

SHA512
067c50ccfcc56322294ade00058ad3fc166325394e092f6b5a43dc7d1883aac305c51a44d7c25538950e03284ecfb17eb18f0617acc003c51462ffc2bb263613

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
93KB

MD5
12c2901a4a0e3237f39405f515199963

SHA1
1b74563fd46dfc6d090e0408fd8351e108851ac0

SHA256
8a3146fb1b73a4e5c38b7a940f557bfafd2e9064748beb42d037d17bd9989df5

SHA512
5820a67125c928366778c28d3cd129ddc8290cc836e5e06bc15937e8b1a0fa9e9615407065dce2723ec830cb39338038670d75d27d1c0a667857e90c0584ac1e

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
93KB

MD5
5790420d4d61a78397cc3cf00f2430e2

SHA1
e8c6066aa6fa8ea1107d416a0c35508a58ddd534

SHA256
462c81d748a6b7e9c4c9c1ec0e8ca6a8556ab92b98da50e833d9e5c66c784475

SHA512
b2455b2a86d8b5dd3cbe4f19e47d0ce17ff90f9df4b9826a6b0de0d4a1ff31a35f22fcbc531675da0871568388e93c43b318a6d0e9cd530103b928b0ffc64283

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
93KB

MD5
496490cc2c0e7074bd3652470145c318

SHA1
ea8bad0beb2136463896b24231a158f473e96628

SHA256
b3789bd2a4d812dd8eab125d63c1bf7c7c23468e9d509f5266b9c61aa8b549d0

SHA512
0537b43521249d4669f105964d3ec157dc16ba9abfdfc20dc5d82faa8cba1a320bfba7226e6d649b53f73d0f89165dbb0d80e3c942e06ec8621f16904cfbb438

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
93KB

MD5
fd3e41aa9a144f8a430a4e969552d8c5

SHA1
a234cbf13412d8965a615d86ffcda1e147c62474

SHA256
a28d74be41a57bb1c941fb37467e0c9d996d083051bde4f0b17a73414cd19c14

SHA512
8c46fe79f4fb99a85812827c1272f8fc1d972d0433c78e9ab3f375de788852ee0cc9eafb3823f1fb0a41201a66e50230a950dc29818754274ab369626b2e6799

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
93KB

MD5
ed51228e0a915453044d142e82518e95

SHA1
ddef6b8e3a6f4bacd4f579d43be8233ca81acbf6

SHA256
a35ea59b4e65682a2cd49b8e18e9daf53d8bd0c60bb68096df2be52ba95797e8

SHA512
b4ff0ae18cfe226bf7a57550eb85b50bd56146018d6a4c39eb9fc57a2e950c60106c0916f34433b1aa7e252b1026560d5b24a97d5528f0a00a9f75e4a6167bca

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
6de36c784841c7085a551e070ff5c5a1

SHA1
dba00f06193913ec3a13115abe4ace358f62824b

SHA256
02f3895b4cdc83a9e8db60a54b3093a27a0681156390f1bb3ba019f08ffd6c7d

SHA512
2931afbb5bf5a8ca0c6577e986c6344047d9c4ce0d1e0505eed1854777362e1498fc54300973fb49362f40b87734bac6234530fb0bc0552f5045455d3f9ffccb

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
93KB

MD5
489829d4dd14060c0926d1d08358e8d7

SHA1
e2e8f34a3d4b2ef641402d3ab0c9edf303d063bb

SHA256
a00df87ec79a4a629c8906e496025057f237d8142885f98c833166a3732ba7a1

SHA512
dd9eef3db7b04fb2253f4e8a7858f164bd7530d9087ac233f53e74f13cfed1c558600eb76e040cf700a46dece595fdfe3c26033f9711c0b7d6b352fdc05263ad

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
93KB

MD5
14a81642d153169da74b4a38ba308bec

SHA1
f8dee7b034bc82a13befdb9d6a22683fd4001ccf

SHA256
26757fea37847ae53a8d510bf367b76a96ceac190863b995a0607900e359f07e

SHA512
d91855e059be3a8fa3b0c3d75c7e056e3fff2619a0d0f2d423609a6dd64bbd2115eb276ab90bcce926ef50d7d74df7578ad49119a68929a6fcd5c9f11fc77239

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
93KB

MD5
cd3211e9b46c7232158fa83b83660797

SHA1
e7bf4ebbf925a81b3853eb1292d19f43d7c91574

SHA256
c263b2f9b163283f4c3236b306ed28b82463fa8b1bf8e838b5a7797c3442240a

SHA512
c57d6539406e9bc735a9e138bb2623ba8a61429a2f675c2192eced0fc9775d0c972b93e31cd8e59b5756330fc94e4cbdf474f951daacc6ecccaf3635d551a014

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
93KB

MD5
a7d9a0d6fa79c4c95e3849f147e02ce5

SHA1
5e26dea34d055731994b3cb758e75b8c07133c31

SHA256
47ab1b83586c581620cc15c52041bad559dbcbfa03bb33b46c166ffb5f83f780

SHA512
e56b6598a08284168ccb8135b6d83c4dce3735fdb61d0b480dfe61ad30cd04f0c751284d24604be7e78e85b95e4c2daa6828f1f3690cfccbcd7c4f6a255d45b3

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
93KB

MD5
9706fa8bcec6bbbd6d3292d4d7dbf7d4

SHA1
058169847c81ee89fc818b01b652d3b3a24c69db

SHA256
bf70e469548734568e61eaef60f99e5d307a0bd576be5274af6d511239ae7f7c

SHA512
5c87425fc24a7241f9618352438704b71bd5b84c67d44ac9cfe252ebcacb0c569ccbf46042bd64df5e0fa01c5c8174bbd18778ffe55c03de20cb20793fe1b889

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
93KB

MD5
d933be94426bc6924a812f38a1ac6f51

SHA1
aeb6999801810f25fdacc83d6ef0e1b44a188624

SHA256
5669e3e0dd94c8de4c812a0fbf1b32c5ac6e0f6630e8756cfa8c9254f9cefa3c

SHA512
4f9c28f0b4351492059996831e046f7a837eae91a8459d9470fe76cc0c01e0e2d66af2935681f2587107d56edaa12ca1d8629f9a446ca506ab38564cfd2e097e

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
93KB

MD5
d62306b2c4334becba56a1baaf65b060

SHA1
d3979faf07faf219d02a400217be7ca150de2386

SHA256
2bb13c659692ae649a7539766d93e74472b37ca1d68080548fa3d3366eb5708e

SHA512
702a62f15f91733bd279d85fedfaa20ad22fb862bd0266810eec4521dc9bf85052239eedacf5f0ba3894a3c636564b73f2cb9675b74beac3d470e2ae65ad3b64

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
93KB

MD5
65c7f6cff9f6230898ea32987fb0cc23

SHA1
777fd47531da18754158c2323010b21b392bea4d

SHA256
f65c2dcd1ae663012f67e30c5e468e55b4556fb45ab151efe96e1d13de0b10c6

SHA512
58e611d925d65e1dd07f8ac92a00155a738144bbbb4f86df813921e0b99d7b877f6c4f487bf725c8358a9cbf44c83a2508e0930a7142255315bb1c785c0a63e9

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
4f0ad4c8e8de8fd6ece001d25829fb83

SHA1
f084b5f89e1d79f05fc9a5692445000e6dad64d9

SHA256
6de6f7c498f42efa44e5f54a277a7f98e30a8b0ef6d89eca1f7d6ac12ae88a82

SHA512
63cf52c2b358f8491242df51f4f4e8cd26a72f62761f6200f5aaba95dd3d40cf49d8f59867026d3540d696e22e25c851eb498765a1cd660e05725a589551db27

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
93KB

MD5
9531bd87cefb4fea0cce8f4b9d4ca8ba

SHA1
90bc66ebd1c2404e4e7748b07e6377b9e8ca6796

SHA256
44d1a0274320b4475515a90163d021f7a5d5fafebe060678de97e390363a1d0f

SHA512
a4b18ed629222d56e7fdb063f82877d0ff6ca97aeb57d208495240b1353354cb5fdb459908103fdd07dee47c6977a8caa38202bec10b6853d5ef42d5d54acbb5

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
93KB

MD5
6038632613100e874d9070a0577e8dd7

SHA1
a952217901989e273d47daccdba6bf02f0072113

SHA256
b08f21c1add59c71ccbcb54f7a54024f5db4450aee0c0a986c9d20c1de32d1f7

SHA512
b14d1d05a0a76b3745435d1a4fadd96891dee454b6cdc110ecee2104633572c6b643db3ec76ab286cdc511c8225a9c850cd95f4cae9ab955f563324a3e3d8834

Download Submit
memory/216-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads