berbew | 404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f

Analysis

max time kernel
94s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
Size

69KB
MD5

83036043f41b05ec32a2ae9f898e54aa
SHA1

6a42c264e8e98ae625074b68a29584fad0c816a3
SHA256

404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f
SHA512

d6e5715ed122352306b87abe093ed18c1ead44a676c67f0f110df852cdf41ccffae52e8fb69912f62bfdb3436c5f714f443bf7293872c88ddb4f2972cb5ffe10
SSDEEP

1536:6N1cQ/40zsWmPTS/k5Atev22CuvqGoYXa7:6A+40zs1TS/k5AtuCuvloYXa

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 18 IoCs

pid	Process
3504	Ddmaok32.exe
1696	Dfknkg32.exe
4376	Djgjlelk.exe
2172	Dobfld32.exe
3476	Dmefhako.exe
2960	Ddonekbl.exe
3736	Dhkjej32.exe
796	Dkifae32.exe
4752	Dmgbnq32.exe
2908	Deokon32.exe
440	Ddakjkqi.exe
4656	Dfpgffpm.exe
880	Dkkcge32.exe
8	Daekdooc.exe
2780	Deagdn32.exe
4992	Dhocqigp.exe
1512	Dknpmdfc.exe
4404	Dmllipeg.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe

Program crash 1 IoCs

pid	pid_target	Process
4876	4404	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 3504	4268	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe	85
PID 4268 wrote to memory of 3504	4268	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe	85
PID 4268 wrote to memory of 3504	4268	404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe	85
PID 3504 wrote to memory of 1696	3504	Ddmaok32.exe	86
PID 3504 wrote to memory of 1696	3504	Ddmaok32.exe	86
PID 3504 wrote to memory of 1696	3504	Ddmaok32.exe	86
PID 1696 wrote to memory of 4376	1696	Dfknkg32.exe	87
PID 1696 wrote to memory of 4376	1696	Dfknkg32.exe	87
PID 1696 wrote to memory of 4376	1696	Dfknkg32.exe	87
PID 4376 wrote to memory of 2172	4376	Djgjlelk.exe	88
PID 4376 wrote to memory of 2172	4376	Djgjlelk.exe	88
PID 4376 wrote to memory of 2172	4376	Djgjlelk.exe	88
PID 2172 wrote to memory of 3476	2172	Dobfld32.exe	89
PID 2172 wrote to memory of 3476	2172	Dobfld32.exe	89
PID 2172 wrote to memory of 3476	2172	Dobfld32.exe	89
PID 3476 wrote to memory of 2960	3476	Dmefhako.exe	90
PID 3476 wrote to memory of 2960	3476	Dmefhako.exe	90
PID 3476 wrote to memory of 2960	3476	Dmefhako.exe	90
PID 2960 wrote to memory of 3736	2960	Ddonekbl.exe	91
PID 2960 wrote to memory of 3736	2960	Ddonekbl.exe	91
PID 2960 wrote to memory of 3736	2960	Ddonekbl.exe	91
PID 3736 wrote to memory of 796	3736	Dhkjej32.exe	92
PID 3736 wrote to memory of 796	3736	Dhkjej32.exe	92
PID 3736 wrote to memory of 796	3736	Dhkjej32.exe	92
PID 796 wrote to memory of 4752	796	Dkifae32.exe	94
PID 796 wrote to memory of 4752	796	Dkifae32.exe	94
PID 796 wrote to memory of 4752	796	Dkifae32.exe	94
PID 4752 wrote to memory of 2908	4752	Dmgbnq32.exe	95
PID 4752 wrote to memory of 2908	4752	Dmgbnq32.exe	95
PID 4752 wrote to memory of 2908	4752	Dmgbnq32.exe	95
PID 2908 wrote to memory of 440	2908	Deokon32.exe	96
PID 2908 wrote to memory of 440	2908	Deokon32.exe	96
PID 2908 wrote to memory of 440	2908	Deokon32.exe	96
PID 440 wrote to memory of 4656	440	Ddakjkqi.exe	97
PID 440 wrote to memory of 4656	440	Ddakjkqi.exe	97
PID 440 wrote to memory of 4656	440	Ddakjkqi.exe	97
PID 4656 wrote to memory of 880	4656	Dfpgffpm.exe	99
PID 4656 wrote to memory of 880	4656	Dfpgffpm.exe	99
PID 4656 wrote to memory of 880	4656	Dfpgffpm.exe	99
PID 880 wrote to memory of 8	880	Dkkcge32.exe	100
PID 880 wrote to memory of 8	880	Dkkcge32.exe	100
PID 880 wrote to memory of 8	880	Dkkcge32.exe	100
PID 8 wrote to memory of 2780	8	Daekdooc.exe	101
PID 8 wrote to memory of 2780	8	Daekdooc.exe	101
PID 8 wrote to memory of 2780	8	Daekdooc.exe	101
PID 2780 wrote to memory of 4992	2780	Deagdn32.exe	102
PID 2780 wrote to memory of 4992	2780	Deagdn32.exe	102
PID 2780 wrote to memory of 4992	2780	Deagdn32.exe	102
PID 4992 wrote to memory of 1512	4992	Dhocqigp.exe	103
PID 4992 wrote to memory of 1512	4992	Dhocqigp.exe	103
PID 4992 wrote to memory of 1512	4992	Dhocqigp.exe	103
PID 1512 wrote to memory of 4404	1512	Dknpmdfc.exe	105
PID 1512 wrote to memory of 4404	1512	Dknpmdfc.exe	105
PID 1512 wrote to memory of 4404	1512	Dknpmdfc.exe	105

C:\Users\Admin\AppData\Local\Temp\404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe
"C:\Users\Admin\AppData\Local\Temp\404378b706fdc3575a668c7333b1e7f987f299a64961f075172f6e27e6bb153f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\SysWOW64\Ddmaok32.exe
  C:\Windows\system32\Ddmaok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\Dfknkg32.exe
    C:\Windows\system32\Dfknkg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\Djgjlelk.exe
      C:\Windows\system32\Djgjlelk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 404
        20⤵
        Program crash
        
        PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4404 -ip 4404
1⤵
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
69KB

MD5
02c75f0f951432fdd6998d628923a8bd

SHA1
58e3be02e89be60efff167c8b6bad36774327529

SHA256
2205a7bcf647371ff90febb26bfcec08ae445c54a7be39843be316ee9566ce62

SHA512
9af89e58a5307110822cc594eb39419a9b0ee971432730448ce457ae86711432e63f4e5646f76b70c549ce25506057869997ad84c633dd1fc7b563ff3c18275c

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
69KB

MD5
172cef4a196c2af87e2a80e30ac560b5

SHA1
cfe286039942a42e4d7e559553bdae9e93aedc42

SHA256
fa16f3f33aee10e45f1ee5d8283e343f2586bf6985848dbe12d43ba1e6f11f85

SHA512
5c6b36d348c663646d9690ad5c2010917a4aad0378d777480b85491114008062756e8e31a9fd6d040d673a84589ca2ffbee8b027db6e53994cbbc148abf1f06b

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
69KB

MD5
8693508e3719972809572c6ec259befe

SHA1
58c0725c922883c0a5d0595794ed10b36e780693

SHA256
a61d60e01e8dda9168a9ad08f15ce0cd7e15781606ab2b0d11c74be3f45f1a47

SHA512
993b6dcb25a7be94630942aacac068e7083729113da0c615d60b80619e4b67e1352fad770b28bc3a5c8e795acf4eee58a65a714f0fa080d4e1db8157d7fbb4e2

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
69KB

MD5
f34cdc8f1129ceb2a19b4c8c3199d118

SHA1
e1d5201108f57983d4178be0e7db497f58449cad

SHA256
6e9d422822dd9d97482966e362757dff75d9e7ff35775eb5cdcd6fb6aaa0d78c

SHA512
5a15acbe9cd69377e5c7116c05e5e6b5f00b4255678afd2116760df8779ae219a7184201be893b6fb0a75d057def3b1f6421edd210989369c5670d19c21ab9d0

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
69KB

MD5
331442fc5a2c5fe5130df8c45699a2db

SHA1
d8b022e2d1a55d50b114bbf1ec6cdbd9f8f1a87e

SHA256
2cb55d62cf46e69a19aad87b5ff0fe3552071d92176a3ae2e730959bbe35ed2a

SHA512
18705852fdce1019f2de94d95c28eac3ae7ba3d6e751d6f342150ef82d22a14d61d1e7902d2656e60caa5a327934af38724db442c284a9050b029ef11a32a1a0

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
69KB

MD5
728433b5efe3073465d3b53139a76343

SHA1
825b375c6a19c42d3faf621108750cd3e15d1fc8

SHA256
0df7c66e9407f7d23cf458ee29e6cac0054c9ce96cbc0df6fcf5628d08bdee3f

SHA512
960392b0d6a187b0a8d694ab18edfb41166447e0ece4f3cfc87a6cf6b3fb735ae6ec27e1706944b7e4fa6a95d16c66b666fca54c34b17284572d80d9054af542

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
69KB

MD5
dcb5677ce14e2cf11423906b671db1e5

SHA1
64664e94950f72878759ca731bc271dfdc28843f

SHA256
ce7675f72ad4545c1bec59e8fd073efdfa2f426cb49a60cc3028b2854d0f4405

SHA512
5aa898deaf9df80e374f1f661d873a75eb3a1613d85cacf62299fa5dfd9a82681f316ccfd8f7d6bc7ae3e1f122dcc59bf0e25444a27416d7bf49ac448b6ce966

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
69KB

MD5
1a52ba704190465ba959f0cfc458f022

SHA1
6dfff2e3ad363fef747b0a704fc9d99bbc359631

SHA256
c8641a5d50a4cbf012dc2bebde7c3b74458111a7a818a9218aa014b0a8cd89f2

SHA512
a0cbd04b5270e91e37c5f1b2d33dae6862e9011afbf708dec8268a528f617ae55786cb617203bd851f487b9f9a65b6edd4f0783dac2a6ebe4cd2dbd24c0ac885

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
69KB

MD5
47c707b76403afee0d10c326bf266ccc

SHA1
6d3c9ec4fc03f3fb82c9ca1f75b4a613f34f5e80

SHA256
806884c8ad69ab63dbcfe7fb3bccd837b9de42ced4c56e2c409a6dbf6d2411b3

SHA512
15e9eddcb7980838fd4acdc5c46e426255b0103740034d0abcd5cb01ed0588308e87ba4c254ff319cac40aa32391654ef01e500db4f334d29504a873edbb57e0

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
69KB

MD5
21bbe5dbb4f72e4a04dc0390da54f88d

SHA1
37a1311bff0ebb84fafff1b46ef810c73e17fe46

SHA256
29c1470aa6061822eed804efdd89a62a733f56c7ca1e2ce0af9bbf46a28eb191

SHA512
68f495ea5d4906278464b7779bba90362a0dc7bca293ad2299f056db829d2cb2c7b7e6ad45167c6497b5c049f9023d6e38661e38f6358d8aac4c050952bfb1c0

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
69KB

MD5
dabbe938b36a6100ea250bbf6352e3bd

SHA1
32779c59188f7fb083418d5a64812093e684e796

SHA256
2d4452fda1d00d71159a019da0449778d87c7b1d377b483bb0d7af66daf0064e

SHA512
47f5e838cdbda3cd5a17c23a28a6d933839db1376bebca4e4e67b59265f7c05210bde4e883b8200bddb17575048ecd26168f864d26cdfdd1bc65ef9d7f9a7148

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
69KB

MD5
111a3fde662c485c7a03172ad29dfc71

SHA1
e5ee859ae798f51c0721a076554b933ac07071c3

SHA256
8f6982a0a6d0aa2d42406af15040fc0efbd6c21ae90040e0f5c13be7cc8c9a63

SHA512
734cc9a8b7de04604f5ced9cd97de2e8d365502f6b8d98cc03f7ae5c8a7fb71ee7dc224d58a637499d16eb397f622672d3b35dbed25bcfc21ed0e9a48534ab52

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
69KB

MD5
dcaf15076b79e1c800a622233edb3c76

SHA1
49ac49ca047f8fd377b5e19e7b1d4732a3eccb02

SHA256
eb40a3c9db7d1fde8f581f3197125272c302e1434ab4dbb583cf72346467f36f

SHA512
7c8118988e0064776e33c867565cd007ead96ba235f9b8e8568b34fba03ff1f245a66f0e02fad6e218ea093f4dfa683d4f435a3a7240d5222fc4b456f185d325

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
69KB

MD5
0b64fd93eea06c5987a590fac964ec89

SHA1
08acb4e505493be93717e2aeba99563fc705b350

SHA256
87b63d2c65440c203218735603635d6d3a2d4ac1e1d8ed747c57399b43df6f19

SHA512
a83540439ef761bd76fa6e563fed1c780a4aafe6cf17d0b21033537d870603d2ad335f6fdc66be9ac851bbd4092bac76f5d7ea05a3397f74eb3ce7ed7bad0d2f

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
69KB

MD5
37db78e40a2b324b7cb39811814be284

SHA1
f9483d4c651d30f2a67622fb27d742125c58ea2b

SHA256
c3f413a7e03091689e2129cdcbd8d620b18b7460cae48808e037ce46fd26670d

SHA512
872a92835a930778803008413749e5c02db63c9ed407501789b17a1e98352ed68b89da8076bdeb2d53487abf4ce194113e323170e6e7480ca74105af3d4dab87

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
69KB

MD5
746b21430bb7fec0af1ff47c3c67cc2b

SHA1
0584436024bc1079c43db7ba53cbc7865ac00a96

SHA256
2d414128ede16bc8f1be744d55accfc0e801c67f683d6374c63e0f962e3e0bc9

SHA512
a42d96e9b7fcc5244e26b59e7909c1a5b59010eaf546fc307cbfefac3e9546506084c39157d5604aede8d8596cd3afa8a9336301269e05196c19c3b46b585966

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
69KB

MD5
5fd0082dd5ad0e1da9278cbb02ebf965

SHA1
af240770fc845f1b31cc09c258c10492df60b469

SHA256
9af70e3effcb58d12b8aa8979fced3d37f9947a628a8e7c55e7e24da78994c39

SHA512
6416d69dc879e2f38fc382a844d1cfbef64da14c981b724a20c9403a5ee3385a66dab7d0a4e0a5ec578e1af7a3b29ed3f05726fd51a5b73516c62bbf623f0034

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
69KB

MD5
f851f4e52ed846bb6624c21d998c0820

SHA1
db7a85fbb0705606734c1795228cc35466e57b58

SHA256
cc349b45de835928c49d53c5b460ae31c8d52063776957b8a2023b4dc46cfdcf

SHA512
7a86904b12929a997abe2497b151de7cb2aea7345235bf13d776bc2c0fa941f1388b950ee11b72a35cee9824264f47d064165f23a26ea860ba9bd5c3c35a9d7f

Download Submit
memory/8-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/8-118-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/440-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/440-91-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/796-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/796-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/880-109-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/880-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1512-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1512-156-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2172-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2172-116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-126-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-158-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-90-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3736-142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3736-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4376-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-108-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4404-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4404-155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4656-163-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4656-99-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-74-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads