berbew | 4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
Size

96KB
MD5

a02a88aada20d7cd5a112e71ef61daf2
SHA1

f1970a0023d236294681f69c2e3b5af9ed5b761e
SHA256

4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425
SHA512

2ed3e8c70b237834838fa99affc360731038cf1f0c0ae90386a4c074fad2406b3010632ea07b0c452514d72e9d02d276a9e8cb66095b174338b8122c0238e776
SSDEEP

1536:w/mUb6jJpxi6pX1zZ0cGNN/hKD1LDDtR3/LPERJtiq9W6Dki2Q1as/BOm3CMy0Q2:+H+tiq9q7T/4Dl3/baJtiq9W6Drl115t

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgnminke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caokmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eepmlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clilmbhd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbdagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Empomd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Embkbdce.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhdjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjoilfek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlboca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebockkal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eepmlf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bakaaepk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elieipej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakaaepk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Empomd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlboca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdjno32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caokmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffjagko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 18 IoCs

pid	Process
2876	Bakaaepk.exe
664	Bhdjno32.exe
2172	Caokmd32.exe
2680	Clilmbhd.exe
2360	Cjoilfek.exe
1952	Cffjagko.exe
1800	Dlboca32.exe
2352	Dhiphb32.exe
2704	Dgnminke.exe
2996	Dbdagg32.exe
1104	Eddjhb32.exe
2416	Empomd32.exe
1180	Embkbdce.exe
1624	Ebockkal.exe
1540	Eepmlf32.exe
1776	Elieipej.exe
1732	Faijggao.exe
1636	Flnndp32.exe

Loads dropped DLL 40 IoCs

pid	Process
2872	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
2872	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
2876	Bakaaepk.exe
2876	Bakaaepk.exe
664	Bhdjno32.exe
664	Bhdjno32.exe
2172	Caokmd32.exe
2172	Caokmd32.exe
2680	Clilmbhd.exe
2680	Clilmbhd.exe
2360	Cjoilfek.exe
2360	Cjoilfek.exe
1952	Cffjagko.exe
1952	Cffjagko.exe
1800	Dlboca32.exe
1800	Dlboca32.exe
2352	Dhiphb32.exe
2352	Dhiphb32.exe
2704	Dgnminke.exe
2704	Dgnminke.exe
2996	Dbdagg32.exe
2996	Dbdagg32.exe
1104	Eddjhb32.exe
1104	Eddjhb32.exe
2416	Empomd32.exe
2416	Empomd32.exe
1180	Embkbdce.exe
1180	Embkbdce.exe
1624	Ebockkal.exe
1624	Ebockkal.exe
1540	Eepmlf32.exe
1540	Eepmlf32.exe
1776	Elieipej.exe
1776	Elieipej.exe
1732	Faijggao.exe
1732	Faijggao.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bhdjno32.exe	Bakaaepk.exe
File created	C:\Windows\SysWOW64\Cjoilfek.exe	Clilmbhd.exe
File opened for modification	C:\Windows\SysWOW64\Empomd32.exe	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Olahgd32.dll	Dbdagg32.exe
File created	C:\Windows\SysWOW64\Empomd32.exe	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Embkbdce.exe	Empomd32.exe
File created	C:\Windows\SysWOW64\Imbige32.dll	Empomd32.exe
File created	C:\Windows\SysWOW64\Dgnminke.exe	Dhiphb32.exe
File opened for modification	C:\Windows\SysWOW64\Dgnminke.exe	Dhiphb32.exe
File created	C:\Windows\SysWOW64\Oamcoejo.dll	Dgnminke.exe
File created	C:\Windows\SysWOW64\Ebockkal.exe	Embkbdce.exe
File opened for modification	C:\Windows\SysWOW64\Ebockkal.exe	Embkbdce.exe
File created	C:\Windows\SysWOW64\Faijggao.exe	Elieipej.exe
File created	C:\Windows\SysWOW64\Kcacil32.dll	Bhdjno32.exe
File opened for modification	C:\Windows\SysWOW64\Clilmbhd.exe	Caokmd32.exe
File created	C:\Windows\SysWOW64\Cffjagko.exe	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Bdnnjcdh.dll	Embkbdce.exe
File created	C:\Windows\SysWOW64\Elieipej.exe	Eepmlf32.exe
File created	C:\Windows\SysWOW64\Caokmd32.exe	Bhdjno32.exe
File created	C:\Windows\SysWOW64\Mhibidgh.dll	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Fhoedaep.dll	Eepmlf32.exe
File created	C:\Windows\SysWOW64\Kfadkk32.dll	Elieipej.exe
File opened for modification	C:\Windows\SysWOW64\Bakaaepk.exe	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
File opened for modification	C:\Windows\SysWOW64\Cjoilfek.exe	Clilmbhd.exe
File created	C:\Windows\SysWOW64\Dhiphb32.exe	Dlboca32.exe
File created	C:\Windows\SysWOW64\Eddjhb32.exe	Dbdagg32.exe
File opened for modification	C:\Windows\SysWOW64\Elieipej.exe	Eepmlf32.exe
File created	C:\Windows\SysWOW64\Bakaaepk.exe	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
File created	C:\Windows\SysWOW64\Bedoacoi.dll	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
File opened for modification	C:\Windows\SysWOW64\Cffjagko.exe	Cjoilfek.exe
File opened for modification	C:\Windows\SysWOW64\Caokmd32.exe	Bhdjno32.exe
File opened for modification	C:\Windows\SysWOW64\Embkbdce.exe	Empomd32.exe
File created	C:\Windows\SysWOW64\Pdkooael.dll	Cffjagko.exe
File created	C:\Windows\SysWOW64\Kabgha32.dll	Dhiphb32.exe
File created	C:\Windows\SysWOW64\Dbdagg32.exe	Dgnminke.exe
File created	C:\Windows\SysWOW64\Clilmbhd.exe	Caokmd32.exe
File created	C:\Windows\SysWOW64\Mlanmb32.dll	Cjoilfek.exe
File opened for modification	C:\Windows\SysWOW64\Dlboca32.exe	Cffjagko.exe
File created	C:\Windows\SysWOW64\Doejph32.dll	Caokmd32.exe
File opened for modification	C:\Windows\SysWOW64\Eepmlf32.exe	Ebockkal.exe
File created	C:\Windows\SysWOW64\Ifhfbgmj.dll	Clilmbhd.exe
File opened for modification	C:\Windows\SysWOW64\Faijggao.exe	Elieipej.exe
File created	C:\Windows\SysWOW64\Jlpfci32.dll	Dlboca32.exe
File opened for modification	C:\Windows\SysWOW64\Eddjhb32.exe	Dbdagg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhiphb32.exe	Dlboca32.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Faijggao.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Faijggao.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Faijggao.exe
File created	C:\Windows\SysWOW64\Fopknnaa.dll	Bakaaepk.exe
File created	C:\Windows\SysWOW64\Dlboca32.exe	Cffjagko.exe
File created	C:\Windows\SysWOW64\Eepmlf32.exe	Ebockkal.exe
File opened for modification	C:\Windows\SysWOW64\Bhdjno32.exe	Bakaaepk.exe
File opened for modification	C:\Windows\SysWOW64\Dbdagg32.exe	Dgnminke.exe
File created	C:\Windows\SysWOW64\Bocjgfch.dll	Ebockkal.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2912	1636	WerFault.exe	47

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clilmbhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhiphb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnminke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbdagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Embkbdce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffjagko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddjhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eepmlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elieipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caokmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlboca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebockkal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakaaepk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdjno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjoilfek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Empomd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faijggao.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedoacoi.dll"	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocjgfch.dll"	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcacil32.dll"	Bhdjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbige32.dll"	Empomd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffjagko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eepmlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhdjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doejph32.dll"	Caokmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlboca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhdjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caokmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eepmlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhibidgh.dll"	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhfbgmj.dll"	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlanmb32.dll"	Cjoilfek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoedaep.dll"	Eepmlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Empomd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oamcoejo.dll"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll"	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnnjcdh.dll"	Embkbdce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clilmbhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpfci32.dll"	Dlboca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopknnaa.dll"	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Embkbdce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kabgha32.dll"	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Empomd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkooael.dll"	Cffjagko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhiphb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgnminke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caokmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlboca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfadkk32.dll"	Elieipej.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2876	2872	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe	30
PID 2872 wrote to memory of 2876	2872	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe	30
PID 2872 wrote to memory of 2876	2872	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe	30
PID 2872 wrote to memory of 2876	2872	4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe	30
PID 2876 wrote to memory of 664	2876	Bakaaepk.exe	31
PID 2876 wrote to memory of 664	2876	Bakaaepk.exe	31
PID 2876 wrote to memory of 664	2876	Bakaaepk.exe	31
PID 2876 wrote to memory of 664	2876	Bakaaepk.exe	31
PID 664 wrote to memory of 2172	664	Bhdjno32.exe	32
PID 664 wrote to memory of 2172	664	Bhdjno32.exe	32
PID 664 wrote to memory of 2172	664	Bhdjno32.exe	32
PID 664 wrote to memory of 2172	664	Bhdjno32.exe	32
PID 2172 wrote to memory of 2680	2172	Caokmd32.exe	33
PID 2172 wrote to memory of 2680	2172	Caokmd32.exe	33
PID 2172 wrote to memory of 2680	2172	Caokmd32.exe	33
PID 2172 wrote to memory of 2680	2172	Caokmd32.exe	33
PID 2680 wrote to memory of 2360	2680	Clilmbhd.exe	34
PID 2680 wrote to memory of 2360	2680	Clilmbhd.exe	34
PID 2680 wrote to memory of 2360	2680	Clilmbhd.exe	34
PID 2680 wrote to memory of 2360	2680	Clilmbhd.exe	34
PID 2360 wrote to memory of 1952	2360	Cjoilfek.exe	35
PID 2360 wrote to memory of 1952	2360	Cjoilfek.exe	35
PID 2360 wrote to memory of 1952	2360	Cjoilfek.exe	35
PID 2360 wrote to memory of 1952	2360	Cjoilfek.exe	35
PID 1952 wrote to memory of 1800	1952	Cffjagko.exe	36
PID 1952 wrote to memory of 1800	1952	Cffjagko.exe	36
PID 1952 wrote to memory of 1800	1952	Cffjagko.exe	36
PID 1952 wrote to memory of 1800	1952	Cffjagko.exe	36
PID 1800 wrote to memory of 2352	1800	Dlboca32.exe	37
PID 1800 wrote to memory of 2352	1800	Dlboca32.exe	37
PID 1800 wrote to memory of 2352	1800	Dlboca32.exe	37
PID 1800 wrote to memory of 2352	1800	Dlboca32.exe	37
PID 2352 wrote to memory of 2704	2352	Dhiphb32.exe	38
PID 2352 wrote to memory of 2704	2352	Dhiphb32.exe	38
PID 2352 wrote to memory of 2704	2352	Dhiphb32.exe	38
PID 2352 wrote to memory of 2704	2352	Dhiphb32.exe	38
PID 2704 wrote to memory of 2996	2704	Dgnminke.exe	39
PID 2704 wrote to memory of 2996	2704	Dgnminke.exe	39
PID 2704 wrote to memory of 2996	2704	Dgnminke.exe	39
PID 2704 wrote to memory of 2996	2704	Dgnminke.exe	39
PID 2996 wrote to memory of 1104	2996	Dbdagg32.exe	40
PID 2996 wrote to memory of 1104	2996	Dbdagg32.exe	40
PID 2996 wrote to memory of 1104	2996	Dbdagg32.exe	40
PID 2996 wrote to memory of 1104	2996	Dbdagg32.exe	40
PID 1104 wrote to memory of 2416	1104	Eddjhb32.exe	41
PID 1104 wrote to memory of 2416	1104	Eddjhb32.exe	41
PID 1104 wrote to memory of 2416	1104	Eddjhb32.exe	41
PID 1104 wrote to memory of 2416	1104	Eddjhb32.exe	41
PID 2416 wrote to memory of 1180	2416	Empomd32.exe	42
PID 2416 wrote to memory of 1180	2416	Empomd32.exe	42
PID 2416 wrote to memory of 1180	2416	Empomd32.exe	42
PID 2416 wrote to memory of 1180	2416	Empomd32.exe	42
PID 1180 wrote to memory of 1624	1180	Embkbdce.exe	43
PID 1180 wrote to memory of 1624	1180	Embkbdce.exe	43
PID 1180 wrote to memory of 1624	1180	Embkbdce.exe	43
PID 1180 wrote to memory of 1624	1180	Embkbdce.exe	43
PID 1624 wrote to memory of 1540	1624	Ebockkal.exe	44
PID 1624 wrote to memory of 1540	1624	Ebockkal.exe	44
PID 1624 wrote to memory of 1540	1624	Ebockkal.exe	44
PID 1624 wrote to memory of 1540	1624	Ebockkal.exe	44
PID 1540 wrote to memory of 1776	1540	Eepmlf32.exe	45
PID 1540 wrote to memory of 1776	1540	Eepmlf32.exe	45
PID 1540 wrote to memory of 1776	1540	Eepmlf32.exe	45
PID 1540 wrote to memory of 1776	1540	Eepmlf32.exe	45

C:\Users\Admin\AppData\Local\Temp\4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe
"C:\Users\Admin\AppData\Local\Temp\4311efc44a92d3ec4fffe62dc299de90ea94274ae7261d5f88601556f6730425.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\Bakaaepk.exe
  C:\Windows\system32\Bakaaepk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\Bhdjno32.exe
    C:\Windows\system32\Bhdjno32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\Caokmd32.exe
      C:\Windows\system32\Caokmd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\SysWOW64\Clilmbhd.exe
        
        C:\Windows\system32\Clilmbhd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\Cjoilfek.exe
        
        C:\Windows\system32\Cjoilfek.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Cffjagko.exe
        
        C:\Windows\system32\Cffjagko.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Dlboca32.exe
        
        C:\Windows\system32\Dlboca32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Dhiphb32.exe
        
        C:\Windows\system32\Dhiphb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Dgnminke.exe
        
        C:\Windows\system32\Dgnminke.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Dbdagg32.exe
        
        C:\Windows\system32\Dbdagg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Eddjhb32.exe
        
        C:\Windows\system32\Eddjhb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Empomd32.exe
        
        C:\Windows\system32\Empomd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Embkbdce.exe
        
        C:\Windows\system32\Embkbdce.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Ebockkal.exe
        
        C:\Windows\system32\Ebockkal.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Eepmlf32.exe
        
        C:\Windows\system32\Eepmlf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Faijggao.exe
        
        C:\Windows\system32\Faijggao.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 140
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bhdjno32.exe

Filesize
96KB

MD5
089919be0429696bf81c9c6340f2181f

SHA1
448b1bf72688008699a4fcfe5381562feffd1321

SHA256
9743c9e00b2b3c3317b12262685d731a58db1e1ebdf6c3aa3d189d2fec8bbabd

SHA512
23992ddbcc30652925a8d5a283e924ce3a56a810e3156877534944e12b984ccc2d173f3193827beac5a3847a6d9539b1697edcd521ac71315f120f3ff572ab8e

Download Submit
C:\Windows\SysWOW64\Clilmbhd.exe

Filesize
96KB

MD5
a20be03fdaeebe514fad0d4466e5e43c

SHA1
7ade9c9523097501854664877a2f2d8b001a6ef6

SHA256
f9bfb3e8d05265528d9787241dac20ffa4a4e48202308f6cc34e9db3caef51b4

SHA512
c826b6dd9327d70eea4dd9469f9c635eda0be3d855ee245c366c3a8f719e7083f64ed2d45ca7bfb70c6ce14ba033fe9a45be1537c277b44232a31e356863a7b9

Download Submit
C:\Windows\SysWOW64\Dbdagg32.exe

Filesize
96KB

MD5
fb883486d5ec6bb79389387712354500

SHA1
a3410b650538f1ea8a52452e2dfcc89b8f6b5345

SHA256
2e71538ef6a2f33d5c3bb48197867aaaf6c2419bc5d1400dc98268cd009804dc

SHA512
aaa48894c687e904e205d3319c2b7083bd8987f8791c792e2cdeaf66f018acbd69ecbe409d3aaa43dfcc7d0c17d74811ed202b9e335d2a4180e85e4cc20c3de9

Download Submit
C:\Windows\SysWOW64\Ebockkal.exe

Filesize
96KB

MD5
bfd66deff48d94d9d0ac9cb8f1d25e57

SHA1
65a16a0fb97d30640a6ea5044b47f81ef74d70ea

SHA256
253144b2369e4af02a9e42bf40c7e8ccec9bc481da5794c9ec933117710251d5

SHA512
744b73960aa93dd2a3a135f29c62e15b861ab34259374b0f1280f0dd733d7714270bddcae5ffacbef5f4d1b4ac67927307bd4455abbca1a83adaae0d6bbd3cd7

Download Submit
C:\Windows\SysWOW64\Eddjhb32.exe

Filesize
96KB

MD5
704e7d9b48e91ceebd367b3924d55208

SHA1
296e3b1e52846a27b0b34249dea1c3185e93015e

SHA256
86ed2d283f74fb9111efe1d973cb4a094f77ccb4324df9e29d61bc8ed6b8ec0a

SHA512
7495852a2e0fa7fdf3e7324f8cbe093765af3255080a0a5a1b9fb35dadcf40d4932e72e671e2fca7001aaa8fe3c4cdd888091306a6755b30dcb1d5a5e0e663ce

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
96KB

MD5
887e9c845de3dce9519e485eb99d301d

SHA1
5f9294695de0fbed5a7a17644000ba524d1e2bf9

SHA256
5195ac9a4fd1963ca7a3065c2d8cb9a824e1ae2aa67b8e1eca730b47a9d6e519

SHA512
dae1e9d687e9c2bce93cd4d5af8884fe33f2c56b2d207392949bb09f726088bfb678ab4a88457fe2e030f8de7a1fb4d8b74d25a109b32cc8eb6c081ea1225d68

Download Submit
C:\Windows\SysWOW64\Faijggao.exe

Filesize
96KB

MD5
306bd14ac3c2d2759254ab545568075a

SHA1
107f2fbabc2a0d6166975c74606ff3e2b7d5bdbc

SHA256
23ce978b61c3377c407b0e21828548571d3adc62cbe3c69ceebf994d35adb873

SHA512
1ac5f0db82173224d33629a370c4101ca3e20e5b7de595f3baa835fd7259f678fedcc7bb2aa4c00b296f437e0b5a33ad0ca84a9a0a7c4d969d74809d2397f1fc

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
96KB

MD5
5c7b68bb30e7ed77d884ac0ce037e4f7

SHA1
cf6ed25d52819a5277f9f6318b439d850428b52a

SHA256
46438c9c2af83e0c69ad9a48c613f4af5f3d00b20cb6328de1abee8d2298caa8

SHA512
5bf0f044235e66b5ca721f0ec85ed0e129d91cb3b26b0112ffc2655f9fb702547ba7bead7e176eeff859f986f7f5d2e3c170f950b0a96a41f530ee6716c21c1d

Download Submit
C:\Windows\SysWOW64\Ifhfbgmj.dll

Filesize
7KB

MD5
987738e66b53c6d0a57556ba20591d35

SHA1
dfa9930194932d6a7aa6021315e9bfb4b8a174c1

SHA256
0fd92b3268ac3b0474cc3048e84f9a21b4abc5789cc296360e4470bbde484fd2

SHA512
9959bcb423849244a0511c601d3a3ecda68c17de5455d9230bbab26c3b6060a198b97cd132961aee7d622d2c5cd8fe1d61b7286020a6195f30c7543150dc07a0

Download Submit
\Windows\SysWOW64\Bakaaepk.exe

Filesize
96KB

MD5
129fcbe834a437f566d3db0f045f0c63

SHA1
95b1e7bcf6b5d68679dd9479042e55214053fad5

SHA256
e559ffbe50511839aa1a453225c5870d18acbdbc9aa7b356cea90560508a1ac5

SHA512
10d7c9c185eec952e295aa01692859f48130c17b6cd33329d73307ee5c1e77706d2698ec2c5f9bb510eb031e47aaded03b872996ab6a0f8c8d54dfd4a0a1a11f

Download Submit
\Windows\SysWOW64\Caokmd32.exe

Filesize
96KB

MD5
960dea0a2d07967ac32d658b4836fa1c

SHA1
c080427568a1d5b2a36ac8302a098360358ee4cb

SHA256
6599a5a46205ecf9e3dc55262888e88933ab9ee5ccc715ee43670fd340a8cc1f

SHA512
a017e363db3462902902178f64764aceee65993b935c36a325c363277759798e3bd3b7277e07ea1fddabed7d601a83f9f239169f70389fdaae29ec55713ff0d1

Download Submit
\Windows\SysWOW64\Cffjagko.exe

Filesize
96KB

MD5
eeb1b5dacf35d5ce4aa323cc9c29e74f

SHA1
3c492895457c7df1cf0cb6311214d2231e30f0eb

SHA256
ffcbe7a2572b0ecb8c398d649a6adaccca9e1e769d820abd5f3794e00a7152ea

SHA512
fa4fd51619dda83553c1ddb78ffcd9ea5f08dc2d3fe890593e3bbdb7ef6d35302caf5b795d6d996079e9c4d1e0513c5f3761cdd80635fbea190be95852e46d12

Download Submit
\Windows\SysWOW64\Cjoilfek.exe

Filesize
96KB

MD5
07644120443cea060a05a6c375d87ab7

SHA1
54352b656837f35ab1f3d47a3a651c99803b5fac

SHA256
d61d027db0da39cce99080b9f5d76547dff3fa6da064bf2fb62d4914e8989c48

SHA512
78168bf312a9447a072253c39e52b96fadace7b6e6f443c8e0fcdd729d9ac5199ce0c4b966e7c1e2b0a3972bc5262ab0c125043eef3a742b28fce2571b28d8a8

Download Submit
\Windows\SysWOW64\Dgnminke.exe

Filesize
96KB

MD5
c86efcb51890ce5ec4652e863ba256f0

SHA1
219fe1c0bed6480289266d118328baf0caa6559e

SHA256
808f6504797ed8a284108ea58b85fd3b716d02d26d08155eec1d67fab6ce33c7

SHA512
92a890bedc5d7753432c4c8caa0b22562838f41390ef59287b08be5ec4afbd92eba5532fe483e67e05b4436bed7ca68e92c74f2cf22173cc83e50e532355e836

Download Submit
\Windows\SysWOW64\Dhiphb32.exe

Filesize
96KB

MD5
f90d99ba6d16383d89b1fa42b00676bb

SHA1
d16f8a2db30a02599fa18eba84d0ad8873d2061f

SHA256
63694b11e2eaadf2a6485486deeecedb56376b349e880d3d39f651874e9f7685

SHA512
a515336440cbf84da32d07564a9bb56a0cdfa6553e5975a7b4304ee22a9284ea7f6ad682a490b288a51cdcbedf52cca90499cfcf73a795fe7a545bedbd9dedae

Download Submit
\Windows\SysWOW64\Dlboca32.exe

Filesize
96KB

MD5
cf407458f434a90eb449c72f39797d61

SHA1
87d23b40fafc3ae76c66d069cbdb55ec5753ed68

SHA256
4e37bf90d03f0f32f5b1d4cb1c16e9d8a478e3597cdc3551b254c6fe5a024a0e

SHA512
67be4b0de8601c97ea22fbe555a61f3069f6ed8cd3cb4bc0a396989257b4d56d1d533101c2b8dfaee9d8be01cdd2602f9027b4ff72313e9ae9398f61423e1ecf

Download Submit
\Windows\SysWOW64\Eepmlf32.exe

Filesize
96KB

MD5
07938c9357b064c7bbb0a912b63cd545

SHA1
6f528c11d631fae990411f94a96056aac7f73400

SHA256
5e584dd9530537aa15a0a4ba534f7fbca4664705c0ec4da824bb5d1d3d3f276b

SHA512
dca29cc2f70688de32af5dd0f94191417bafa0bd87397aa7a54d3e10a665f47696fdbe24b7b57dea549d00271b447c9460ea4765d4b33a50e194a48822277599

Download Submit
\Windows\SysWOW64\Embkbdce.exe

Filesize
96KB

MD5
9048a3c209c51fe1802022f008d0359d

SHA1
139b9a9163265eb599a89065a8c2d59f0fd6c9f4

SHA256
41bc6b8df35fce3813ed7a40d3a523de73eef55b6da8d29939fbecc7c24b7b8a

SHA512
19ac8d99876907807a2f8f7f33c7713be0be5e5520865c8b7d1712070f4f2599c2874da72789cd5c108e4d5e4a9e5ef9466cd0ec20d0229a78dcd8c0f5d3f01f

Download Submit
\Windows\SysWOW64\Empomd32.exe

Filesize
96KB

MD5
44029f7c80fc532b2d2ed070897b4f8d

SHA1
f7c010dee7898db8c9bb990d204c30ac7db6ddca

SHA256
c528ad4e282152ac60ed149ad5c29fdd3bb89bcce52889c56098e66de02e0509

SHA512
09a24bc06d3546a42f0ae23938376f4652b533572979bb57b8269ba59fd63c8941643db50178c7de3bd673caf97b1efc0aa3af5c7787628611af121a977094db

Download Submit
memory/664-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/664-86-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/664-36-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/664-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1104-164-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1104-226-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1104-229-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1104-176-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1180-259-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/1180-258-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/1180-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1180-211-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/1180-210-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/1540-230-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1540-243-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1540-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-264-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-227-0x0000000000330000-0x000000000036F000-memory.dmp

Filesize
252KB

Download
memory/1636-272-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1636-276-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1732-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1732-271-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1732-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1776-257-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1776-246-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1776-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1776-260-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1800-115-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/1800-117-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/1800-110-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1952-148-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1952-96-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/1952-161-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/2172-53-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2172-94-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-101-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2352-132-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2352-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-187-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2352-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-133-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2360-81-0x00000000003C0000-0x00000000003FF000-memory.dmp

Filesize
252KB

Download
memory/2360-77-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-188-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2416-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-195-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2416-245-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2416-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-58-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-66-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2680-127-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2704-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-197-0x0000000000230000-0x000000000026F000-memory.dmp

Filesize
252KB

Download
memory/2704-194-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-196-0x0000000000230000-0x000000000026F000-memory.dmp

Filesize
252KB

Download
memory/2872-57-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2872-12-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2872-18-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2872-56-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2872-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2872-54-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-26-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2876-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2996-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2996-213-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2996-162-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2996-149-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads