berbew | 057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65

Analysis

max time kernel
113s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
Size

55KB
MD5

4a532df7fd6e2444635f641f0282d9c0
SHA1

e9217976161705e12cae5b94ef2c21ce031ff151
SHA256

057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65
SHA512

f7f1f23fc5e62b8c89624c9ac756d7c30a356f6348b8be21fec93d11fa64fb3e40fd6fe9524bd14c8e8dc939ae2fbe7b97e01ea1cb7c9453d22f6caedc38af70
SSDEEP

1536:+lNNOtU/mCNSI0gzDn84brtJdQ0eyWnat5:+3NmU/Hi4vtJdQ0eyWnat5

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcdpacgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogpfc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcdpacgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciebdj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cobjmq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caepdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpkmehol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjnhnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjnhnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caepdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajiok32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacgohjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bacgohjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjikaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbnhq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciebdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cobjmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpaceg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coiqmp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkbnhq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coiqmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpkmehol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dajiok32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpaceg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 15 IoCs

pid	Process
2868	Bcoffd32.exe
2908	Bacgohjk.exe
2956	Bcdpacgl.exe
2696	Bjnhnn32.exe
2716	Ciebdj32.exe
2588	Cobjmq32.exe
1892	Cjikaa32.exe
2768	Caepdk32.exe
3068	Coiqmp32.exe
1480	Cpkmehol.exe
3064	Dajiok32.exe
2656	Dkbnhq32.exe
1060	Dpaceg32.exe
2052	Dogpfc32.exe
2076	Eceimadb.exe

Loads dropped DLL 34 IoCs

pid	Process
2752	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
2752	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
2868	Bcoffd32.exe
2868	Bcoffd32.exe
2908	Bacgohjk.exe
2908	Bacgohjk.exe
2956	Bcdpacgl.exe
2956	Bcdpacgl.exe
2696	Bjnhnn32.exe
2696	Bjnhnn32.exe
2716	Ciebdj32.exe
2716	Ciebdj32.exe
2588	Cobjmq32.exe
2588	Cobjmq32.exe
1892	Cjikaa32.exe
1892	Cjikaa32.exe
2768	Caepdk32.exe
2768	Caepdk32.exe
3068	Coiqmp32.exe
3068	Coiqmp32.exe
1480	Cpkmehol.exe
1480	Cpkmehol.exe
3064	Dajiok32.exe
3064	Dajiok32.exe
2656	Dkbnhq32.exe
2656	Dkbnhq32.exe
1060	Dpaceg32.exe
1060	Dpaceg32.exe
2052	Dogpfc32.exe
2052	Dogpfc32.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bacgohjk.exe	Bcoffd32.exe
File created	C:\Windows\SysWOW64\Bcdpacgl.exe	Bacgohjk.exe
File created	C:\Windows\SysWOW64\Coiqmp32.exe	Caepdk32.exe
File opened for modification	C:\Windows\SysWOW64\Coiqmp32.exe	Caepdk32.exe
File created	C:\Windows\SysWOW64\Dajiok32.exe	Cpkmehol.exe
File opened for modification	C:\Windows\SysWOW64\Dpaceg32.exe	Dkbnhq32.exe
File created	C:\Windows\SysWOW64\Nkpbdj32.dll	Dpaceg32.exe
File created	C:\Windows\SysWOW64\Hbbhogeg.dll	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
File created	C:\Windows\SysWOW64\Ciebdj32.exe	Bjnhnn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjikaa32.exe	Cobjmq32.exe
File created	C:\Windows\SysWOW64\Nadann32.dll	Cobjmq32.exe
File created	C:\Windows\SysWOW64\Paebkkhn.dll	Cjikaa32.exe
File created	C:\Windows\SysWOW64\Lhgmgc32.dll	Dkbnhq32.exe
File created	C:\Windows\SysWOW64\Eceimadb.exe	Dogpfc32.exe
File opened for modification	C:\Windows\SysWOW64\Eceimadb.exe	Dogpfc32.exe
File created	C:\Windows\SysWOW64\Ipojic32.dll	Bacgohjk.exe
File created	C:\Windows\SysWOW64\Bfkfbm32.dll	Dogpfc32.exe
File created	C:\Windows\SysWOW64\Lcophb32.dll	Caepdk32.exe
File created	C:\Windows\SysWOW64\Caepdk32.exe	Cjikaa32.exe
File opened for modification	C:\Windows\SysWOW64\Cobjmq32.exe	Ciebdj32.exe
File opened for modification	C:\Windows\SysWOW64\Caepdk32.exe	Cjikaa32.exe
File opened for modification	C:\Windows\SysWOW64\Cpkmehol.exe	Coiqmp32.exe
File created	C:\Windows\SysWOW64\Dpaceg32.exe	Dkbnhq32.exe
File created	C:\Windows\SysWOW64\Bcoffd32.exe	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
File created	C:\Windows\SysWOW64\Bjnhnn32.exe	Bcdpacgl.exe
File opened for modification	C:\Windows\SysWOW64\Bjnhnn32.exe	Bcdpacgl.exe
File created	C:\Windows\SysWOW64\Hnfkhnhf.dll	Bcdpacgl.exe
File created	C:\Windows\SysWOW64\Jleide32.dll	Ciebdj32.exe
File created	C:\Windows\SysWOW64\Cjikaa32.exe	Cobjmq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkbnhq32.exe	Dajiok32.exe
File created	C:\Windows\SysWOW64\Dogpfc32.exe	Dpaceg32.exe
File opened for modification	C:\Windows\SysWOW64\Bacgohjk.exe	Bcoffd32.exe
File opened for modification	C:\Windows\SysWOW64\Ciebdj32.exe	Bjnhnn32.exe
File created	C:\Windows\SysWOW64\Cpkmehol.exe	Coiqmp32.exe
File created	C:\Windows\SysWOW64\Eejqea32.dll	Cpkmehol.exe
File created	C:\Windows\SysWOW64\Cdmbfk32.dll	Dajiok32.exe
File opened for modification	C:\Windows\SysWOW64\Dogpfc32.exe	Dpaceg32.exe
File created	C:\Windows\SysWOW64\Gadflkok.dll	Bcoffd32.exe
File created	C:\Windows\SysWOW64\Hbfaod32.dll	Coiqmp32.exe
File opened for modification	C:\Windows\SysWOW64\Dajiok32.exe	Cpkmehol.exe
File created	C:\Windows\SysWOW64\Dkbnhq32.exe	Dajiok32.exe
File created	C:\Windows\SysWOW64\Cobjmq32.exe	Ciebdj32.exe
File opened for modification	C:\Windows\SysWOW64\Bcdpacgl.exe	Bacgohjk.exe
File created	C:\Windows\SysWOW64\Fdakhmhh.dll	Bjnhnn32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoffd32.exe	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2368	2076	WerFault.exe	44

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpkmehol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpaceg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogpfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacgohjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciebdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cobjmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjikaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caepdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoffd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjnhnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajiok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbnhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcdpacgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coiqmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eceimadb.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfkhnhf.dll"	Bcdpacgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleide32.dll"	Ciebdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciebdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coiqmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmbfk32.dll"	Dajiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoffd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bacgohjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipojic32.dll"	Bacgohjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caepdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcophb32.dll"	Caepdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpaceg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjnhnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadann32.dll"	Cobjmq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paebkkhn.dll"	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcdpacgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejqea32.dll"	Cpkmehol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dajiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll"	Dogpfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadflkok.dll"	Bcoffd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcdpacgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkpbdj32.dll"	Dpaceg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhgmgc32.dll"	Dkbnhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhogeg.dll"	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjnhnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dajiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjikaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caepdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpkmehol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakhmhh.dll"	Bjnhnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cobjmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cobjmq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpaceg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bacgohjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciebdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coiqmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfaod32.dll"	Coiqmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpkmehol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2868	2752	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe	30
PID 2752 wrote to memory of 2868	2752	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe	30
PID 2752 wrote to memory of 2868	2752	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe	30
PID 2752 wrote to memory of 2868	2752	057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe	30
PID 2868 wrote to memory of 2908	2868	Bcoffd32.exe	31
PID 2868 wrote to memory of 2908	2868	Bcoffd32.exe	31
PID 2868 wrote to memory of 2908	2868	Bcoffd32.exe	31
PID 2868 wrote to memory of 2908	2868	Bcoffd32.exe	31
PID 2908 wrote to memory of 2956	2908	Bacgohjk.exe	32
PID 2908 wrote to memory of 2956	2908	Bacgohjk.exe	32
PID 2908 wrote to memory of 2956	2908	Bacgohjk.exe	32
PID 2908 wrote to memory of 2956	2908	Bacgohjk.exe	32
PID 2956 wrote to memory of 2696	2956	Bcdpacgl.exe	33
PID 2956 wrote to memory of 2696	2956	Bcdpacgl.exe	33
PID 2956 wrote to memory of 2696	2956	Bcdpacgl.exe	33
PID 2956 wrote to memory of 2696	2956	Bcdpacgl.exe	33
PID 2696 wrote to memory of 2716	2696	Bjnhnn32.exe	34
PID 2696 wrote to memory of 2716	2696	Bjnhnn32.exe	34
PID 2696 wrote to memory of 2716	2696	Bjnhnn32.exe	34
PID 2696 wrote to memory of 2716	2696	Bjnhnn32.exe	34
PID 2716 wrote to memory of 2588	2716	Ciebdj32.exe	35
PID 2716 wrote to memory of 2588	2716	Ciebdj32.exe	35
PID 2716 wrote to memory of 2588	2716	Ciebdj32.exe	35
PID 2716 wrote to memory of 2588	2716	Ciebdj32.exe	35
PID 2588 wrote to memory of 1892	2588	Cobjmq32.exe	36
PID 2588 wrote to memory of 1892	2588	Cobjmq32.exe	36
PID 2588 wrote to memory of 1892	2588	Cobjmq32.exe	36
PID 2588 wrote to memory of 1892	2588	Cobjmq32.exe	36
PID 1892 wrote to memory of 2768	1892	Cjikaa32.exe	37
PID 1892 wrote to memory of 2768	1892	Cjikaa32.exe	37
PID 1892 wrote to memory of 2768	1892	Cjikaa32.exe	37
PID 1892 wrote to memory of 2768	1892	Cjikaa32.exe	37
PID 2768 wrote to memory of 3068	2768	Caepdk32.exe	38
PID 2768 wrote to memory of 3068	2768	Caepdk32.exe	38
PID 2768 wrote to memory of 3068	2768	Caepdk32.exe	38
PID 2768 wrote to memory of 3068	2768	Caepdk32.exe	38
PID 3068 wrote to memory of 1480	3068	Coiqmp32.exe	39
PID 3068 wrote to memory of 1480	3068	Coiqmp32.exe	39
PID 3068 wrote to memory of 1480	3068	Coiqmp32.exe	39
PID 3068 wrote to memory of 1480	3068	Coiqmp32.exe	39
PID 1480 wrote to memory of 3064	1480	Cpkmehol.exe	40
PID 1480 wrote to memory of 3064	1480	Cpkmehol.exe	40
PID 1480 wrote to memory of 3064	1480	Cpkmehol.exe	40
PID 1480 wrote to memory of 3064	1480	Cpkmehol.exe	40
PID 3064 wrote to memory of 2656	3064	Dajiok32.exe	41
PID 3064 wrote to memory of 2656	3064	Dajiok32.exe	41
PID 3064 wrote to memory of 2656	3064	Dajiok32.exe	41
PID 3064 wrote to memory of 2656	3064	Dajiok32.exe	41
PID 2656 wrote to memory of 1060	2656	Dkbnhq32.exe	42
PID 2656 wrote to memory of 1060	2656	Dkbnhq32.exe	42
PID 2656 wrote to memory of 1060	2656	Dkbnhq32.exe	42
PID 2656 wrote to memory of 1060	2656	Dkbnhq32.exe	42
PID 1060 wrote to memory of 2052	1060	Dpaceg32.exe	43
PID 1060 wrote to memory of 2052	1060	Dpaceg32.exe	43
PID 1060 wrote to memory of 2052	1060	Dpaceg32.exe	43
PID 1060 wrote to memory of 2052	1060	Dpaceg32.exe	43
PID 2052 wrote to memory of 2076	2052	Dogpfc32.exe	44
PID 2052 wrote to memory of 2076	2052	Dogpfc32.exe	44
PID 2052 wrote to memory of 2076	2052	Dogpfc32.exe	44
PID 2052 wrote to memory of 2076	2052	Dogpfc32.exe	44
PID 2076 wrote to memory of 2368	2076	Eceimadb.exe	45
PID 2076 wrote to memory of 2368	2076	Eceimadb.exe	45
PID 2076 wrote to memory of 2368	2076	Eceimadb.exe	45
PID 2076 wrote to memory of 2368	2076	Eceimadb.exe	45

C:\Users\Admin\AppData\Local\Temp\057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe
"C:\Users\Admin\AppData\Local\Temp\057aeb4b885228e8e719d8ab36f7bf1abe8c606f9a1564c43d3f41a0a79fde65N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\Bcoffd32.exe
  C:\Windows\system32\Bcoffd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\Bacgohjk.exe
    C:\Windows\system32\Bacgohjk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\Bcdpacgl.exe
      C:\Windows\system32\Bcdpacgl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\SysWOW64\Bjnhnn32.exe
        
        C:\Windows\system32\Bjnhnn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Ciebdj32.exe
        
        C:\Windows\system32\Ciebdj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Cobjmq32.exe
        
        C:\Windows\system32\Cobjmq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Cjikaa32.exe
        
        C:\Windows\system32\Cjikaa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Caepdk32.exe
        
        C:\Windows\system32\Caepdk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Coiqmp32.exe
        
        C:\Windows\system32\Coiqmp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Cpkmehol.exe
        
        C:\Windows\system32\Cpkmehol.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Dajiok32.exe
        
        C:\Windows\system32\Dajiok32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Dkbnhq32.exe
        
        C:\Windows\system32\Dkbnhq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Dpaceg32.exe
        
        C:\Windows\system32\Dpaceg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Dogpfc32.exe
        
        C:\Windows\system32\Dogpfc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Eceimadb.exe
        
        C:\Windows\system32\Eceimadb.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 140
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoffd32.exe

Filesize
55KB

MD5
6d08d6ceafd2de0d4d9129839e5f5e90

SHA1
397d53af8f8ec44d8e8b4fafe675173502daceb0

SHA256
bf5be5dc228ce9bb59c5a2e02cc5ce6f493ffcf19915e80745ab5e2da1d22685

SHA512
ee9065c23791c63e2bc674d63a872e3fa1282010721969713368abb500f8a2408d69eccd4935bbabd6f1fabed07fafead85c8e96e22af59386d1b8042c72cef0

Download Submit
C:\Windows\SysWOW64\Dajiok32.exe

Filesize
55KB

MD5
d334107773006e225edda7f53bebd1e2

SHA1
9422100781f5dfd291e1c1c3de2442ec674ded72

SHA256
55683adcb447b0cf04130b6bedcb5e884a463371b296aaf5bd177ae0e40f3ae2

SHA512
e612b875b124a8bcc55f45fb8598be29d2080ff7a6808b6ea094e38bc91ee34684c9bec5178665942d9bd248b60b077623bf10c71209bb13235b2fe8726268fe

Download Submit
C:\Windows\SysWOW64\Dkbnhq32.exe

Filesize
55KB

MD5
e01863e9b0a09b522040a7444070b090

SHA1
a260b833e8bcef9ce7bce05111dd6638fc8e2356

SHA256
c553e3f2d57094bff082939f2dbdfa05d79f685a1be5aadbc420d77efc62dc16

SHA512
2b60f2178eabc95d2dfcca549d4e4bb60acaabbebf2c546101a89c3b468d979a676bc0bee5422107232f4b1b668adae5b15ba58dc95d4af0179e1de4667bf002

Download Submit
C:\Windows\SysWOW64\Dogpfc32.exe

Filesize
55KB

MD5
ee21e324654fb7255b0867b809436110

SHA1
0d7f44e0950b8d7a8022cf46f0104f00b1eaa0b5

SHA256
0f6db3cc0e171ce7b411c4e7702d69fc812055637ef7281e0b104c1e28751c25

SHA512
bc679f94a917f3b81248d90aa4da693724105166cde263e8efdeeebfbf06f777c932b919a87f1ff868f2d49855e50d15ead5a820023bb7cc17885ba2b3b0f293

Download Submit
\Windows\SysWOW64\Bacgohjk.exe

Filesize
55KB

MD5
1ac059e0b8395137e1983c55e12f8c05

SHA1
efa13676c680215e6e2faf076f1d8dec939bc61c

SHA256
070355d5b44c725290bdf587127d2a3a96e790a24879fa809f815f40ea4c8ef1

SHA512
81b46f54c0d7b618db68f74e0d1f6599d2f11d4687ea7e37c609f000517941d29a7e1ebc43ee6bbc645fc2ed686ecd702bba0307c410ef9f6e6deebb50204a3e

Download Submit
\Windows\SysWOW64\Bcdpacgl.exe

Filesize
55KB

MD5
80adf73f048586a73f53013e5f969f1b

SHA1
6287d215c19d900099b598542ba436f552b0bfe3

SHA256
3edf9d980828f81fc7f7bb3655ba39864b2ce9317b9f8a8213bb8140ec9e0757

SHA512
b1422fef7eeccc7e8358e7cff449cf255e19f88053cb3603f9b2ff47615cd20659395dcbd403564d15b0368df2a66c03c5bf9b3d1fbee0362cadc6114cfb8a2e

Download Submit
\Windows\SysWOW64\Bjnhnn32.exe

Filesize
55KB

MD5
8da3dcbef3784ae2fdb0f88f9690abc9

SHA1
f59ad9bb315b679f62b603981d0f5bdae83193a5

SHA256
e115dc872334add4772ccfe0efb1079776a82c067586ecbfe08b4aaafa1844bf

SHA512
8049dd810007958e565d635a0c29f1cf06459db73534f634e969c6584053cb8f1ddaeb79e13bd0afc70cc2a6c0b13af3b8dd0b6a7f4c64e0022566d1ec93f938

Download Submit
\Windows\SysWOW64\Caepdk32.exe

Filesize
55KB

MD5
ef516e9a532024eca223c8472891c9ee

SHA1
99b537951360585cce0e38c1e178e5c4dcc91340

SHA256
a02b55c869a35dec4f8e9b30889e99f3b38220ed6cb19c169e5d6debfe1a2c0c

SHA512
1ac6d4980b47b706ab18503be6fa0fc93e511163c1339c93ccf0e185e6113ee07d56a9c5df39eaa460066f3858e3dca99b8aed482ce0ac148e1231686e16cf4c

Download Submit
\Windows\SysWOW64\Ciebdj32.exe

Filesize
55KB

MD5
7f84152b76a2538e64ac5de8779ffdfb

SHA1
a8f4e0428299bf9b4df0457d492573faed3dab98

SHA256
ef9909ea7ee82455e86156ee94d5f56f0596517bd7d08ddf9d1a6485e281d237

SHA512
9eaef2e514d2b205babe222734223b2c853e83d2aa71acae8510bf2b0ed24ec087f32b68c9db85d65e6c879697e8a71ecc574c87285a1f6543c8a5f78fe53cda

Download Submit
\Windows\SysWOW64\Cjikaa32.exe

Filesize
55KB

MD5
3d43c0327bf6d81fd116bd4fc7663218

SHA1
5a610fdd411ae8acc869992015fee3e154a7a386

SHA256
f5ea6f8ecf5372d971536d8088c4657a0de9706019543ddb98c981638f943019

SHA512
90b5821a7b5e7fd2d0ce356effea488e8acef664fa27e2b5364ce22d082737d4c57d077b96e81441280ada71c73424599d67df8bd5d6459906ccea557e9b6c1f

Download Submit
\Windows\SysWOW64\Cobjmq32.exe

Filesize
55KB

MD5
9f3136b8b70cce79ec1b837c956d476d

SHA1
8a7077ce28bf35c53d171e30fad7d95b15cd0e5a

SHA256
24a8f0c2b24244ef331fb5339910f76ba37c88462914721cd725bc01271f58a0

SHA512
643e9020347fb88a4730d6c5f781623a155f72baa87c9a261b3e1e6f011d24c41e82c75c0c2983e433fd0cb76a7b991123e2d69e178298a26081ebae68487d7d

Download Submit
\Windows\SysWOW64\Coiqmp32.exe

Filesize
55KB

MD5
434d5d7c797c4aead8c985991f29de1d

SHA1
fcf953ba1e5d69083bf81558f2bef60c844fd1d1

SHA256
de93fea22eb7d721329ce45fed62795c53b97691b4946378a8de44345633e5da

SHA512
632d7b0e4ba475a7d43bf8c83114efa75c6eb853c5e0337dadeeb6e19068af3d20bddb9fb9cfbcb1fb5fcd8f315917c15d8cfa1bab99a9e4644db637fd50be57

Download Submit
\Windows\SysWOW64\Cpkmehol.exe

Filesize
55KB

MD5
e51199e807696ffcf15d4a1dd9002c46

SHA1
125d48079205eee6dfa0a4da6667b0d07e26f7b8

SHA256
2298f1c7bbd43b79e379da649d14e63d6cdc50d6f6600261fd662e0e0d342f15

SHA512
f6ca99265dcd5827f431c7e6648154e37144a2934bf1ceb1645913a07256c3e090786f63601d1353f6ebb2b09135102ac031eac9f3685eae3e31cef3ff319452

Download Submit
\Windows\SysWOW64\Dpaceg32.exe

Filesize
55KB

MD5
06123c8148e8f2bc5aa29fad05bbb60a

SHA1
57954978dc6ed1e8e5a37ef902f331b348d4fe64

SHA256
1b2ad365a0f72c173e55fe61546456557ba7c09ef964874f64bd19af9e99feba

SHA512
e6718ee8347791a089c3215ca141578787fefafdfed339a7605004f1ca830586a1b857ffbadbfbae812762a69ba57640532d7296496e7ad89261d877e08c4c45

Download Submit
\Windows\SysWOW64\Eceimadb.exe

Filesize
55KB

MD5
7978993506f441ea9a9d089753ad3970

SHA1
b2ccb843fd0f60a2feec747645c42a43763d073f

SHA256
56e8cdd2d17800812eeb10a131713814aff2da2bab3ec53a727bf019f5560287

SHA512
f73bedefc547ae705626a8dd9fcb986fac2c0f0c8ac6bed22b6d412f2d36ce0cf6d93a67503bb6b76d4733d820ec53da1a085605bf12f9db21e314358bd102a8

Download Submit
memory/1060-191-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1060-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-147-0x00000000003B0000-0x00000000003E3000-memory.dmp

Filesize
204KB

Download
memory/1480-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-63-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2696-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-77-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2716-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-83-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2752-13-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2752-12-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2752-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-123-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2768-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-22-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2908-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-40-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2908-41-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2956-49-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2956-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-161-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3068-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-137-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3068-136-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads