berbew | 0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
Size

96KB
MD5

5b322caef83ebb8bc538a2582070f9d0
SHA1

dd2b655bd4abe8b29549ddc1097c10074b583816
SHA256

0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755
SHA512

d1f7e12c01d766c52e50e5ae8311155f79fb40798fa0974a39eed8a691c1d1a980469efc874da5bd3725d5f9c9f2031e29e94492af767de4ed19b4e3b22b57b2
SSDEEP

1536:/Def5CnpysIl3W5dPtChNQe2LG7RZObZUUWaegPYA:/DS5Cp5Ilqx0QjGClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklfll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 15 IoCs

pid	Process
2736	Biafnecn.exe
2916	Bhdgjb32.exe
2308	Blobjaba.exe
2656	Bhfcpb32.exe
264	Boplllob.exe
1588	Bejdiffp.exe
2680	Bobhal32.exe
1444	Baadng32.exe
1548	Cdoajb32.exe
2796	Cilibi32.exe
2960	Cpfaocal.exe
1752	Cklfll32.exe
1660	Cmjbhh32.exe
2324	Cbgjqo32.exe
2240	Ceegmj32.exe

Loads dropped DLL 34 IoCs

pid	Process
2844	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
2844	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
2736	Biafnecn.exe
2736	Biafnecn.exe
2916	Bhdgjb32.exe
2916	Bhdgjb32.exe
2308	Blobjaba.exe
2308	Blobjaba.exe
2656	Bhfcpb32.exe
2656	Bhfcpb32.exe
264	Boplllob.exe
264	Boplllob.exe
1588	Bejdiffp.exe
1588	Bejdiffp.exe
2680	Bobhal32.exe
2680	Bobhal32.exe
1444	Baadng32.exe
1444	Baadng32.exe
1548	Cdoajb32.exe
1548	Cdoajb32.exe
2796	Cilibi32.exe
2796	Cilibi32.exe
2960	Cpfaocal.exe
2960	Cpfaocal.exe
1752	Cklfll32.exe
1752	Cklfll32.exe
1660	Cmjbhh32.exe
1660	Cmjbhh32.exe
2324	Cbgjqo32.exe
2324	Cbgjqo32.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Cbgjqo32.exe	Cmjbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Cklfll32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cbgjqo32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Aheefb32.dll	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cklfll32.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cklfll32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Biafnecn.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Cklfll32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Llaemaih.dll	Cmjbhh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1756	2240	WerFault.exe	44

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklfll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cklfll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2736	2844	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe	30
PID 2844 wrote to memory of 2736	2844	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe	30
PID 2844 wrote to memory of 2736	2844	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe	30
PID 2844 wrote to memory of 2736	2844	0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe	30
PID 2736 wrote to memory of 2916	2736	Biafnecn.exe	31
PID 2736 wrote to memory of 2916	2736	Biafnecn.exe	31
PID 2736 wrote to memory of 2916	2736	Biafnecn.exe	31
PID 2736 wrote to memory of 2916	2736	Biafnecn.exe	31
PID 2916 wrote to memory of 2308	2916	Bhdgjb32.exe	32
PID 2916 wrote to memory of 2308	2916	Bhdgjb32.exe	32
PID 2916 wrote to memory of 2308	2916	Bhdgjb32.exe	32
PID 2916 wrote to memory of 2308	2916	Bhdgjb32.exe	32
PID 2308 wrote to memory of 2656	2308	Blobjaba.exe	33
PID 2308 wrote to memory of 2656	2308	Blobjaba.exe	33
PID 2308 wrote to memory of 2656	2308	Blobjaba.exe	33
PID 2308 wrote to memory of 2656	2308	Blobjaba.exe	33
PID 2656 wrote to memory of 264	2656	Bhfcpb32.exe	34
PID 2656 wrote to memory of 264	2656	Bhfcpb32.exe	34
PID 2656 wrote to memory of 264	2656	Bhfcpb32.exe	34
PID 2656 wrote to memory of 264	2656	Bhfcpb32.exe	34
PID 264 wrote to memory of 1588	264	Boplllob.exe	35
PID 264 wrote to memory of 1588	264	Boplllob.exe	35
PID 264 wrote to memory of 1588	264	Boplllob.exe	35
PID 264 wrote to memory of 1588	264	Boplllob.exe	35
PID 1588 wrote to memory of 2680	1588	Bejdiffp.exe	36
PID 1588 wrote to memory of 2680	1588	Bejdiffp.exe	36
PID 1588 wrote to memory of 2680	1588	Bejdiffp.exe	36
PID 1588 wrote to memory of 2680	1588	Bejdiffp.exe	36
PID 2680 wrote to memory of 1444	2680	Bobhal32.exe	37
PID 2680 wrote to memory of 1444	2680	Bobhal32.exe	37
PID 2680 wrote to memory of 1444	2680	Bobhal32.exe	37
PID 2680 wrote to memory of 1444	2680	Bobhal32.exe	37
PID 1444 wrote to memory of 1548	1444	Baadng32.exe	38
PID 1444 wrote to memory of 1548	1444	Baadng32.exe	38
PID 1444 wrote to memory of 1548	1444	Baadng32.exe	38
PID 1444 wrote to memory of 1548	1444	Baadng32.exe	38
PID 1548 wrote to memory of 2796	1548	Cdoajb32.exe	39
PID 1548 wrote to memory of 2796	1548	Cdoajb32.exe	39
PID 1548 wrote to memory of 2796	1548	Cdoajb32.exe	39
PID 1548 wrote to memory of 2796	1548	Cdoajb32.exe	39
PID 2796 wrote to memory of 2960	2796	Cilibi32.exe	40
PID 2796 wrote to memory of 2960	2796	Cilibi32.exe	40
PID 2796 wrote to memory of 2960	2796	Cilibi32.exe	40
PID 2796 wrote to memory of 2960	2796	Cilibi32.exe	40
PID 2960 wrote to memory of 1752	2960	Cpfaocal.exe	41
PID 2960 wrote to memory of 1752	2960	Cpfaocal.exe	41
PID 2960 wrote to memory of 1752	2960	Cpfaocal.exe	41
PID 2960 wrote to memory of 1752	2960	Cpfaocal.exe	41
PID 1752 wrote to memory of 1660	1752	Cklfll32.exe	42
PID 1752 wrote to memory of 1660	1752	Cklfll32.exe	42
PID 1752 wrote to memory of 1660	1752	Cklfll32.exe	42
PID 1752 wrote to memory of 1660	1752	Cklfll32.exe	42
PID 1660 wrote to memory of 2324	1660	Cmjbhh32.exe	43
PID 1660 wrote to memory of 2324	1660	Cmjbhh32.exe	43
PID 1660 wrote to memory of 2324	1660	Cmjbhh32.exe	43
PID 1660 wrote to memory of 2324	1660	Cmjbhh32.exe	43
PID 2324 wrote to memory of 2240	2324	Cbgjqo32.exe	44
PID 2324 wrote to memory of 2240	2324	Cbgjqo32.exe	44
PID 2324 wrote to memory of 2240	2324	Cbgjqo32.exe	44
PID 2324 wrote to memory of 2240	2324	Cbgjqo32.exe	44
PID 2240 wrote to memory of 1756	2240	Ceegmj32.exe	45
PID 2240 wrote to memory of 1756	2240	Ceegmj32.exe	45
PID 2240 wrote to memory of 1756	2240	Ceegmj32.exe	45
PID 2240 wrote to memory of 1756	2240	Ceegmj32.exe	45

C:\Users\Admin\AppData\Local\Temp\0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe
"C:\Users\Admin\AppData\Local\Temp\0d124f2b1d7e99f647c120e1ae2c67bc2df970f2de6dc7d38331262050bb5755N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\Biafnecn.exe
  C:\Windows\system32\Biafnecn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\Bhdgjb32.exe
    C:\Windows\system32\Bhdgjb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\Blobjaba.exe
      C:\Windows\system32\Blobjaba.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 140
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
96KB

MD5
7d0b68a1bbaf0407965dac4452577683

SHA1
60ad3aeb447d1ba0cf800544d03d4a8fc4cbcd33

SHA256
fe20acf0d572d2fcf1815e5e3570e4738f309048478232859cf3bb0850ef636b

SHA512
9ff20114da0b8cb65eee1c77d451f48617c172dac060e5fb2d984b45221dc892101411d840f9b2c0d42f1168f9374a33f60a4099af6a1ed6bf89595a8f7bd0a5

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
96KB

MD5
5e2cda321f4f73e5195ca31549f24ae3

SHA1
b59dabc9f41e9bca33dedfb55d48e9d7af9427ba

SHA256
17eb078177a09d59a60fbd4baa0ae454e5590ccb95601b789ac55dc5b9352a74

SHA512
82998d40649b7d605c00ffaaa0c0639f804bb0c544c350b6a6f5dd124da3921dd0f744389dcafca325544ea6fdda8503a0982c069eb5df1ffa4ca081b05d5ad5

Download Submit
\Windows\SysWOW64\Baadng32.exe

Filesize
96KB

MD5
c0ae6a478b6ec28d86ebd3e045527201

SHA1
fb5b838bf6c95a8eacd000451266925d6bc430e2

SHA256
86e6e145601bc3513401c7dd36998f89c7c4022c32c521f5415730157ac21859

SHA512
1066b6be95d1e25f3fceee97af0ff8869314dbea57a0155b502d69e1e2a324bced0fda07ccf9f01d019401df3d91764b84205dd8e2183de66389d2acd96f4583

Download Submit
\Windows\SysWOW64\Bejdiffp.exe

Filesize
96KB

MD5
ee2a944fdb27743871d5cdad447e7fae

SHA1
b6b6d8200c0446350861750d8593498bf43e0a6d

SHA256
e4a6eec274d25692f2877300686f0a299eb63ee0d7740f4798b924faf5a4ff9f

SHA512
80e9b3cf75b0b6c7030ca81438dff6a308aeff7780627d474da3eea5f60ffb4dbfc1b4342f1616a9dca01933cd510ed41388a9bb9c3e52c6de403cf8430049a4

Download Submit
\Windows\SysWOW64\Bhfcpb32.exe

Filesize
96KB

MD5
c54020c6b373b910d2a9e4a3a62055fe

SHA1
ace04daeb30bf07031b54ac2c09e1f82295a85bf

SHA256
82807aa0bb4c959ac183a01e63aa1891b6ac19bdc245c98c03aea325df5d20ad

SHA512
1240d9bac8cff14c884ec8ca2e80a76995ed8a236b8cd79d2362fa185b2811585d3c11204374d2556ba233486164771e8ab07f7e51eac5b5420f43db27a89a30

Download Submit
\Windows\SysWOW64\Biafnecn.exe

Filesize
96KB

MD5
889edfcffe2dc3856790b56ec2a2970c

SHA1
4852f33b984c83d35ba54b09675ff73bbb19edbe

SHA256
77613f0d3897f0dcd5f81cf787fb702df6f605d072e07116a09a06f2dbfba34f

SHA512
76dfcbacb1d252cd25510532a9b14a7c6b69d42678ed357003b17df1eeb821d341df05c5c678691674b02b65b586748a1817662c4113e0593898b88704a5a5dc

Download Submit
\Windows\SysWOW64\Blobjaba.exe

Filesize
96KB

MD5
7243a9b27ae95f4ffde9e5e99b1f9915

SHA1
caf2901aeff7bed93cffc6209ac281663763d420

SHA256
09eb9298f4e385c4fb8dc554787707232601e5e9763bb917a8696e0720927fe1

SHA512
a7e175c4d75e61b7a3768909f05dd1cb19ebb142257e24f920bec1a6a5073eeee7d90ce88b8ab6cf59375e2f6049e0172b5b618aa0487e7c91f49a732c75994f

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
96KB

MD5
bba2f2cabb9fde8d0a6a436ed10b0371

SHA1
ff355c03369046be432112635748442fb1744b32

SHA256
771f192d2f579c357dfc7dd0856d9b2b3957d44c5f8c8ee05a2ffcc4b470f099

SHA512
caa4914967f712c639ee46febc3a525f758df30fd0852bce412a1b1cdd9667adfc003ab8511495e3a7e50171a2e823e62d583cd91dc0f439d6e79439a49b4d02

Download Submit
\Windows\SysWOW64\Boplllob.exe

Filesize
96KB

MD5
2f4c4d2bd9c9386cb919b5acb323d163

SHA1
7fcfe04d5ee5512dbec2425b1cee4febf002451d

SHA256
5a36c10ae6a958c03a48343ce768c7d1b88cd296f5b7af44a31b01d8305464dc

SHA512
4086c6294fa889435ca835897a5a5b9b8e96b709f7cdda39b375385437877c0fd0758c0a115dfd056292bab2b19c485606788a3df27a661082f5f86548a28503

Download Submit
\Windows\SysWOW64\Cbgjqo32.exe

Filesize
96KB

MD5
9def340aae5e5e87b898a4f9efdb3e22

SHA1
230b5c206bb1e8454d9dc1f3aa62660f428b7810

SHA256
1171f0c8d83a019469741559e1d2b0fd6b495eb37a2c258c9bc189a9dddb3fe1

SHA512
b1840d814f4afd6dc0b2c733126a2d7e8299614b2bdced0b52237fa26889235917b1e761b62b9e4d97897bf87e946c0c78711d635b61e4d3656d132001960486

Download Submit
\Windows\SysWOW64\Cdoajb32.exe

Filesize
96KB

MD5
964c0d3d08ec05de5df045e1fd3c2b15

SHA1
86b91bee3c10b4e674934fdf670388f6f44b2fda

SHA256
2e98f4e5bc6b41d31ed06cfa96fb8f2415e5ee823d1a892ca76583ceb8709d89

SHA512
68e98711b2b732aa81eb9b5f7c5bafef826360ef3ef5e77ea141aa6f2d993a1c8e1f6f16ec4d1cfe7d90726382243cd3db3f2509b01d9b371baf427e1b9d061c

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
96KB

MD5
51b435232f9ce6185e7d408026691809

SHA1
a09a96f83ad33d9151e166144a4521a5385b3ca9

SHA256
37c277812af00df2bf855136dba49029366b4c9315aad04488dab90e04eaf4c2

SHA512
f3c684b721f7746122ee0065c780dc9d31f612991be26486f4b4774b26e3c35af351a75320a4bbcaf95a50a56f164d1f170a7d03ce078ebdbb7dcd2270545229

Download Submit
\Windows\SysWOW64\Cilibi32.exe

Filesize
96KB

MD5
d5e3e8cbd7b68fce97a0e559a185e723

SHA1
a23c5df81ff18b92e3edac08bef681adaf736e85

SHA256
deee86aced5243699beb94690e59668abe6fc0615c5edbc76c5081d1622f2f8d

SHA512
6b570cfce26e19561591babdae7836f6e5ad1798f7c120bfdab577863ae54d5651aa29dc5e892272e81c4d539b04454e2ba17eba996a1fba1d267dc97171955f

Download Submit
\Windows\SysWOW64\Cklfll32.exe

Filesize
96KB

MD5
20cda265181adb4763f90791b11bf5f3

SHA1
8f6c24eac2ba1d14b04f3a6d85fe3bb1c2ea95ca

SHA256
3d4905d7ed871bf1e851a3edbd72c175a2eecc0d7e916a77b4466f4ef021a44c

SHA512
868b9d8a9ce153edded7ccb57b180c611ce749fae02dca970a94165638ded9a7aedda19d2af715326897d452148cfd3abf83e88ffad64e53f23ed311a31cecc8

Download Submit
\Windows\SysWOW64\Cpfaocal.exe

Filesize
96KB

MD5
df7af5bfe95fd3b314996dd7f430d6bf

SHA1
a82dcec0e888930bf1e263525e8edda6b9dc77d6

SHA256
04e8db79f7c02debda3bc06bf6436c4de19d2fc7554e663f905861690d063475

SHA512
56c8759288c4dc6991517d647fcd25e623e7fb11e3a70f2a40105aa723834c7d304a1d50a6f174e20331070f4a97fd8f9d5a9352dc57cd86e56d7c6a0f2ca9ea

Download Submit
memory/264-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/264-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-132-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1548-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-52-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2308-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-53-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2308-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-67-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2680-106-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2680-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-11-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2844-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-12-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2844-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-156-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2960-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads