berbew | 18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f

Analysis

max time kernel
93s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Size

250KB
MD5

8b8c6309d211814c0ff603cc157dc798
SHA1

2b8e2442294cedbc583ea94525db40062028f3b1
SHA256

18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f
SHA512

679265d396fb3316f7fa4425fff0a739b1b556adc98798fd3bb1d9b166ecf4aede5ba757664ac2a7e06f360b2c750472d29539f1fd5f78f0ebb829304955deb5
SSDEEP

6144:/SvcyDvCvfmZ7KRRRGBCvfmZ7KFpNlJTBCvfmZ7d:/Iy

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkobkod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 17 IoCs

pid	Process
4728	Adkqoohc.exe
2312	Bdmmeo32.exe
1792	Bgkiaj32.exe
4252	Bobabg32.exe
3340	Bdagpnbk.exe
3100	Bklomh32.exe
4448	Baegibae.exe
5088	Bpkdjofm.exe
5048	Chiblk32.exe
2816	Ckgohf32.exe
1064	Chkobkod.exe
3068	Ckjknfnh.exe
4144	Cpfcfmlp.exe
1468	Dpiplm32.exe
2404	Dhphmj32.exe
4264	Dnmaea32.exe
1592	Dkqaoe32.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chkobkod.exe	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Ckjknfnh.exe	Chkobkod.exe
File created	C:\Windows\SysWOW64\Cpfcfmlp.exe	Ckjknfnh.exe
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Adkqoohc.exe	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
File created	C:\Windows\SysWOW64\Bobabg32.exe	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bdagpnbk.exe	Bobabg32.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Baegibae.exe	Bklomh32.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Bpkdjofm.exe
File opened for modification	C:\Windows\SysWOW64\Ckgohf32.exe	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjknfnh.exe	Chkobkod.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Adkqoohc.exe
File opened for modification	C:\Windows\SysWOW64\Bklomh32.exe	Bdagpnbk.exe
File opened for modification	C:\Windows\SysWOW64\Baegibae.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Pcmdgodo.dll	Chkobkod.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Bpkdjofm.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Jkmmde32.dll	Baegibae.exe
File opened for modification	C:\Windows\SysWOW64\Cpfcfmlp.exe	Ckjknfnh.exe
File opened for modification	C:\Windows\SysWOW64\Chkobkod.exe	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Bgkiaj32.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Mioaanec.dll	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Adnbpqkj.dll	Bobabg32.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Bklomh32.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Ckgohf32.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Mbkkam32.dll	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmmeo32.exe	Adkqoohc.exe
File opened for modification	C:\Windows\SysWOW64\Bpkdjofm.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Fomnhddq.dll	Ckjknfnh.exe
File created	C:\Windows\SysWOW64\Dpiplm32.exe	Cpfcfmlp.exe
File opened for modification	C:\Windows\SysWOW64\Dpiplm32.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Lielhgaa.dll	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
File created	C:\Windows\SysWOW64\Ifaohg32.dll	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Bdagpnbk.exe	Bobabg32.exe
File created	C:\Windows\SysWOW64\Aqjpajgi.dll	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Dhphmj32.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Adkqoohc.exe	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
File opened for modification	C:\Windows\SysWOW64\Bobabg32.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Bljlpjaf.dll	Bdagpnbk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4012	1592	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpkdjofm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bklomh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll"	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll"	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll"	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpiplm32.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4728	880	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe	84
PID 880 wrote to memory of 4728	880	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe	84
PID 880 wrote to memory of 4728	880	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe	84
PID 4728 wrote to memory of 2312	4728	Adkqoohc.exe	86
PID 4728 wrote to memory of 2312	4728	Adkqoohc.exe	86
PID 4728 wrote to memory of 2312	4728	Adkqoohc.exe	86
PID 2312 wrote to memory of 1792	2312	Bdmmeo32.exe	87
PID 2312 wrote to memory of 1792	2312	Bdmmeo32.exe	87
PID 2312 wrote to memory of 1792	2312	Bdmmeo32.exe	87
PID 1792 wrote to memory of 4252	1792	Bgkiaj32.exe	88
PID 1792 wrote to memory of 4252	1792	Bgkiaj32.exe	88
PID 1792 wrote to memory of 4252	1792	Bgkiaj32.exe	88
PID 4252 wrote to memory of 3340	4252	Bobabg32.exe	90
PID 4252 wrote to memory of 3340	4252	Bobabg32.exe	90
PID 4252 wrote to memory of 3340	4252	Bobabg32.exe	90
PID 3340 wrote to memory of 3100	3340	Bdagpnbk.exe	91
PID 3340 wrote to memory of 3100	3340	Bdagpnbk.exe	91
PID 3340 wrote to memory of 3100	3340	Bdagpnbk.exe	91
PID 3100 wrote to memory of 4448	3100	Bklomh32.exe	92
PID 3100 wrote to memory of 4448	3100	Bklomh32.exe	92
PID 3100 wrote to memory of 4448	3100	Bklomh32.exe	92
PID 4448 wrote to memory of 5088	4448	Baegibae.exe	95
PID 4448 wrote to memory of 5088	4448	Baegibae.exe	95
PID 4448 wrote to memory of 5088	4448	Baegibae.exe	95
PID 5088 wrote to memory of 5048	5088	Bpkdjofm.exe	96
PID 5088 wrote to memory of 5048	5088	Bpkdjofm.exe	96
PID 5088 wrote to memory of 5048	5088	Bpkdjofm.exe	96
PID 5048 wrote to memory of 2816	5048	Chiblk32.exe	98
PID 5048 wrote to memory of 2816	5048	Chiblk32.exe	98
PID 5048 wrote to memory of 2816	5048	Chiblk32.exe	98
PID 2816 wrote to memory of 1064	2816	Ckgohf32.exe	99
PID 2816 wrote to memory of 1064	2816	Ckgohf32.exe	99
PID 2816 wrote to memory of 1064	2816	Ckgohf32.exe	99
PID 1064 wrote to memory of 3068	1064	Chkobkod.exe	100
PID 1064 wrote to memory of 3068	1064	Chkobkod.exe	100
PID 1064 wrote to memory of 3068	1064	Chkobkod.exe	100
PID 3068 wrote to memory of 4144	3068	Ckjknfnh.exe	101
PID 3068 wrote to memory of 4144	3068	Ckjknfnh.exe	101
PID 3068 wrote to memory of 4144	3068	Ckjknfnh.exe	101
PID 4144 wrote to memory of 1468	4144	Cpfcfmlp.exe	102
PID 4144 wrote to memory of 1468	4144	Cpfcfmlp.exe	102
PID 4144 wrote to memory of 1468	4144	Cpfcfmlp.exe	102
PID 1468 wrote to memory of 2404	1468	Dpiplm32.exe	103
PID 1468 wrote to memory of 2404	1468	Dpiplm32.exe	103
PID 1468 wrote to memory of 2404	1468	Dpiplm32.exe	103
PID 2404 wrote to memory of 4264	2404	Dhphmj32.exe	104
PID 2404 wrote to memory of 4264	2404	Dhphmj32.exe	104
PID 2404 wrote to memory of 4264	2404	Dhphmj32.exe	104
PID 4264 wrote to memory of 1592	4264	Dnmaea32.exe	105
PID 4264 wrote to memory of 1592	4264	Dnmaea32.exe	105
PID 4264 wrote to memory of 1592	4264	Dnmaea32.exe	105

C:\Users\Admin\AppData\Local\Temp\18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
"C:\Users\Admin\AppData\Local\Temp\18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\Adkqoohc.exe
  C:\Windows\system32\Adkqoohc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\Bdmmeo32.exe
    C:\Windows\system32\Bdmmeo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\Bgkiaj32.exe
      C:\Windows\system32\Bgkiaj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 412
        19⤵
        Program crash
        
        PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1592 -ip 1592
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
250KB

MD5
0828dd5ffaa41d9ea0094951fa5609d4

SHA1
20e429c4f2190a2aebe71d082ddeef6fabc9f6f7

SHA256
1a8675f91b34ef4f7b24015906580a9bcb1d071b2c2a9c4beac210ce106d351e

SHA512
e7a16585477cef1f87cea16083b39ce85c026ebbce5a8280ba1b668b2f40ae1c0bd729c5491bd58c16fe11513ac4a0a0e8627ec680ec9542024f0fd10ed653b8

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
250KB

MD5
3fe10b1c193755e7c8e7e9814ad98dc9

SHA1
d305a9d8e8a3dc2ed6dccc7f8af388ca1acb2c65

SHA256
be2e48a423663e175f8dbffa3b86c85e991cbd562a230ed776dff9cae11183d9

SHA512
2eeffcab94f990d9b46e2ebd1bd7b6e708fcf0c684b3e0f9e89a5e6e643ff5b9ba78ea6952fbf58f0b98dcaeb12b04e3fb5326f22ad7ffa5b8d76952ae56fb94

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
250KB

MD5
e31c588db3501598345d2155b5962d70

SHA1
d3cd55c22a7a3000418deaea2f11586c54c39b38

SHA256
e7af6812a2a72781843a5e59ae0a98032555adb628c3cac951f83bf2cc78851d

SHA512
42394cbfc188f39f411cf1e60b9d4d30669f831f5b724525907aff18bfad729d3ea5dfb088cd2147c821deaad179207ee1a082992efe82491c3fb8b9466958f8

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe

Filesize
250KB

MD5
dd21b1ef805c39c0286e6ca2d2026a89

SHA1
a3aa20eae17b150efe7ae415a69658b88e9a0165

SHA256
f235602d447b8c13b75d7547705c70181f9a67c48acbe2156cdd2e74bb39af89

SHA512
c0abe87f9f54dbb092fc33e6ee3ca7749ae82fa1bf47be612363e4d94ab694dbec4d92ff9ed4de232b608e053f37c10703a2cbf839f1626abd8f9f5b62213d54

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
250KB

MD5
b3205be188defe83190ed6b19e78cd4a

SHA1
1f7082dc077e16980e58c1aba0939c7cf54db27e

SHA256
a040044948e9986e29058ff7536810d0d9ea665dcbbd81befe0df1f5b71152d2

SHA512
5307b9150931c49fc5c28fb87519737f02a1bdd1428fb60712c712d47554e83cbae7a9a292808f4a197601eb85d3ce59982f8fce7a16ac31ac069840fb6b860e

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
250KB

MD5
835dd1bcaeb87ee794c8c5afb6ab9e51

SHA1
2443f76cbe9bf66f3424baa8e4bb907ae838e090

SHA256
d8e785261a83a309a2bfed4b20ac60f1388a82ba6bc81509b977e04dfbfb1021

SHA512
c543a01059586b4200ba2a802f18d6f39c1c952966224faf084f9390847038ac6691aec46deaed57ef1427d5545b63dfe57413beec75ba7f4fa19ef048242336

Download Submit
C:\Windows\SysWOW64\Bobabg32.exe

Filesize
250KB

MD5
def7cce6610f9bebea5cd0d77da6bc77

SHA1
f8244c9df2d275dfc46eee3bb8cd4959aab5d418

SHA256
3b5956a4abc80110a0f76266fba95aa1c6b9b8fc104234cdebe9e9dc3b7aef51

SHA512
db2cc6510dbd9c9df7a61c339a29ad31bb845a330b98081e11f5f38410eb96758c7f93d9237f17bbb5a6ac62171ce31fcaa755e3e84ecf8091539c9cbf121953

Download Submit
C:\Windows\SysWOW64\Bpkdjofm.exe

Filesize
250KB

MD5
edd84b31d113acb576646da8ec3c3e82

SHA1
1a2c2313a9d2b49cdebfe143381db5a759b53c34

SHA256
0443dc7dedb2a07bdc7c645b84e33c71466419e41fbe2780dea9ae243c42aed7

SHA512
70640b79257e782f4330374481374b5a47cb530ed4b1058ea205635239927009720eb58f5102b139c27f72af012e6a29e90c83ccf3c6c900a547e9639f7aa21b

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
250KB

MD5
7a29ac54f1e810d1d9a59adffaf0f110

SHA1
eb9c47030e5c3cf85919a887393a1ae3c067b11f

SHA256
126c952e84921da7f6936a7477551a9b62f593005de7cae8ed8e094189954271

SHA512
678bcb84ecc3e75e46b88157d58ec6b5b8b7e334537f863be6c4b8f3d06e23988ca7bcbcdd32e2d0d819c2e17495c652355e2b280618fd8c39f69af4d25d1c08

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
250KB

MD5
8e62c7984b35f1eb983aeedda4b50573

SHA1
f0be4713f180b0b4751b5376bffed117a37fb3fb

SHA256
815e29c008bdfd5846b6396fd150b9301dccfc81eb4f5da388abea7f98fd61e7

SHA512
390f441b03d03685da45f91d1435a18b18d6905abd86ae583a56f44d35255f23d4c187148da9840eb8f735c2cba65e6ec0c33e276daf9cff2fba1c6608d308ca

Download Submit
C:\Windows\SysWOW64\Ckgohf32.exe

Filesize
250KB

MD5
2869b3b8604029231aad4616210c0ffc

SHA1
df2fc9416a8561a8c2fb782a776e6d3cf82d85c7

SHA256
fb59779650731648848898980d6eb0646bf8d32a67fcd763cf81781e370d0043

SHA512
625fa328de8e7c435fd26578503db15b8e073f5dd4fe37be576645a87ee2e9f4d3adfcd6056d8ac3a3fcce016eca66ace57085b25e689f0029a5b2a83b09afe3

Download Submit
C:\Windows\SysWOW64\Ckjknfnh.exe

Filesize
250KB

MD5
c2476b343698c175a59d6c63b1e9677b

SHA1
35e1fc377d15ffdf0322e2e207e85de992e1ce5d

SHA256
41929d4656708bbcdf2e73faabde01c23ac4e89d167a2a9d8fb6de75029bde79

SHA512
38034fb179dfb0b2eadd2a1d2e81c4a84bf3e0eb6f35ae5dc3e0d41d693a4805016b228ba6a62cf5917539f0ec755b304a4a8ffff29cab43049b4d43b6c9e106

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
250KB

MD5
20ce164d678d9af6887f9c996e0a326b

SHA1
b906687f75db9027aa315d751a65221e0ea6d05b

SHA256
caea68234b30091328e22f76938c2045e39931aad1bd9be869fd49e0dc1721f1

SHA512
96005a890a2fc28d117988ff67ef8a115f0cde6019a9deee5ad3c894b44e7aff46e05a23257f553b512edcefc870a5f6e5c19efb48b7eb3a5ac0fb3feb705cc7

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
250KB

MD5
76cce4486124880b588ccf7bdda2c1e7

SHA1
b768230b538a48951a3c379543eee516155151f6

SHA256
02bd23908e630930690e318525bb5de15f51fdd965102c23fb542a9dfeef7292

SHA512
79159ea54ae40f150af2bf855012947b035beb83d62c8dc131733e26f83bb3f195548fd75a2b819f5cab905f22d3645eca18a4210252b9e698a6116ffd068ff4

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
250KB

MD5
5030e4a0d9749a1bdac272a62170574f

SHA1
ee0a03af00903e9e4021496609edf97ea2dba863

SHA256
1ac4a2322e66933851abb6a59655a47c88717cbf79cc147f9a2e863f04fead0b

SHA512
fb6458e21a40aca7dc2f67b3c49211553c3f08c1e9a932ccd56dbf849810fcf6f3f02877479137270bf9d511ed51969b4f922cb6261498f74a2775f80de5628b

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
250KB

MD5
650803d1bcc6d08aad96f45f25983392

SHA1
5fc0ebb1024a8d451831cb95dbc6621d84bbc0e0

SHA256
c9e267fa39536363a034b5c5ab27074df28e60b9c965fac841cf4744296bf4cf

SHA512
a61e975cf48ca2a4500b543495488dcc933fd0b2fec27bd279a6af8ef5ad74b0d7770c317081867d7069f62b20cd606400c0aae79ed59b66597f07df249074b2

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
250KB

MD5
0180b1d76587072e3d42187c7cc036f5

SHA1
c5143137f5329707db90fea01dc10859d34be563

SHA256
89a66f32f85363d081abaea932bed913dedc2e9347c6841af45d44f4bd933607

SHA512
c6f14066551bff14d01843e4416c79b386af38f3786a29314177d558fc4912be35ef65166af592b86703b7821f8cc0fefacf07ba687021891c34f8ea6ec63119

Download Submit
memory/880-172-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/880-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1064-150-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1064-87-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1468-145-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1468-111-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1592-135-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1592-141-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1792-166-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1792-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2312-168-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2312-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2404-143-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2404-119-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2816-80-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2816-152-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3068-96-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3068-147-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3100-48-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3100-160-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3340-39-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3340-162-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4144-103-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4144-148-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4252-32-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4252-164-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4264-139-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4264-128-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4448-158-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4448-55-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4728-170-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4728-8-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5048-154-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5048-71-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5088-156-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5088-64-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads