berbew | 3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681

Analysis

max time kernel
92s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
Size

64KB
MD5

0e2b2fe6301e23e9ad86abbfa9798963
SHA1

eca8f2e4ec5f069d7aa48460e4ef0fcf45ea1f7f
SHA256

3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681
SHA512

932c92c6179904a25433aff3d2d4f12e7af93fc21d0edde4212625966d5ba15266e15dd183933beb5059ced32c988c8381a7cedf1cf53a378e3a073f62e76cc0
SSDEEP

768:ik0vHO3UNkivqXjVw0BsBXwr+QpIzsMigg7k2p/1H5iXdnh0Usb0DWBi:B0fAUWzzC0BHr+QezsMZT2LOrDWBi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 16 IoCs

pid	Process
4880	Chjaol32.exe
1568	Cndikf32.exe
1188	Cdabcm32.exe
3288	Cfpnph32.exe
4508	Caebma32.exe
2820	Cdcoim32.exe
3564	Cfbkeh32.exe
2016	Cmlcbbcj.exe
1948	Cdfkolkf.exe
228	Cmnpgb32.exe
4916	Chcddk32.exe
3492	Dhmgki32.exe
5016	Dkkcge32.exe
2256	Dmjocp32.exe
2328	Dgbdlf32.exe
904	Dmllipeg.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Chcddk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4832	904	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 4880	2668	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe	85
PID 2668 wrote to memory of 4880	2668	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe	85
PID 2668 wrote to memory of 4880	2668	3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe	85
PID 4880 wrote to memory of 1568	4880	Chjaol32.exe	86
PID 4880 wrote to memory of 1568	4880	Chjaol32.exe	86
PID 4880 wrote to memory of 1568	4880	Chjaol32.exe	86
PID 1568 wrote to memory of 1188	1568	Cndikf32.exe	87
PID 1568 wrote to memory of 1188	1568	Cndikf32.exe	87
PID 1568 wrote to memory of 1188	1568	Cndikf32.exe	87
PID 1188 wrote to memory of 3288	1188	Cdabcm32.exe	88
PID 1188 wrote to memory of 3288	1188	Cdabcm32.exe	88
PID 1188 wrote to memory of 3288	1188	Cdabcm32.exe	88
PID 3288 wrote to memory of 4508	3288	Cfpnph32.exe	89
PID 3288 wrote to memory of 4508	3288	Cfpnph32.exe	89
PID 3288 wrote to memory of 4508	3288	Cfpnph32.exe	89
PID 4508 wrote to memory of 2820	4508	Caebma32.exe	90
PID 4508 wrote to memory of 2820	4508	Caebma32.exe	90
PID 4508 wrote to memory of 2820	4508	Caebma32.exe	90
PID 2820 wrote to memory of 3564	2820	Cdcoim32.exe	91
PID 2820 wrote to memory of 3564	2820	Cdcoim32.exe	91
PID 2820 wrote to memory of 3564	2820	Cdcoim32.exe	91
PID 3564 wrote to memory of 2016	3564	Cfbkeh32.exe	92
PID 3564 wrote to memory of 2016	3564	Cfbkeh32.exe	92
PID 3564 wrote to memory of 2016	3564	Cfbkeh32.exe	92
PID 2016 wrote to memory of 1948	2016	Cmlcbbcj.exe	93
PID 2016 wrote to memory of 1948	2016	Cmlcbbcj.exe	93
PID 2016 wrote to memory of 1948	2016	Cmlcbbcj.exe	93
PID 1948 wrote to memory of 228	1948	Cdfkolkf.exe	94
PID 1948 wrote to memory of 228	1948	Cdfkolkf.exe	94
PID 1948 wrote to memory of 228	1948	Cdfkolkf.exe	94
PID 228 wrote to memory of 4916	228	Cmnpgb32.exe	95
PID 228 wrote to memory of 4916	228	Cmnpgb32.exe	95
PID 228 wrote to memory of 4916	228	Cmnpgb32.exe	95
PID 4916 wrote to memory of 3492	4916	Chcddk32.exe	97
PID 4916 wrote to memory of 3492	4916	Chcddk32.exe	97
PID 4916 wrote to memory of 3492	4916	Chcddk32.exe	97
PID 3492 wrote to memory of 5016	3492	Dhmgki32.exe	98
PID 3492 wrote to memory of 5016	3492	Dhmgki32.exe	98
PID 3492 wrote to memory of 5016	3492	Dhmgki32.exe	98
PID 5016 wrote to memory of 2256	5016	Dkkcge32.exe	99
PID 5016 wrote to memory of 2256	5016	Dkkcge32.exe	99
PID 5016 wrote to memory of 2256	5016	Dkkcge32.exe	99
PID 2256 wrote to memory of 2328	2256	Dmjocp32.exe	100
PID 2256 wrote to memory of 2328	2256	Dmjocp32.exe	100
PID 2256 wrote to memory of 2328	2256	Dmjocp32.exe	100
PID 2328 wrote to memory of 904	2328	Dgbdlf32.exe	101
PID 2328 wrote to memory of 904	2328	Dgbdlf32.exe	101
PID 2328 wrote to memory of 904	2328	Dgbdlf32.exe	101

C:\Users\Admin\AppData\Local\Temp\3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe
"C:\Users\Admin\AppData\Local\Temp\3c04ea102dae11aaa046fa86b27d6f25f8fbbd26d4a6df08877962770b24f681.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\Chjaol32.exe
  C:\Windows\system32\Chjaol32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SysWOW64\Cndikf32.exe
    C:\Windows\system32\Cndikf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\SysWOW64\Cdabcm32.exe
      C:\Windows\system32\Cdabcm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
      - C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 400
        18⤵
        Program crash
        
        PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 904 -ip 904
1⤵
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caebma32.exe

Filesize
64KB

MD5
f3a7996112252d46ae7666c051157938

SHA1
0a1864cc7ed164812a3f64242b5b211871cd5b3f

SHA256
db07e75c25f631ddb867106a14a5768f5537c1f429a01461375e44b4d7cdde45

SHA512
9a457a72c6de659ed172b2e63e6ff7fda30be419fa7dca67934b52c7dd939df336d6e3aec8250639e2a930eaa29796a189941560be97cdb84d79a3361fe3cacc

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
64KB

MD5
927fbc40ee11e3974c27b88e5f6c0392

SHA1
6c8ce70be9ffeb3482b6ce96111124ce4a679e18

SHA256
4c3e2d916492cb92f0ec370b90c70773647a0a23c46d190e589aa7fb75da6f4d

SHA512
55bf2b5264ffb26daf5e4e6e3fff5f591be2a3ae29926cd6af9d5b7eb2462d3818d1f76edc56be182aeb95de6a5e1cfc5a2661ce6893a2ad9aaf4fef7fad1852

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
64KB

MD5
28b19f70c060ae8191fb8c207c253a5e

SHA1
8b16de03fe82612a8b2e374d25cb549110db37bb

SHA256
1c37d519fe23f59207a5df9e4bf9faefc8dcb3b2e00836fbdaccc581e755760d

SHA512
0149b15103fe85f2dfdb1b2a0669770c678bdb16c342d3a67adeee22ccf50c0d8409efc95ff41a6b6958e72669ac4cdf7af87f470344c32e5068530bcfac3530

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
64KB

MD5
8e089100cc13170b2579f8e2718a62c9

SHA1
2aa7412fb662e2566b5e343fc1eb27e1a2e4e087

SHA256
c48465e5bd7c1df9e44ca46371ff4e2f719a3ec82e8811ba3bcaaf60fb577a8d

SHA512
ebaeac1ce02223e189afe2ff3e405a1b7a8d5a6b4ea1f774012e472fb04393ef8fc1cb2266dc804a461a17fa949d20aea9e5db5caeff4b0ae6eb3645271dfdad

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
64KB

MD5
5a7f4f2cf3996b8c81816933fc1fc7e5

SHA1
2cebb2e5784be16b54747ef4b22f586fd6d21509

SHA256
95b69d2d11375873a935d8127b3fdc6ea7114948030961a86d5f2effd6387795

SHA512
cb36f5f1dd546cf7d29514d73bb0849c05cb9da276804f16de837eab0031708f41b3f3570dadb1d39153c071b4912729b046fd3b879c53220e897f7224900739

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
64KB

MD5
6a7de9f26045b6fcd7f5549dfd5a3212

SHA1
d3af2bbeb5e7901d594748ce3af5b553a071424d

SHA256
296ca1d97928f9b941f6ae68a6fab70f1b4fffeb919e0dc69e8ba17b2eda6cc4

SHA512
79f982a52a27ed3310cb16c824bf8d15d4f20b805554ff8f76aa3e33d5018975e2c50ac22ad77c74f46e30366173a3ffab877c4050918a9f7f888092885def62

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
64KB

MD5
4c8f3265eac0af3ff6f90320037144a2

SHA1
9de54ec9a13c44852a5b3d4ac20b5c7a8f07eac0

SHA256
7b01e370c204f4180665aa7176d62134eca7e30fe7c97d88aed4ad43a956546c

SHA512
c1a3a892a96f9fee89aaa82b0626e0e836766970563e9757ab651baf0af020bdcc76b167068da40d52b37fbfd39c6380562b97c74da8826da1bc103ddab63294

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
64KB

MD5
20fede6381e6fd05ba258e76f4c45652

SHA1
1c72c7640d5d2c39ff06d13134ff819df162f40d

SHA256
e8b093db7ce1fd99f9fd8ffe1866359285a28af04f928c122039796b9cc29458

SHA512
ec9030d8997cc33f36e817c852594ac30376619c4abd19f0a69d13cc0e7f74852d62a4174b0f963b0c78b72b0377ac0dfd960c82abdda1b2a5b067dcd8fac7a4

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
64KB

MD5
ad3a8595c2d8546ae39f22c4b2b997a1

SHA1
ffa91fd0c92461e4ba43f85cdb634fd5440c4e38

SHA256
c238ce94c2ec8afcf7e74b6422a986c0216d27035df6430ec66e9c90243f8524

SHA512
aaa6493b4639473607209c9ba95c64e6580eaf54a9c27aa669f51f35693dbaa6ff5b2ac5a0baac8af7fe8877077e35661a24571e6c13977a2e884541b655c724

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
a5615808448f7278df08868ce46ce6ab

SHA1
7b1b461fe7020acd0ea4a23f7f84fbe29017e896

SHA256
ffedfdd75a42ad539eaaf6f5c5626d60c3a1bd6053591163dc03fbfcea70327e

SHA512
fd1b256347e726f3c804537320354dba072e1614ed0f94c84a7ad49bd587321e6f08cb99c7e98221c919d69aa66fa8da61f12e3926a7ee6de325b8568a71527d

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
64KB

MD5
337e7fb03d8b205c9ecb9d39a20a4e83

SHA1
e3fd0647bdd3ee565455926c15763be94002445f

SHA256
a24130cbecc5fc95efa4aca25966f0112ed24492af18a3a9daedd79cbc4e9122

SHA512
51d83c07d8c7a69aaaaacf1e74a76aac2dd25e6540a999d7917cdb557fde860135a562d305e80534396c221980be16e249d254298694ebe8ea7b6a138c47ed6d

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
64KB

MD5
e47f4d7afdf9ed6525404372e8215683

SHA1
46ab5f3af75c01daccca67e27fed411560b4530b

SHA256
f7bc1d18b1a4c6a87f7afe2246c054f285187f7c4311f7ed0409c41ed50552fc

SHA512
4a920387e6b1b32a8e10c24c00426cabb59f91a53f7a85832c599b4506a0b91d8af62d07495837bdd15d373f5d308e651d1cfcc233c98eba206c10813af09d8c

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
64KB

MD5
ae0457fe55020e48bee1d1b8bbb4f81b

SHA1
72e0e66c0e9154a68f8092289a663fa998d7752d

SHA256
6e6003b6e3cab9d180478fbf02e764b99ef8bf12d710314f04b71da9859bbcd1

SHA512
9a7c02fcdd4e6dc9d947b523a625e6028576ebff4d66afff1141baf41ea38f08c6a8d4f316ea93722b4a575642b3a9dc3a7cb1724e9530597ef1d86ae1000e67

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
4537295d85ab4d14759fa76d86aaeecc

SHA1
96c6ce0f0b21723b6eac375f5163d4ebc5a07fff

SHA256
e4e4b6669780139ada0ee5e254458b59c893039f4b0faf44fb3f0fe4df247564

SHA512
b3b7deaa0844064d0e4decdd791c8baf1cc0806387a0a842952fbd6e163734eead7548fd7ef7205cd75f158b27612fa5c2b61910bb12b2c1f59f69d0c8fa3610

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
64KB

MD5
3abc844168d74e5e41819cb3776cb3f5

SHA1
1665b3a7a3e8d6722d2d38be2de763c4f7c91a04

SHA256
7e151e00aa8547b096136aaeed3a098d59719080757e25369ef587a77b1db9db

SHA512
cd0df48600758c8b073e26068f9306cf9c2945b2b1e14303be1dc1580f55d721319ca949dc935431e880e4eded8abc19e6e1010906409ef5325a6ba0694599f0

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
2ce6fc4e6e2f818e4b25a7eeeffa4250

SHA1
830cae06008f27990717013bc3b549680b41c4a4

SHA256
de2688226e5ddfb6f093a32b3234b793fce278e50d085ae61c0ed7f971badf48

SHA512
8c7215db8b216b188d0f1a19645a5fa81cc8bb8f0c3ebefd92e41c7ff23bef276460f8930962bd31442b778c4880fe1e5e95aa0853c0eb6c329ca8fde8c8d9d7

Download Submit
memory/228-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2668-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads