berbew | f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Size

105KB
MD5

c3fe93674631768a8ae5803fc5276b3f
SHA1

ef81a2654283b9efddcce834acc9d8edb29b4585
SHA256

f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823
SHA512

67e2928be111ce2e9549a36e7d229df2f8c9aba2daaa8c8009289c2ee891c08e25f41c22862fa98f3fbef744aac9bc1e88ea88fffe930a458fb3efa1685981a7
SSDEEP

3072:xtNoFLCeplAarVsRxPcxkdeGZl2NkzwH5GJks8WYlOWeE:CdpuiaxEbY9zwZ9s8Sm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjekahk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccpqjfnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkgdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aicfgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiqjao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bopknhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Celpqbon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Almihjlj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobleeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pajeanhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aiqjao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmjekahk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aljmbknm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Almihjlj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccpqjfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aljmbknm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bopknhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkojoghl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkojoghl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bobleeef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pajeanhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfkgdd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 15 IoCs

pid	Process
1396	Pajeanhf.exe
2920	Pkojoghl.exe
2328	Qfkgdd32.exe
1752	Aljmbknm.exe
2692	Almihjlj.exe
2728	Aiqjao32.exe
2624	Aicfgn32.exe
2940	Bobleeef.exe
3008	Bpfebmia.exe
2344	Bmjekahk.exe
2196	Bgdfjfmi.exe
780	Bopknhjd.exe
2368	Celpqbon.exe
1944	Ccpqjfnh.exe
1624	Coindgbi.exe

Loads dropped DLL 30 IoCs

pid	Process
564	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
564	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
1396	Pajeanhf.exe
1396	Pajeanhf.exe
2920	Pkojoghl.exe
2920	Pkojoghl.exe
2328	Qfkgdd32.exe
2328	Qfkgdd32.exe
1752	Aljmbknm.exe
1752	Aljmbknm.exe
2692	Almihjlj.exe
2692	Almihjlj.exe
2728	Aiqjao32.exe
2728	Aiqjao32.exe
2624	Aicfgn32.exe
2624	Aicfgn32.exe
2940	Bobleeef.exe
2940	Bobleeef.exe
3008	Bpfebmia.exe
3008	Bpfebmia.exe
2344	Bmjekahk.exe
2344	Bmjekahk.exe
2196	Bgdfjfmi.exe
2196	Bgdfjfmi.exe
780	Bopknhjd.exe
780	Bopknhjd.exe
2368	Celpqbon.exe
2368	Celpqbon.exe
1944	Ccpqjfnh.exe
1944	Ccpqjfnh.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Celpqbon.exe	Bopknhjd.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Ccpqjfnh.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Ccpqjfnh.exe
File created	C:\Windows\SysWOW64\Qfkgdd32.exe	Pkojoghl.exe
File created	C:\Windows\SysWOW64\Lflppehm.dll	Aljmbknm.exe
File created	C:\Windows\SysWOW64\Qamnbhdj.dll	Bpfebmia.exe
File created	C:\Windows\SysWOW64\Aiqjao32.exe	Almihjlj.exe
File created	C:\Windows\SysWOW64\Ojeffiih.dll	Bmjekahk.exe
File opened for modification	C:\Windows\SysWOW64\Celpqbon.exe	Bopknhjd.exe
File created	C:\Windows\SysWOW64\Pkojoghl.exe	Pajeanhf.exe
File created	C:\Windows\SysWOW64\Dmpgan32.dll	Pajeanhf.exe
File created	C:\Windows\SysWOW64\Fmdkki32.dll	Qfkgdd32.exe
File created	C:\Windows\SysWOW64\Kdgfnh32.dll	Almihjlj.exe
File created	C:\Windows\SysWOW64\Mkhanokh.dll	Aicfgn32.exe
File created	C:\Windows\SysWOW64\Bpfebmia.exe	Bobleeef.exe
File created	C:\Windows\SysWOW64\Bopknhjd.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Cbiphidl.dll	Bgdfjfmi.exe
File opened for modification	C:\Windows\SysWOW64\Pajeanhf.exe	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
File opened for modification	C:\Windows\SysWOW64\Pkojoghl.exe	Pajeanhf.exe
File created	C:\Windows\SysWOW64\Aljmbknm.exe	Qfkgdd32.exe
File created	C:\Windows\SysWOW64\Bmjekahk.exe	Bpfebmia.exe
File opened for modification	C:\Windows\SysWOW64\Bmjekahk.exe	Bpfebmia.exe
File created	C:\Windows\SysWOW64\Pfapgnji.dll	Bopknhjd.exe
File created	C:\Windows\SysWOW64\Gjbcnmen.dll	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
File created	C:\Windows\SysWOW64\Almihjlj.exe	Aljmbknm.exe
File created	C:\Windows\SysWOW64\Hmecge32.dll	Aiqjao32.exe
File opened for modification	C:\Windows\SysWOW64\Bopknhjd.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Ccpqjfnh.exe	Celpqbon.exe
File opened for modification	C:\Windows\SysWOW64\Ccpqjfnh.exe	Celpqbon.exe
File created	C:\Windows\SysWOW64\Nhjpkq32.dll	Pkojoghl.exe
File opened for modification	C:\Windows\SysWOW64\Aicfgn32.exe	Aiqjao32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfebmia.exe	Bobleeef.exe
File created	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bmjekahk.exe
File opened for modification	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bmjekahk.exe
File opened for modification	C:\Windows\SysWOW64\Qfkgdd32.exe	Pkojoghl.exe
File opened for modification	C:\Windows\SysWOW64\Aljmbknm.exe	Qfkgdd32.exe
File created	C:\Windows\SysWOW64\Lpqafeln.dll	Bobleeef.exe
File created	C:\Windows\SysWOW64\Ggqbii32.dll	Celpqbon.exe
File created	C:\Windows\SysWOW64\Pajeanhf.exe	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
File opened for modification	C:\Windows\SysWOW64\Almihjlj.exe	Aljmbknm.exe
File opened for modification	C:\Windows\SysWOW64\Aiqjao32.exe	Almihjlj.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Ccpqjfnh.exe
File created	C:\Windows\SysWOW64\Aicfgn32.exe	Aiqjao32.exe
File created	C:\Windows\SysWOW64\Bobleeef.exe	Aicfgn32.exe
File opened for modification	C:\Windows\SysWOW64\Bobleeef.exe	Aicfgn32.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pajeanhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aljmbknm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdfjfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celpqbon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicfgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccpqjfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfebmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjekahk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobleeef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bopknhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkojoghl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkgdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Almihjlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiqjao32.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhanokh.dll"	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdkki32.dll"	Qfkgdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lflppehm.dll"	Aljmbknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdgfnh32.dll"	Almihjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkojoghl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll"	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfapgnji.dll"	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmpgan32.dll"	Pajeanhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkojoghl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Celpqbon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfkgdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aljmbknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aljmbknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Almihjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aicfgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjbcnmen.dll"	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjpkq32.dll"	Pkojoghl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bobleeef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbiphidl.dll"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Ccpqjfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pajeanhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmecge32.dll"	Aiqjao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bobleeef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bopknhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Celpqbon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Almihjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpqafeln.dll"	Bobleeef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamnbhdj.dll"	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pajeanhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfkgdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccpqjfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aiqjao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqbii32.dll"	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccpqjfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aiqjao32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 1396	564	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe	30
PID 564 wrote to memory of 1396	564	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe	30
PID 564 wrote to memory of 1396	564	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe	30
PID 564 wrote to memory of 1396	564	f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe	30
PID 1396 wrote to memory of 2920	1396	Pajeanhf.exe	31
PID 1396 wrote to memory of 2920	1396	Pajeanhf.exe	31
PID 1396 wrote to memory of 2920	1396	Pajeanhf.exe	31
PID 1396 wrote to memory of 2920	1396	Pajeanhf.exe	31
PID 2920 wrote to memory of 2328	2920	Pkojoghl.exe	32
PID 2920 wrote to memory of 2328	2920	Pkojoghl.exe	32
PID 2920 wrote to memory of 2328	2920	Pkojoghl.exe	32
PID 2920 wrote to memory of 2328	2920	Pkojoghl.exe	32
PID 2328 wrote to memory of 1752	2328	Qfkgdd32.exe	33
PID 2328 wrote to memory of 1752	2328	Qfkgdd32.exe	33
PID 2328 wrote to memory of 1752	2328	Qfkgdd32.exe	33
PID 2328 wrote to memory of 1752	2328	Qfkgdd32.exe	33
PID 1752 wrote to memory of 2692	1752	Aljmbknm.exe	34
PID 1752 wrote to memory of 2692	1752	Aljmbknm.exe	34
PID 1752 wrote to memory of 2692	1752	Aljmbknm.exe	34
PID 1752 wrote to memory of 2692	1752	Aljmbknm.exe	34
PID 2692 wrote to memory of 2728	2692	Almihjlj.exe	35
PID 2692 wrote to memory of 2728	2692	Almihjlj.exe	35
PID 2692 wrote to memory of 2728	2692	Almihjlj.exe	35
PID 2692 wrote to memory of 2728	2692	Almihjlj.exe	35
PID 2728 wrote to memory of 2624	2728	Aiqjao32.exe	36
PID 2728 wrote to memory of 2624	2728	Aiqjao32.exe	36
PID 2728 wrote to memory of 2624	2728	Aiqjao32.exe	36
PID 2728 wrote to memory of 2624	2728	Aiqjao32.exe	36
PID 2624 wrote to memory of 2940	2624	Aicfgn32.exe	37
PID 2624 wrote to memory of 2940	2624	Aicfgn32.exe	37
PID 2624 wrote to memory of 2940	2624	Aicfgn32.exe	37
PID 2624 wrote to memory of 2940	2624	Aicfgn32.exe	37
PID 2940 wrote to memory of 3008	2940	Bobleeef.exe	38
PID 2940 wrote to memory of 3008	2940	Bobleeef.exe	38
PID 2940 wrote to memory of 3008	2940	Bobleeef.exe	38
PID 2940 wrote to memory of 3008	2940	Bobleeef.exe	38
PID 3008 wrote to memory of 2344	3008	Bpfebmia.exe	39
PID 3008 wrote to memory of 2344	3008	Bpfebmia.exe	39
PID 3008 wrote to memory of 2344	3008	Bpfebmia.exe	39
PID 3008 wrote to memory of 2344	3008	Bpfebmia.exe	39
PID 2344 wrote to memory of 2196	2344	Bmjekahk.exe	40
PID 2344 wrote to memory of 2196	2344	Bmjekahk.exe	40
PID 2344 wrote to memory of 2196	2344	Bmjekahk.exe	40
PID 2344 wrote to memory of 2196	2344	Bmjekahk.exe	40
PID 2196 wrote to memory of 780	2196	Bgdfjfmi.exe	41
PID 2196 wrote to memory of 780	2196	Bgdfjfmi.exe	41
PID 2196 wrote to memory of 780	2196	Bgdfjfmi.exe	41
PID 2196 wrote to memory of 780	2196	Bgdfjfmi.exe	41
PID 780 wrote to memory of 2368	780	Bopknhjd.exe	42
PID 780 wrote to memory of 2368	780	Bopknhjd.exe	42
PID 780 wrote to memory of 2368	780	Bopknhjd.exe	42
PID 780 wrote to memory of 2368	780	Bopknhjd.exe	42
PID 2368 wrote to memory of 1944	2368	Celpqbon.exe	43
PID 2368 wrote to memory of 1944	2368	Celpqbon.exe	43
PID 2368 wrote to memory of 1944	2368	Celpqbon.exe	43
PID 2368 wrote to memory of 1944	2368	Celpqbon.exe	43
PID 1944 wrote to memory of 1624	1944	Ccpqjfnh.exe	44
PID 1944 wrote to memory of 1624	1944	Ccpqjfnh.exe	44
PID 1944 wrote to memory of 1624	1944	Ccpqjfnh.exe	44
PID 1944 wrote to memory of 1624	1944	Ccpqjfnh.exe	44

C:\Users\Admin\AppData\Local\Temp\f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
"C:\Users\Admin\AppData\Local\Temp\f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\SysWOW64\Pajeanhf.exe
  C:\Windows\system32\Pajeanhf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\Pkojoghl.exe
    C:\Windows\system32\Pkojoghl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\Qfkgdd32.exe
      C:\Windows\system32\Qfkgdd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\SysWOW64\Aljmbknm.exe
        
        C:\Windows\system32\Aljmbknm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\Almihjlj.exe
        
        C:\Windows\system32\Almihjlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Aiqjao32.exe
        
        C:\Windows\system32\Aiqjao32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Aicfgn32.exe
        
        C:\Windows\system32\Aicfgn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Bobleeef.exe
        
        C:\Windows\system32\Bobleeef.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Bpfebmia.exe
        
        C:\Windows\system32\Bpfebmia.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Bmjekahk.exe
        
        C:\Windows\system32\Bmjekahk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Bgdfjfmi.exe
        
        C:\Windows\system32\Bgdfjfmi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Bopknhjd.exe
        
        C:\Windows\system32\Bopknhjd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Celpqbon.exe
        
        C:\Windows\system32\Celpqbon.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Ccpqjfnh.exe
        
        C:\Windows\system32\Ccpqjfnh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lflppehm.dll

Filesize
7KB

MD5
d785f049b99cd8cfbcc524bd642cdeac

SHA1
03977f2f68678cd1320bed187c81fa22420f808d

SHA256
3602ea8b740e2d836541ce5748d72db04f55570cc1c756b6270bdd1c86e51b67

SHA512
2890a3e0ef76c9056dd1e42335e6b99ffffcbc4ad60f1add4700bc3f1f48688d111668f0de66658e07f33b33030a7b4a95cdbfa0334e019bb1fdb7953723a568

Download Submit
C:\Windows\SysWOW64\Pkojoghl.exe

Filesize
105KB

MD5
6cc098306e807a468eea1a8829778ab1

SHA1
850a7f786c33beea6b898505574ea912ffe7d432

SHA256
fcceb1213e7cdef48ab731d129eb1ef54ab0a8ce1d0b7417c206257c5c81fe2b

SHA512
9cc08fe5650079626be47368e5ee9e00b8c0cc40343c4224ddeaa0e02ba9668250a1390fc098824fcb9b252a1790650a482a2332b94e5d466ddcbbf1bcf20eca

Download Submit
\Windows\SysWOW64\Aicfgn32.exe

Filesize
105KB

MD5
8f245cf6bd2463669e70d2bec93811f7

SHA1
78db3773d93496b21bf98275a7ac2de215a5fb0a

SHA256
2694a98db17143b3656c13a80d23c03a057da6027da9d55f9fdd38c4f4a83dc2

SHA512
8f5c044cb096245ce65b0f213304ac0def0a6d3a88e77ad3ced9d3b262743cffcdb050552b12fd3189c83c68d912e90465647ae309a6c02eb4b06ae68e5934db

Download Submit
\Windows\SysWOW64\Aiqjao32.exe

Filesize
105KB

MD5
540677418dc5706af7fc304e770ff859

SHA1
41f625749a7db4ab8454ae2450eb92bdf28e776a

SHA256
b506d60d17e0c27425f561f03f2bcaaed8b10fca84e7e825c9cfb9363adfe3a8

SHA512
fc382e097822033dac1ebc51d045875e35e8d3bd208d5f672d0795335a8db5825bfdd25f9f3fcebe651079f2d257bc86723a674118a98ed941454a2dbb37c4ae

Download Submit
\Windows\SysWOW64\Aljmbknm.exe

Filesize
105KB

MD5
26d7ba2ff694ccfbb677091377151aa5

SHA1
c8c3497bd214c329c0695e7cf6e17402e05658d5

SHA256
2306d1d31a2d7e954dbb47b48d762a4f257af156a426b976305609fad56db2ca

SHA512
d2fdc52af551d6d0cd5e7516bd69c32964348cbed5ad00b4ce4e77a0950d1322fdc35e4a2901f5264892dca6cb2fa2dd70b7adbaa58943bbfbbb46ce07aa4f7e

Download Submit
\Windows\SysWOW64\Almihjlj.exe

Filesize
105KB

MD5
9992aec74587ee22e1640ddcfe6cd5cd

SHA1
98f208ee549d53ad006e7a26f73661a3e3ad1a92

SHA256
b2b18ea7c293c66b314c89f339528c9f45ddddb321dc742e9830be2ddf7df7a4

SHA512
d39ace144266f294576c4ea001f547b745ac3ee96a4a1d40f898816668f69aa36450ac3b9b37e491bf4c32c8919140e51e73aad99036f1ce2603eda24ce7e8b4

Download Submit
\Windows\SysWOW64\Bgdfjfmi.exe

Filesize
105KB

MD5
64a9d2fb4e57f147e78e06c490c6754f

SHA1
384d0303963e634d358998dc9a636ee455fa1443

SHA256
2aa6340e78c7d68d1acc89ba78ecb228d7b92f9edd1f47746e42a43b449ae864

SHA512
dc8b37e48d742979b4957bfed0e7f4149c163190a281638f9c0434137b4d66ae17261acf3d19b898e3545808997a6b78db0218cd3295622531bc9e9493972c0d

Download Submit
\Windows\SysWOW64\Bmjekahk.exe

Filesize
105KB

MD5
50f90eb19fff9902d2798f46f15e0821

SHA1
8ca4bb7e008c77955d50149517920b2fc2e02fde

SHA256
fc68893b137c1e5e35d8a892a45c361f52973409d1c8f1834390e824369000b8

SHA512
a0a6535a69dfe9e0f6cbd0228e388f57dde9e8ee03b52c125a4573864773b16afbb11038f54fcd77e86c002f1a4c67592e61ccd0747fb30909de4a54b6c0d9b5

Download Submit
\Windows\SysWOW64\Bobleeef.exe

Filesize
105KB

MD5
aa84fac0c1ab4b9321de1b4687924054

SHA1
fa6173788cea17eca55b8761d7be0aa4e0c31da5

SHA256
74e6a3cb5a8fe274ebd22e7dcb5e82a08544b18fa74eb0f9d6b157f98511bf63

SHA512
69aa6f204caf122eed55a8d9b908d471f18edf4cfeacfca397f6c0c20b1ad4b22214678a0f46b2d93bb8be3a78f202a8669418fb8f5e9fb75eab8b2d47e6307a

Download Submit
\Windows\SysWOW64\Bopknhjd.exe

Filesize
105KB

MD5
ed76dd61968bb9da0678f96e3766c7b2

SHA1
2cf18239256d7e8ffcf1399ebd564be40b1b5bcd

SHA256
a2a6bb7cba8bb07bc51186043d108319d153ba8074cf670c909cad617e2b662c

SHA512
49375cc63cd5c8f3ad311c9c7ef1506874e4bc5ca21a1f6f69c81610d418dca41958bbf9f99700899e46d8a7f25b8b4b06f99bc853f7a1d1826d5b45ef03943b

Download Submit
\Windows\SysWOW64\Bpfebmia.exe

Filesize
105KB

MD5
fc9883c92ebf7650e3985034d9914e37

SHA1
6d528edeac4d9dd72dc2503429066dea8e764250

SHA256
1de7eec410ed63c18e7f9f6281b7b4be0d0a2da9e9f70a33f191e96cc573a9f5

SHA512
41e967816c878825d524b411e302644ae7b03bf1375acd012ea6ae9411eeb1e6ea02cad885ae84e98b657d424916baa025326432c924107e7d9e144c7e143a6d

Download Submit
\Windows\SysWOW64\Ccpqjfnh.exe

Filesize
105KB

MD5
1d7ddfdc74b02c8eacf0edc4b2745330

SHA1
0ee61ac2ad735f09ed59b6794450cbcaab38884b

SHA256
37d2f693d5a7090b16b6ec626c2168f3cdf84454f36382c5d5711a07b604c609

SHA512
2925c4d50bfd32ba3838f6da6657d33c6c50d12b14e4a88442483ecf10f8c345dc5e4e626e4ddb4344db4621eb2f72745366251a7e188bdfda507b66d6b64265

Download Submit
\Windows\SysWOW64\Celpqbon.exe

Filesize
105KB

MD5
5d0bac4f544650f6735b390f1e1b5802

SHA1
e0dd4ae696679b06d87ffd33bf524234d86aa714

SHA256
dab1bf8d234d2ca9d82991b0172de47b938b72b9f1ad378bb5f346b82ad0dfe6

SHA512
bcb2bc487fd494d3173f9fe346bb8e7ab520d8d9c5b1346c9fd01c08378236fc4a5b6ec7bdccca87f3022be10422ed05fee4cb2538428293db0e95d6152d4727

Download Submit
\Windows\SysWOW64\Coindgbi.exe

Filesize
105KB

MD5
c830ae8df2d258fc92ce7d65ad161059

SHA1
5d391afab0012a7ef0dcb6ee04f818cc87a7e521

SHA256
2653d5101cf0faf61173d587b3f231b18cf195bc372141161a68ef00f801af87

SHA512
91a13f8d06db386bdea8cf9cd9559b71ee99121960d59e43a34491e5fac1ca13de9d250bce383ea3ab470f3f62f96015a68913ef102dd0c9f5861861d421a8f2

Download Submit
\Windows\SysWOW64\Pajeanhf.exe

Filesize
105KB

MD5
0a6c9be418b512f7057cd20a2e54a2c0

SHA1
fcec6ebb37da6cd80416395597da3ca7a3cbb143

SHA256
4e6cf3c0d7368ffd87daa81c09cb3f9986606813d5c25bd13af9e42d406e86e0

SHA512
51bac23a3476e0ce10f249f0c54d0f5f1162ba3808501c2d75c64d3aa58b7ca2223a17987868fe0f9fc2fe83f90d43093147c51a4217d70b8667890401df3d6f

Download Submit
\Windows\SysWOW64\Qfkgdd32.exe

Filesize
105KB

MD5
fb81bb14efed4654be9a4418d72d82f6

SHA1
2702df2d7447ed6aec7b966808e90c539b20e8e3

SHA256
62edcea15a2d522f7b1ecf18d0f4acc66988826e6410e8035edb041c5b135e2e

SHA512
6218b4e460386d93d76dbb1e8e9a7381b3ca5525a44eb49cfb0d1b9e2730d9138aa2b90c9bac58e98e3b2ddb4ea8c33478cb9aa3ab62c77682797e78a6e89edc

Download Submit
memory/564-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/564-12-0x00000000003A0000-0x00000000003DF000-memory.dmp

Filesize
252KB

Download
memory/564-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/564-11-0x00000000003A0000-0x00000000003DF000-memory.dmp

Filesize
252KB

Download
memory/780-209-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/780-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/780-165-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/1396-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1396-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1752-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1752-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1944-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2196-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2196-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2344-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2344-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2368-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2368-181-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2624-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2624-99-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2692-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2692-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-86-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2728-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-35-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2920-27-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2940-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads