berbew | 669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98

Analysis

max time kernel
74s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
Size

64KB
MD5

6a58b49c07ed025cbd9ddfa88a156d79
SHA1

31ef6f05801f5f485132844e6762c299bc495f95
SHA256

669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98
SHA512

a2c64b174b1b7214b25cdb8d5d5c53d8ce6d9aa10b0c53d155edaac42d6cd755ba90d7fa1c95dc10b65444c3b6a6d81d0af41c8e8dd46fc18b035ebdc283400f
SSDEEP

1536:nUenGhHMN3oiJo+YLWvAWyHrPFW2iwTbWf:nU0GhsNYi0PXjFW2VTbWf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 16 IoCs

pid	Process
2344	Bffbdadk.exe
2900	Bmpkqklh.exe
2284	Bbmcibjp.exe
2864	Bmbgfkje.exe
2840	Cbppnbhm.exe
1716	Cenljmgq.exe
2612	Cfmhdpnc.exe
1120	Cgoelh32.exe
2884	Cebeem32.exe
2792	Cgaaah32.exe
2824	Cjonncab.exe
536	Caifjn32.exe
1848	Clojhf32.exe
2212	Calcpm32.exe
2308	Djdgic32.exe
1680	Dpapaj32.exe

Loads dropped DLL 35 IoCs

pid	Process
1628	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
1628	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
2344	Bffbdadk.exe
2344	Bffbdadk.exe
2900	Bmpkqklh.exe
2900	Bmpkqklh.exe
2284	Bbmcibjp.exe
2284	Bbmcibjp.exe
2864	Bmbgfkje.exe
2864	Bmbgfkje.exe
2840	Cbppnbhm.exe
2840	Cbppnbhm.exe
1716	Cenljmgq.exe
1716	Cenljmgq.exe
2612	Cfmhdpnc.exe
2612	Cfmhdpnc.exe
1120	Cgoelh32.exe
1120	Cgoelh32.exe
2884	Cebeem32.exe
2884	Cebeem32.exe
2792	Cgaaah32.exe
2792	Cgaaah32.exe
2824	Cjonncab.exe
2824	Cjonncab.exe
536	Caifjn32.exe
536	Caifjn32.exe
1848	Clojhf32.exe
1848	Clojhf32.exe
2212	Calcpm32.exe
2212	Calcpm32.exe
2308	Djdgic32.exe
2308	Djdgic32.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Alecllfh.dll	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cgaaah32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dfkhndca.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dfkhndca.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
552	1680	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2344	1628	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe	31
PID 1628 wrote to memory of 2344	1628	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe	31
PID 1628 wrote to memory of 2344	1628	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe	31
PID 1628 wrote to memory of 2344	1628	669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe	31
PID 2344 wrote to memory of 2900	2344	Bffbdadk.exe	32
PID 2344 wrote to memory of 2900	2344	Bffbdadk.exe	32
PID 2344 wrote to memory of 2900	2344	Bffbdadk.exe	32
PID 2344 wrote to memory of 2900	2344	Bffbdadk.exe	32
PID 2900 wrote to memory of 2284	2900	Bmpkqklh.exe	33
PID 2900 wrote to memory of 2284	2900	Bmpkqklh.exe	33
PID 2900 wrote to memory of 2284	2900	Bmpkqklh.exe	33
PID 2900 wrote to memory of 2284	2900	Bmpkqklh.exe	33
PID 2284 wrote to memory of 2864	2284	Bbmcibjp.exe	34
PID 2284 wrote to memory of 2864	2284	Bbmcibjp.exe	34
PID 2284 wrote to memory of 2864	2284	Bbmcibjp.exe	34
PID 2284 wrote to memory of 2864	2284	Bbmcibjp.exe	34
PID 2864 wrote to memory of 2840	2864	Bmbgfkje.exe	35
PID 2864 wrote to memory of 2840	2864	Bmbgfkje.exe	35
PID 2864 wrote to memory of 2840	2864	Bmbgfkje.exe	35
PID 2864 wrote to memory of 2840	2864	Bmbgfkje.exe	35
PID 2840 wrote to memory of 1716	2840	Cbppnbhm.exe	36
PID 2840 wrote to memory of 1716	2840	Cbppnbhm.exe	36
PID 2840 wrote to memory of 1716	2840	Cbppnbhm.exe	36
PID 2840 wrote to memory of 1716	2840	Cbppnbhm.exe	36
PID 1716 wrote to memory of 2612	1716	Cenljmgq.exe	37
PID 1716 wrote to memory of 2612	1716	Cenljmgq.exe	37
PID 1716 wrote to memory of 2612	1716	Cenljmgq.exe	37
PID 1716 wrote to memory of 2612	1716	Cenljmgq.exe	37
PID 2612 wrote to memory of 1120	2612	Cfmhdpnc.exe	38
PID 2612 wrote to memory of 1120	2612	Cfmhdpnc.exe	38
PID 2612 wrote to memory of 1120	2612	Cfmhdpnc.exe	38
PID 2612 wrote to memory of 1120	2612	Cfmhdpnc.exe	38
PID 1120 wrote to memory of 2884	1120	Cgoelh32.exe	39
PID 1120 wrote to memory of 2884	1120	Cgoelh32.exe	39
PID 1120 wrote to memory of 2884	1120	Cgoelh32.exe	39
PID 1120 wrote to memory of 2884	1120	Cgoelh32.exe	39
PID 2884 wrote to memory of 2792	2884	Cebeem32.exe	40
PID 2884 wrote to memory of 2792	2884	Cebeem32.exe	40
PID 2884 wrote to memory of 2792	2884	Cebeem32.exe	40
PID 2884 wrote to memory of 2792	2884	Cebeem32.exe	40
PID 2792 wrote to memory of 2824	2792	Cgaaah32.exe	41
PID 2792 wrote to memory of 2824	2792	Cgaaah32.exe	41
PID 2792 wrote to memory of 2824	2792	Cgaaah32.exe	41
PID 2792 wrote to memory of 2824	2792	Cgaaah32.exe	41
PID 2824 wrote to memory of 536	2824	Cjonncab.exe	42
PID 2824 wrote to memory of 536	2824	Cjonncab.exe	42
PID 2824 wrote to memory of 536	2824	Cjonncab.exe	42
PID 2824 wrote to memory of 536	2824	Cjonncab.exe	42
PID 536 wrote to memory of 1848	536	Caifjn32.exe	43
PID 536 wrote to memory of 1848	536	Caifjn32.exe	43
PID 536 wrote to memory of 1848	536	Caifjn32.exe	43
PID 536 wrote to memory of 1848	536	Caifjn32.exe	43
PID 1848 wrote to memory of 2212	1848	Clojhf32.exe	44
PID 1848 wrote to memory of 2212	1848	Clojhf32.exe	44
PID 1848 wrote to memory of 2212	1848	Clojhf32.exe	44
PID 1848 wrote to memory of 2212	1848	Clojhf32.exe	44
PID 2212 wrote to memory of 2308	2212	Calcpm32.exe	45
PID 2212 wrote to memory of 2308	2212	Calcpm32.exe	45
PID 2212 wrote to memory of 2308	2212	Calcpm32.exe	45
PID 2212 wrote to memory of 2308	2212	Calcpm32.exe	45
PID 2308 wrote to memory of 1680	2308	Djdgic32.exe	46
PID 2308 wrote to memory of 1680	2308	Djdgic32.exe	46
PID 2308 wrote to memory of 1680	2308	Djdgic32.exe	46
PID 2308 wrote to memory of 1680	2308	Djdgic32.exe	46

C:\Users\Admin\AppData\Local\Temp\669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe
"C:\Users\Admin\AppData\Local\Temp\669f81759ab0e4d0e3e4965728c3bfcf9dbb7311d29a6b46a7295a1b68d1af98.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\Bffbdadk.exe
  C:\Windows\system32\Bffbdadk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\Bmpkqklh.exe
    C:\Windows\system32\Bmpkqklh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\Bbmcibjp.exe
      C:\Windows\system32\Bbmcibjp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 144
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
64KB

MD5
9965334a4f94446541fe466886855434

SHA1
da190f453fc52e9d53589b3636c45da7a9698993

SHA256
5c97cdab0ed33f4bb2b7113206749382d306e81e94ffe9601b90d39f35148b15

SHA512
7816aad3effb263d81839d9d1ecb53c9ee2ebbf17901d7a950436221faeef89a8bc5b661bfa2ee8ef830cf012b822a9d606367611447430d73940ba4b0857bef

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
64KB

MD5
55e67368124dc489372e093249cfaf77

SHA1
fb07eb8ff7091e25ffab47b19fbdafb939e2f739

SHA256
6303ba4c8ba71b909bf5bc563b915ffe9d103888d858e37680ab9024784bbce7

SHA512
72d585d9f50acd62bce06d1c3194840936c894adc05ecceafcd6617574d67c718c1b5e3f5a31c097d4ff50adcf6238bc07e9b9109537ac37c2e23227efef9b3b

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
64KB

MD5
95ebfa22f8ae20256cb9bf0dcbdca15c

SHA1
163f51947ffea222546b892a6c64140b47158810

SHA256
c02471e3d2d384768bb9ee1ec749c5422270f32ffe13d54cfa425a7233bf588c

SHA512
e3b5214b94a3da8fd44098a1a8fe81f13883f726ac9b02421dbab909fa8dc8d02aba46b9cfb4e822f7fba9ae31be24f9becbb50348901432c8b8f03370f31ad1

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
64KB

MD5
c31f993d0d01b9d583b74ea05453eafd

SHA1
e89ed0afa9386acbb18ef8d56921b32f327292e4

SHA256
e3d92dc2f69e51214003024ff6fd96d1c086a1629fe37e4361ce68b63506f7ef

SHA512
8933ebb18007bc27895727f0642e624c3a0b97e77f7476d118c6e983c3d02d5deb0a15f9a68b501b2312e5eaba858d176eafbe459ef9939db62646d2e5ac2303

Download Submit
\Windows\SysWOW64\Bmbgfkje.exe

Filesize
64KB

MD5
9c3d13411574260f716fa5f2020b4433

SHA1
7e90ce78997173372bb4033d85b85f6efd085419

SHA256
586e1ef64f65a5304229eedf6c21c1e72b13a1e6871448664620d8ec618c8b64

SHA512
7feafdb44ce5847d4ac6aa84e49e47c8fc20e2f8ae9c7f91e8d63113ef8a4869ca323f065855b1a59f4de6164b2626c27044e2d7c2e74402bc6e19679f36adc7

Download Submit
\Windows\SysWOW64\Caifjn32.exe

Filesize
64KB

MD5
14e8385e3b8c381d381d1cb48a362503

SHA1
9ebaa599b45b3370345cc9ceecf0c1a03ef3da1b

SHA256
adb5429de818e3b1e34d5c7f4737c0b3c5d38577007ef60a9a44a073de6153a5

SHA512
25734b69e022e5d1ae9a089c1372ea15ee52f516dcf02a71216ceee69586b80ad4a096192d2927b395e1000541e7af5146b87d5a7c30dbac926f63ee596da3b4

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
64KB

MD5
53c862759c790c15596ba98d523f42f0

SHA1
5b40097324ae035aea00c21a072270a3eea2ff5f

SHA256
4bc2909d334e06d9bb6dd80304b9c70a530011cb0b489814c4637d1e43fc9cfc

SHA512
ce959a83419b718b013ad0b014586e72764f6c0fda2996cf3d9a829b42e8150580124d84ea729b30f50595d4e9aa16b8b3dcc1cf33a484c190d13b73b9aac697

Download Submit
\Windows\SysWOW64\Cbppnbhm.exe

Filesize
64KB

MD5
03c4be949f88f9bf9b37e4a86423d06b

SHA1
8424bcf3b18a254be4d4de9f157d25fa2242d29c

SHA256
ac79a994b815682acfa08b03e36cba1b953ea1fd518133132509e4d289ac4bfa

SHA512
4958dd87e76d055119710a16601a6c7974128051284287decc83259b953168fdab8ee99a59f2bd9406e7895568e8696f1df4fb5c846e608adfa155cf07c65134

Download Submit
\Windows\SysWOW64\Cebeem32.exe

Filesize
64KB

MD5
cf625ed4d145b1669e24904086ff66d9

SHA1
763deb09fa14e250670d47441ff2d4c4bfbdb996

SHA256
62d89979a4cce712b3d05237d13fd06f0a6229b601faf361275c7bfa4017f5cc

SHA512
a514490d8a4754bf71a6498e5d3f7ac74810cd1a0f6ccebecc0cfdb0a344fa3a19047a54e4d83f378316dd5bdf65d669387e2a1c13c8ab13309f06293942d746

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
64KB

MD5
86632bdee3c558384d9ef9dd25d830be

SHA1
8dec980e374dc8e3bb1ae5af3954d66e4415fa57

SHA256
dccf40218d4740537c3da0c216414b6845c475d4cc15371570b31f77062a1b96

SHA512
6325a252f03731e222f4f86f87f6c19b88b3fb81e363076017d08aed9ff26a35e991f906e2f2e08803c57365220d18a0488d951d081ac32de0179b561095255b

Download Submit
\Windows\SysWOW64\Cgaaah32.exe

Filesize
64KB

MD5
87df0730db746be47b859b6713306875

SHA1
04e7b10eb48bbb4aa6feda9d16e94e3e3c48a6c8

SHA256
05af86bbcba59f8a4b8fb3cd24b2932d87ec6e99f1af1e14c004cc399e39197c

SHA512
5c6ceef0a1a9491e741743a5fca310e231165b5f5227899fc9883935fa6bff21d1c6cbb763f4d079b33ca760c1291690b4b0baae0bfcb5be116370d933ea339e

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
64KB

MD5
8106112e87a79f7b7429b684e13a71bd

SHA1
fc3ead944c2a8e2620b34cb20b629be3efb0eadf

SHA256
6f80c962aa01b7a71134ad13bb89c415de34586ed3b9af68548a530bbbd94243

SHA512
8e81704bc15acc5f0cd58eea7a0f2887a3415163291891e67e69551bbde8fc8997a86b5eefa84a611562f2147474ddf30b1b75878b8f9ac5b4c12ed28d4eed83

Download Submit
\Windows\SysWOW64\Cjonncab.exe

Filesize
64KB

MD5
3908753f89114b85fe319d72dcc8a7a8

SHA1
5654e92a0f2b2f98ad3a1a8bc09723c4b4d17a95

SHA256
d9929be99b61a1ca97377a94778401d334126fedb385801e702fa52ad753a413

SHA512
82999099ed209135d912d1b0d5facffc50d53c1754b6928c0e17f2a8ebff34dae156d6ed136c8f8bc4619dd344e3f757c3e16942bc1c3b6dbd701d9ad9b73d23

Download Submit
\Windows\SysWOW64\Clojhf32.exe

Filesize
64KB

MD5
58bc03b66bb1a18f1ad57167144ea587

SHA1
8dd1db9f2f432308abf9d4e7d7568ecdb1c23d25

SHA256
370854d87875486b25419cb5fd73382510e0f4d29a57dbfe12a8a3977f0a4910

SHA512
b1029badfb1f3ea9c698617346dc37594d3861fd8f06ed0f04d26279ac53d2de299c60d85ab806d4fc2a670147718c64c395e23643d31fb2735a2e62888a8a0b

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
64KB

MD5
9b8955527b473ac66d443535cb45d825

SHA1
69226f8428294df97a3e6c39e76083927b8e04e0

SHA256
fc0f86e469de54d47b25918e58f40b59ecb4e48aaba7b32589aea3a4ec419e71

SHA512
f9338aabf69f10c44d3cb042ef56e1b555e1a3dde21647211d86105613cc0d51d89adc4e81cee53ebc27e59e2db2245a3de268ed39b91f5e56cfa455afaa1ec9

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
64KB

MD5
efc3640fb43e23aeeb94c9c981c12bde

SHA1
fc489b89dd9df7a9178718e5b717d8025f090b69

SHA256
393816a340105bf30fd739489b44db6cac4eb6cb6d451841c59708e04be4d141

SHA512
c6f5dd95670917b902d512405dafe59f19d7e29a502f3a0d5c03c4a7d50df42cbbc104bc47a5f6055f13e5bf96b52488e5b608b0bd7ba948acc7b20fba8307c5

Download Submit
memory/536-244-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/536-243-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/536-192-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/536-185-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/1120-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1120-129-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/1120-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1120-177-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/1628-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1628-53-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1628-12-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1680-239-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1680-249-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1716-92-0x0000000000310000-0x000000000034B000-memory.dmp

Filesize
236KB

Download
memory/1716-99-0x0000000000310000-0x000000000034B000-memory.dmp

Filesize
236KB

Download
memory/1716-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1848-245-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1848-247-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/1848-193-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1848-209-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/2212-223-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2212-248-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2212-246-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2212-218-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2212-208-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2284-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2284-97-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2308-231-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2344-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2344-13-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2612-159-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2612-168-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/2612-113-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/2612-100-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2792-154-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2792-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2792-161-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2792-207-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2792-217-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2824-171-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2824-230-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2840-82-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/2840-77-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/2840-76-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2840-125-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/2864-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2864-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2884-144-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/2884-146-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/2884-130-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2884-191-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2884-202-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/2900-73-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2900-39-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2900-33-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2900-26-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads