berbew | f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85ccc

Analysis

max time kernel
85s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
Size

337KB
MD5

b4eaf14259553df2cfaad29a7cdcd030
SHA1

ba108ffb6c2ebec5a444c7f790c2ecf87d6985b9
SHA256

f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85ccc
SHA512

df7f998c28df29c31c1e1d8b35649a2e573c5696a0bfe29921ba80588c9393133d72c0496c65dd0ef6447303470f14aa9e348c6b8401215e84a9df2c16ca1cd9
SSDEEP

3072:f42uw6YASgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:LAS1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 15 IoCs

pid	Process
2052	Akfkbd32.exe
2880	Andgop32.exe
2776	Aqbdkk32.exe
2700	Bgllgedi.exe
2356	Bkhhhd32.exe
2508	Bnknoogp.exe
2448	Bbmcibjp.exe
1552	Coacbfii.exe
2616	Cmedlk32.exe
2060	Cbblda32.exe
2020	Cnimiblo.exe
1740	Ckmnbg32.exe
2144	Cnkjnb32.exe
1396	Cmpgpond.exe
1952	Dpapaj32.exe

Loads dropped DLL 33 IoCs

pid	Process
2280	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
2280	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
2052	Akfkbd32.exe
2052	Akfkbd32.exe
2880	Andgop32.exe
2880	Andgop32.exe
2776	Aqbdkk32.exe
2776	Aqbdkk32.exe
2700	Bgllgedi.exe
2700	Bgllgedi.exe
2356	Bkhhhd32.exe
2356	Bkhhhd32.exe
2508	Bnknoogp.exe
2508	Bnknoogp.exe
2448	Bbmcibjp.exe
2448	Bbmcibjp.exe
1552	Coacbfii.exe
1552	Coacbfii.exe
2616	Cmedlk32.exe
2616	Cmedlk32.exe
2060	Cbblda32.exe
2060	Cbblda32.exe
2020	Cnimiblo.exe
2020	Cnimiblo.exe
1740	Ckmnbg32.exe
1740	Ckmnbg32.exe
2144	Cnkjnb32.exe
2144	Cnkjnb32.exe
1396	Cmpgpond.exe
1396	Cmpgpond.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Bgllgedi.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Jjmeignj.dll	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Andgop32.exe	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
File created	C:\Windows\SysWOW64\Aqbdkk32.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Coacbfii.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
File created	C:\Windows\SysWOW64\Andgop32.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Aqbdkk32.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Bgllgedi.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Andgop32.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bbmcibjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1324	1952	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Ckmnbg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2052	2280	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe	31
PID 2280 wrote to memory of 2052	2280	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe	31
PID 2280 wrote to memory of 2052	2280	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe	31
PID 2280 wrote to memory of 2052	2280	f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe	31
PID 2052 wrote to memory of 2880	2052	Akfkbd32.exe	32
PID 2052 wrote to memory of 2880	2052	Akfkbd32.exe	32
PID 2052 wrote to memory of 2880	2052	Akfkbd32.exe	32
PID 2052 wrote to memory of 2880	2052	Akfkbd32.exe	32
PID 2880 wrote to memory of 2776	2880	Andgop32.exe	33
PID 2880 wrote to memory of 2776	2880	Andgop32.exe	33
PID 2880 wrote to memory of 2776	2880	Andgop32.exe	33
PID 2880 wrote to memory of 2776	2880	Andgop32.exe	33
PID 2776 wrote to memory of 2700	2776	Aqbdkk32.exe	34
PID 2776 wrote to memory of 2700	2776	Aqbdkk32.exe	34
PID 2776 wrote to memory of 2700	2776	Aqbdkk32.exe	34
PID 2776 wrote to memory of 2700	2776	Aqbdkk32.exe	34
PID 2700 wrote to memory of 2356	2700	Bgllgedi.exe	35
PID 2700 wrote to memory of 2356	2700	Bgllgedi.exe	35
PID 2700 wrote to memory of 2356	2700	Bgllgedi.exe	35
PID 2700 wrote to memory of 2356	2700	Bgllgedi.exe	35
PID 2356 wrote to memory of 2508	2356	Bkhhhd32.exe	36
PID 2356 wrote to memory of 2508	2356	Bkhhhd32.exe	36
PID 2356 wrote to memory of 2508	2356	Bkhhhd32.exe	36
PID 2356 wrote to memory of 2508	2356	Bkhhhd32.exe	36
PID 2508 wrote to memory of 2448	2508	Bnknoogp.exe	37
PID 2508 wrote to memory of 2448	2508	Bnknoogp.exe	37
PID 2508 wrote to memory of 2448	2508	Bnknoogp.exe	37
PID 2508 wrote to memory of 2448	2508	Bnknoogp.exe	37
PID 2448 wrote to memory of 1552	2448	Bbmcibjp.exe	38
PID 2448 wrote to memory of 1552	2448	Bbmcibjp.exe	38
PID 2448 wrote to memory of 1552	2448	Bbmcibjp.exe	38
PID 2448 wrote to memory of 1552	2448	Bbmcibjp.exe	38
PID 1552 wrote to memory of 2616	1552	Coacbfii.exe	39
PID 1552 wrote to memory of 2616	1552	Coacbfii.exe	39
PID 1552 wrote to memory of 2616	1552	Coacbfii.exe	39
PID 1552 wrote to memory of 2616	1552	Coacbfii.exe	39
PID 2616 wrote to memory of 2060	2616	Cmedlk32.exe	40
PID 2616 wrote to memory of 2060	2616	Cmedlk32.exe	40
PID 2616 wrote to memory of 2060	2616	Cmedlk32.exe	40
PID 2616 wrote to memory of 2060	2616	Cmedlk32.exe	40
PID 2060 wrote to memory of 2020	2060	Cbblda32.exe	41
PID 2060 wrote to memory of 2020	2060	Cbblda32.exe	41
PID 2060 wrote to memory of 2020	2060	Cbblda32.exe	41
PID 2060 wrote to memory of 2020	2060	Cbblda32.exe	41
PID 2020 wrote to memory of 1740	2020	Cnimiblo.exe	42
PID 2020 wrote to memory of 1740	2020	Cnimiblo.exe	42
PID 2020 wrote to memory of 1740	2020	Cnimiblo.exe	42
PID 2020 wrote to memory of 1740	2020	Cnimiblo.exe	42
PID 1740 wrote to memory of 2144	1740	Ckmnbg32.exe	43
PID 1740 wrote to memory of 2144	1740	Ckmnbg32.exe	43
PID 1740 wrote to memory of 2144	1740	Ckmnbg32.exe	43
PID 1740 wrote to memory of 2144	1740	Ckmnbg32.exe	43
PID 2144 wrote to memory of 1396	2144	Cnkjnb32.exe	44
PID 2144 wrote to memory of 1396	2144	Cnkjnb32.exe	44
PID 2144 wrote to memory of 1396	2144	Cnkjnb32.exe	44
PID 2144 wrote to memory of 1396	2144	Cnkjnb32.exe	44
PID 1396 wrote to memory of 1952	1396	Cmpgpond.exe	45
PID 1396 wrote to memory of 1952	1396	Cmpgpond.exe	45
PID 1396 wrote to memory of 1952	1396	Cmpgpond.exe	45
PID 1396 wrote to memory of 1952	1396	Cmpgpond.exe	45
PID 1952 wrote to memory of 1324	1952	Dpapaj32.exe	46
PID 1952 wrote to memory of 1324	1952	Dpapaj32.exe	46
PID 1952 wrote to memory of 1324	1952	Dpapaj32.exe	46
PID 1952 wrote to memory of 1324	1952	Dpapaj32.exe	46

C:\Users\Admin\AppData\Local\Temp\f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe
"C:\Users\Admin\AppData\Local\Temp\f41156c59ff7be75919f2881c8c239c617a8377105dec37eceee71507fc85cccN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Akfkbd32.exe
  C:\Windows\system32\Akfkbd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\Andgop32.exe
    C:\Windows\system32\Andgop32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\Aqbdkk32.exe
      C:\Windows\system32\Aqbdkk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 144
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Andgop32.exe

Filesize
337KB

MD5
1876bea52b83e1904b401276f6d392ab

SHA1
ab447d5efcd1551ac65cbfb7f3a031554afb0c4e

SHA256
96471762e6059f04ba22df4ec4744d416639e983f9b4688dcfefff5286e0d7be

SHA512
50c5368b61a6999b1b59cc001b25f39f7c1a17641d59a808da5c5df526fa2c3d92eb0b89562d87e2b208313347688e78bcd2037c8dda874dc0a74e5e91e62dbf

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
337KB

MD5
6f76c03f5cfd847ae325aa8c1fc5618b

SHA1
3e43015c53434b730e8b0cc3d64fbb4e2f091b82

SHA256
49c2a2ed83b1b05fd0ee8d17402b25b95d670686656f620d80e1a0b651987596

SHA512
a32d21adc5578b464f6b961adc5a26d753c38068ff04bae385b3f00ac520125d8ba5cd559d9a34b1be09a3d1bb4b637b4d3040e8ac0dfe03213f07cbc010431d

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
337KB

MD5
39f4adc8929bd0e2146a7e8a8c8cad72

SHA1
6adfc5d878868af29f518f5bbb661c2662d55136

SHA256
81085de75d4de5b3f37616a294896cc67f5e5a3235372ef57dbf40d0d0a16315

SHA512
0d7c3f2834ae849da2324c6d2a54d79437a23bce487b9264a88dd9ca4ff3c0905da1c1cafc2acff0e487b7b43ef5796dc8919178c402f346b5749472c38c69c0

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
337KB

MD5
2adafe250c3e82213833b5f34fd2d995

SHA1
f6faaa15a25d22c07679a284927093492a0d8b67

SHA256
d8322a19111eeb972a2eba80c2128939550bb07109b0e255be5e76ac3a80e485

SHA512
034278a2be609de9fb3f704fcc48994a4470e5ae14dc17a1a57bf4243772fa04ff25d6cac0f18d61a93aeae1fbaff57c48fdcac5eca13e6fe0b6aebc5a237326

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
337KB

MD5
b3bfc9203388fb5c8da8a2aaef9935ab

SHA1
6bc6cbe995251649ecb00607b63a7b6be734f54e

SHA256
a1e9bedf1ae70940e116d2b11bc2093719afb4d9ad8c9932b60dce7330d3d52a

SHA512
016b3650273786769de7a09580ed384ead614a2869462b15b5b3308f650531641d0daf118c3f06e481fd178dbb2936d3a83e2f127b357a4a1e00ba34570afb26

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
337KB

MD5
300e5b62ba47ffe57999e878f63220ac

SHA1
6fee86ed9c15d01fe87181eebe445a93051581b1

SHA256
2208bc43240a401c0155f9c8e6b199a38e4e177f5d45ead6d78cf4b3b36ecea9

SHA512
4d2016db2d33330710e93844563ee880dc373b66dac81f45c440561e4b577d8cbd5159847a38bfbd52ee8832e466fa6cc5ee916754f8e926649b8aa5392afee9

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
337KB

MD5
771a7de336af83b6a5a44d3f30ac8bca

SHA1
eebf1449e4447dbc3c28bf7e9e1f0040282c0bf2

SHA256
417b487cc8881b5fea4f02d94793b0a54a21b4ad9c72aef81a6af5115c576f5e

SHA512
c18850cfb6cf624c246c556aec3aa098f550d84cf58995bfd254c5be9050f7b00ec60d110e23681a992121b93ec51815a1797339dfd0cf57920e69cddd5368f1

Download Submit
\Windows\SysWOW64\Akfkbd32.exe

Filesize
337KB

MD5
ed8db756da2f21db02181013a7078e75

SHA1
fc7c45184f060be1713d2b2e6c25d13de6e9944c

SHA256
fad22b23e44344534e413556464eb5e981f8ab15b455ff8af482f272907c8cf6

SHA512
c09b5ddad985c5e51c0f9c78b0c2adb19363dbdba96ef0bafe834c26a8cda197468dea850c209952bdbba146c2a6e30fb054012a72d0c82eb61dca93c37859ed

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
337KB

MD5
e9d45eb678c877fba69d3831f3b16afb

SHA1
9adb8296ee32640866e7696f25976373de8d70f1

SHA256
fca9fb4251b7528bbbb65337b9a948ff900a065d3ff85269556bbf828edfbeae

SHA512
5682bba67c38ac0ba8db234c59416f06871e6824a3d979034609d4ecd78d2e947922b1ee06c7cac4d8299aa5a6c19b37b699db12d33cc5d39f248bae3602e3ff

Download Submit
\Windows\SysWOW64\Bkhhhd32.exe

Filesize
337KB

MD5
8bbcaf93f50fb177731df11b5ad59a09

SHA1
3dfd147b0296c94fe693900b63ca2b4f0a109c48

SHA256
7fe0d1178e50e4b61d2b4eb93eba94387bed801a7c9a6ff74cabc71d4cf989d1

SHA512
a5dc8c78699c91e0149e651c55c7880d64e7bf35e40756c479a74d684d1f01cf96ed976cc2dfa397761d0d13bbe1175e2c13a408342716a3083a6a965d49e383

Download Submit
\Windows\SysWOW64\Cmedlk32.exe

Filesize
337KB

MD5
2fb46e78dc2e5ec9e92707bc1fa6c74d

SHA1
2481120a687df72514ea306e70447b40c0fbe9af

SHA256
cbeb12334858b9e25d30ce637d05d17438af280753390ffbd86ad0767231c4df

SHA512
4de21fa94d8322ebf02f22fc3c2109f93c9b4a580b65288fc08237b204fbaf77632b4a177b04fbf90685c18003e5e3c259057bc63362483954da513dce532f46

Download Submit
\Windows\SysWOW64\Cnimiblo.exe

Filesize
337KB

MD5
5e107d4fc40ee9eaadb8a6605ac29c4b

SHA1
eed15cd8e2e6588034a149c6d72f7deca5b0253a

SHA256
829668184567b64a88d31c17bf9fff45a4622509a71027fe18fd966194fc1017

SHA512
6a5616c07ddb9505d98bbc23a4fd5c08c7ed9286544338584b73968b8509f9846c3f73d2dee1b78dac9559925f1588761d41c9c01bd6259e98f91ae8f0801566

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
337KB

MD5
72bcc19c3ccc4fbc39fe5af814307064

SHA1
502f94eaab5447cc50fca9fa7ef996ab2bc7cf15

SHA256
3b5d8e1f536585eea6687649f47f4a7e0962a4ea6c1fbba38e512164a2c4adeb

SHA512
8675e01a1a0b37b19b73a1f35a78c3848a2d368213eae2d4a2998d4f6b4a3d271b697fd8b8b8a1d2d00bc49f048965505bba31a0017e7168e6c6d2b3dd67aef1

Download Submit
\Windows\SysWOW64\Coacbfii.exe

Filesize
337KB

MD5
f25d48c88fd047cb1737b13f943c51e1

SHA1
d8309d887c7edbfe6d86d6374a0e18f53a04dbce

SHA256
80d6da565f055f5463ce8334c2bc11f0bd2f409e282583477267aa68eec5e796

SHA512
729b96383cb5e9fb86e3809d937ce4cf1316d544602b75a7f0b683fedb100a283e5de3303fb480508ffbb9f38eb91aa1e9cb19f2aa75c42ade5fd5614b7f29d2

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
337KB

MD5
330f3cff49d27a529fa11f43bf5ee1de

SHA1
e52c340f5087e00191c1632ea7998a132629bd42

SHA256
386afc82cea0085fb1a4fe9261a4eb4e6e65948b979c1b299e82bfab3cad7ef2

SHA512
583764ac619baa306a96ff453f447774a59c7f2a222e4d5f47ab0304a1aeef70166e76e3aaf4e630683af415ef86fb5a7a614836ec88233b7a74ddb564a8d8f8

Download Submit
memory/1396-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-199-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1396-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-114-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1552-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-167-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1952-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-147-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2060-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-12-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2280-14-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2280-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-79-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2448-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-88-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2616-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-60-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2776-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads