berbew | 51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e

Analysis

max time kernel
111s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
Size

265KB
MD5

204fba344b628199594fa0224838cd7f
SHA1

33549db449f828a8fb2a8c7e0c804dd816f4d957
SHA256

51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e
SHA512

e157d9f0282e7199bf06fe2f5bf25cee6e634d82d48a8cbece84ffae96a84217dee84e059670c507b766678c6d393322acb33b7d82de04edf6f9cb15cd416c89
SSDEEP

6144:9RI/M4HCnIJI0IGFM6234lKm3pT11Tgkz1581hWh:9KEU5PFB24lzx1skz15Lh

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cggcofkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccpqjfnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggcofkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bodhjdcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baealp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnofp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clfhml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccpqjfnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bodhjdcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhmmcjjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmnofp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clfhml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baealp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciglaa32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 15 IoCs

pid	Process
576	Admgglep.exe
2964	Baqhapdj.exe
2044	Bodhjdcc.exe
3068	Bhmmcjjd.exe
2820	Baealp32.exe
2828	Bknfeege.exe
3052	Bdfjnkne.exe
2464	Bmnofp32.exe
2212	Cggcofkf.exe
2204	Clclhmin.exe
2136	Ciglaa32.exe
1848	Clfhml32.exe
1728	Ccpqjfnh.exe
2348	Chmibmlo.exe
2416	Coindgbi.exe

Loads dropped DLL 30 IoCs

pid	Process
1172	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
1172	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
576	Admgglep.exe
576	Admgglep.exe
2964	Baqhapdj.exe
2964	Baqhapdj.exe
2044	Bodhjdcc.exe
2044	Bodhjdcc.exe
3068	Bhmmcjjd.exe
3068	Bhmmcjjd.exe
2820	Baealp32.exe
2820	Baealp32.exe
2828	Bknfeege.exe
2828	Bknfeege.exe
3052	Bdfjnkne.exe
3052	Bdfjnkne.exe
2464	Bmnofp32.exe
2464	Bmnofp32.exe
2212	Cggcofkf.exe
2212	Cggcofkf.exe
2204	Clclhmin.exe
2204	Clclhmin.exe
2136	Ciglaa32.exe
2136	Ciglaa32.exe
1848	Clfhml32.exe
1848	Clfhml32.exe
1728	Ccpqjfnh.exe
1728	Ccpqjfnh.exe
2348	Chmibmlo.exe
2348	Chmibmlo.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmnofp32.exe	Bdfjnkne.exe
File opened for modification	C:\Windows\SysWOW64\Clfhml32.exe	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Chmibmlo.exe	Ccpqjfnh.exe
File created	C:\Windows\SysWOW64\Jggdmb32.dll	Bknfeege.exe
File created	C:\Windows\SysWOW64\Peapkpkj.dll	Bmnofp32.exe
File opened for modification	C:\Windows\SysWOW64\Clclhmin.exe	Cggcofkf.exe
File created	C:\Windows\SysWOW64\Ggqbii32.dll	Clfhml32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfjnkne.exe	Bknfeege.exe
File created	C:\Windows\SysWOW64\Dhhdmc32.dll	Cggcofkf.exe
File opened for modification	C:\Windows\SysWOW64\Ciglaa32.exe	Clclhmin.exe
File opened for modification	C:\Windows\SysWOW64\Ccpqjfnh.exe	Clfhml32.exe
File created	C:\Windows\SysWOW64\Eobohl32.dll	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
File created	C:\Windows\SysWOW64\Baqhapdj.exe	Admgglep.exe
File opened for modification	C:\Windows\SysWOW64\Baqhapdj.exe	Admgglep.exe
File opened for modification	C:\Windows\SysWOW64\Bknfeege.exe	Baealp32.exe
File opened for modification	C:\Windows\SysWOW64\Chmibmlo.exe	Ccpqjfnh.exe
File created	C:\Windows\SysWOW64\Admgglep.exe	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
File opened for modification	C:\Windows\SysWOW64\Admgglep.exe	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
File created	C:\Windows\SysWOW64\Anfdhfiq.dll	Admgglep.exe
File created	C:\Windows\SysWOW64\Mjhdbb32.dll	Bhmmcjjd.exe
File created	C:\Windows\SysWOW64\Edalmn32.dll	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Cggcofkf.exe	Bmnofp32.exe
File opened for modification	C:\Windows\SysWOW64\Cggcofkf.exe	Bmnofp32.exe
File opened for modification	C:\Windows\SysWOW64\Bodhjdcc.exe	Baqhapdj.exe
File created	C:\Windows\SysWOW64\Acdlnnal.dll	Baqhapdj.exe
File created	C:\Windows\SysWOW64\Baealp32.exe	Bhmmcjjd.exe
File opened for modification	C:\Windows\SysWOW64\Baealp32.exe	Bhmmcjjd.exe
File created	C:\Windows\SysWOW64\Clclhmin.exe	Cggcofkf.exe
File created	C:\Windows\SysWOW64\Hjlkkhne.dll	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Ciglaa32.exe	Clclhmin.exe
File created	C:\Windows\SysWOW64\Clfhml32.exe	Ciglaa32.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Bodhjdcc.exe	Baqhapdj.exe
File opened for modification	C:\Windows\SysWOW64\Bhmmcjjd.exe	Bodhjdcc.exe
File created	C:\Windows\SysWOW64\Aohiimmp.dll	Bodhjdcc.exe
File opened for modification	C:\Windows\SysWOW64\Bmnofp32.exe	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Idcnlffk.dll	Baealp32.exe
File created	C:\Windows\SysWOW64\Bdfjnkne.exe	Bknfeege.exe
File created	C:\Windows\SysWOW64\Ccpqjfnh.exe	Clfhml32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Bhmmcjjd.exe	Bodhjdcc.exe
File created	C:\Windows\SysWOW64\Bknfeege.exe	Baealp32.exe
File created	C:\Windows\SysWOW64\Mokegi32.dll	Clclhmin.exe
File created	C:\Windows\SysWOW64\Mpgoaiep.dll	Ccpqjfnh.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccpqjfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admgglep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggcofkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clfhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baqhapdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clclhmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciglaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmmcjjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baealp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnofp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmibmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bodhjdcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknfeege.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfjnkne.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll"	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlkkhne.dll"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdlnnal.dll"	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bknfeege.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdfjnkne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqbii32.dll"	Clfhml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhdbb32.dll"	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll"	Ccpqjfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edalmn32.dll"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccpqjfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobohl32.dll"	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Admgglep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bodhjdcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcnlffk.dll"	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clclhmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccpqjfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bodhjdcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baealp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bknfeege.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll"	Clclhmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clfhml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfdhfiq.dll"	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohiimmp.dll"	Bodhjdcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggdmb32.dll"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peapkpkj.dll"	Bmnofp32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 576	1172	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe	30
PID 1172 wrote to memory of 576	1172	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe	30
PID 1172 wrote to memory of 576	1172	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe	30
PID 1172 wrote to memory of 576	1172	51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe	30
PID 576 wrote to memory of 2964	576	Admgglep.exe	31
PID 576 wrote to memory of 2964	576	Admgglep.exe	31
PID 576 wrote to memory of 2964	576	Admgglep.exe	31
PID 576 wrote to memory of 2964	576	Admgglep.exe	31
PID 2964 wrote to memory of 2044	2964	Baqhapdj.exe	32
PID 2964 wrote to memory of 2044	2964	Baqhapdj.exe	32
PID 2964 wrote to memory of 2044	2964	Baqhapdj.exe	32
PID 2964 wrote to memory of 2044	2964	Baqhapdj.exe	32
PID 2044 wrote to memory of 3068	2044	Bodhjdcc.exe	33
PID 2044 wrote to memory of 3068	2044	Bodhjdcc.exe	33
PID 2044 wrote to memory of 3068	2044	Bodhjdcc.exe	33
PID 2044 wrote to memory of 3068	2044	Bodhjdcc.exe	33
PID 3068 wrote to memory of 2820	3068	Bhmmcjjd.exe	34
PID 3068 wrote to memory of 2820	3068	Bhmmcjjd.exe	34
PID 3068 wrote to memory of 2820	3068	Bhmmcjjd.exe	34
PID 3068 wrote to memory of 2820	3068	Bhmmcjjd.exe	34
PID 2820 wrote to memory of 2828	2820	Baealp32.exe	35
PID 2820 wrote to memory of 2828	2820	Baealp32.exe	35
PID 2820 wrote to memory of 2828	2820	Baealp32.exe	35
PID 2820 wrote to memory of 2828	2820	Baealp32.exe	35
PID 2828 wrote to memory of 3052	2828	Bknfeege.exe	36
PID 2828 wrote to memory of 3052	2828	Bknfeege.exe	36
PID 2828 wrote to memory of 3052	2828	Bknfeege.exe	36
PID 2828 wrote to memory of 3052	2828	Bknfeege.exe	36
PID 3052 wrote to memory of 2464	3052	Bdfjnkne.exe	37
PID 3052 wrote to memory of 2464	3052	Bdfjnkne.exe	37
PID 3052 wrote to memory of 2464	3052	Bdfjnkne.exe	37
PID 3052 wrote to memory of 2464	3052	Bdfjnkne.exe	37
PID 2464 wrote to memory of 2212	2464	Bmnofp32.exe	38
PID 2464 wrote to memory of 2212	2464	Bmnofp32.exe	38
PID 2464 wrote to memory of 2212	2464	Bmnofp32.exe	38
PID 2464 wrote to memory of 2212	2464	Bmnofp32.exe	38
PID 2212 wrote to memory of 2204	2212	Cggcofkf.exe	39
PID 2212 wrote to memory of 2204	2212	Cggcofkf.exe	39
PID 2212 wrote to memory of 2204	2212	Cggcofkf.exe	39
PID 2212 wrote to memory of 2204	2212	Cggcofkf.exe	39
PID 2204 wrote to memory of 2136	2204	Clclhmin.exe	40
PID 2204 wrote to memory of 2136	2204	Clclhmin.exe	40
PID 2204 wrote to memory of 2136	2204	Clclhmin.exe	40
PID 2204 wrote to memory of 2136	2204	Clclhmin.exe	40
PID 2136 wrote to memory of 1848	2136	Ciglaa32.exe	41
PID 2136 wrote to memory of 1848	2136	Ciglaa32.exe	41
PID 2136 wrote to memory of 1848	2136	Ciglaa32.exe	41
PID 2136 wrote to memory of 1848	2136	Ciglaa32.exe	41
PID 1848 wrote to memory of 1728	1848	Clfhml32.exe	42
PID 1848 wrote to memory of 1728	1848	Clfhml32.exe	42
PID 1848 wrote to memory of 1728	1848	Clfhml32.exe	42
PID 1848 wrote to memory of 1728	1848	Clfhml32.exe	42
PID 1728 wrote to memory of 2348	1728	Ccpqjfnh.exe	43
PID 1728 wrote to memory of 2348	1728	Ccpqjfnh.exe	43
PID 1728 wrote to memory of 2348	1728	Ccpqjfnh.exe	43
PID 1728 wrote to memory of 2348	1728	Ccpqjfnh.exe	43
PID 2348 wrote to memory of 2416	2348	Chmibmlo.exe	44
PID 2348 wrote to memory of 2416	2348	Chmibmlo.exe	44
PID 2348 wrote to memory of 2416	2348	Chmibmlo.exe	44
PID 2348 wrote to memory of 2416	2348	Chmibmlo.exe	44

C:\Users\Admin\AppData\Local\Temp\51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe
"C:\Users\Admin\AppData\Local\Temp\51e5bf355cc3747dd9b00c20be975298d6acc8354a7f11a4676d44b2c9850e0e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SysWOW64\Admgglep.exe
  C:\Windows\system32\Admgglep.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\Baqhapdj.exe
    C:\Windows\system32\Baqhapdj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\Bodhjdcc.exe
      C:\Windows\system32\Bodhjdcc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\SysWOW64\Bhmmcjjd.exe
        
        C:\Windows\system32\Bhmmcjjd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\Baealp32.exe
        
        C:\Windows\system32\Baealp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Bknfeege.exe
        
        C:\Windows\system32\Bknfeege.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Bdfjnkne.exe
        
        C:\Windows\system32\Bdfjnkne.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Bmnofp32.exe
        
        C:\Windows\system32\Bmnofp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Cggcofkf.exe
        
        C:\Windows\system32\Cggcofkf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Clclhmin.exe
        
        C:\Windows\system32\Clclhmin.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Ciglaa32.exe
        
        C:\Windows\system32\Ciglaa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Clfhml32.exe
        
        C:\Windows\system32\Clfhml32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Ccpqjfnh.exe
        
        C:\Windows\system32\Ccpqjfnh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Chmibmlo.exe
        
        C:\Windows\system32\Chmibmlo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baqhapdj.exe

Filesize
265KB

MD5
8c94e6672f4df9b3c6be73592b6a6e56

SHA1
929a36dbed3419a11d4e99719989dd5f64ecd6b4

SHA256
e242061a17ee06582a726198c33fc730dab9e270c59c32d9491ab7d7fefc34f0

SHA512
93937cb23ab524abf26c8fa17a785eb6249fc0aedeed91245f67b672a7ab5bcac7985a0250ef5b2385f8d30f819923cfd8f1c6f0b60496df6b701b4c0f38f3ce

Download Submit
C:\Windows\SysWOW64\Bknfeege.exe

Filesize
265KB

MD5
c9ba27794582910cf14de6d973e5a089

SHA1
8204c2e2365fc581f418981befb5ec2439704f64

SHA256
cbedf1e53e2dcd8def0199cafcc4730ae90cf9a76c5b711491ab4a4c9ed5781c

SHA512
959d4c29a2c5e699b0f534433c39579a08ac35842027ef2953e4e748c7cbb058885fae853b872fbab7cf74e93065f279b654919a99b60724bc2bdad63dadb090

Download Submit
C:\Windows\SysWOW64\Bmnofp32.exe

Filesize
265KB

MD5
8d5632807102572341311863bc36cd0d

SHA1
0730b7533183c3fd1071b5e0f74b275d02e97ce2

SHA256
f9653e6f95f97bc170c3a802262b59ecb1b30358bc8a565e44c46628bd8317e3

SHA512
d723192694a943e5a3b7ea76bc8cd0078d65a0030f7640e645928183f8d14c3df08304bbeb442b984e0f63d1109a84ed168648d5c359f7ee1fefd8d9d9e663f7

Download Submit
C:\Windows\SysWOW64\Clfhml32.exe

Filesize
265KB

MD5
54b4684d2367ef29ea3246dd9e2fd321

SHA1
b0125e0085135ecf5702c4cec5a1f989fd7a0acf

SHA256
4d4b3d0ab5ee792cd2b03b40ad9a529bc1edf7e8771597520e416ec243499c48

SHA512
22a7be765898b0c16dada466d9bff4465df8d2daa76c0f7826de1d60c529b1b3540fd5f15e3cbaa1704eba63fa9c03bca3c9367f13150f4ad2b26a04518424aa

Download Submit
C:\Windows\SysWOW64\Mjhdbb32.dll

Filesize
7KB

MD5
b3d8be23e1beb40718463e765c52eb81

SHA1
bdc32d5ae1910c3b0988812eae728f28280844e0

SHA256
50effe17168bdedd1a0c725a060157a1130e227682204d5ffb379ea1f119647f

SHA512
bc4f3a2509193d7e4a14360638ac3bd1fc32b92a1469ce272a6fec568858e81a9c2832630bb4726880d198b7ea965d34b272c98d457e9d78c7a4e75fe251208c

Download Submit
\Windows\SysWOW64\Admgglep.exe

Filesize
265KB

MD5
c76871b09df331004fa45f04701101e4

SHA1
da2a5114200fb2569a99858f5332f4fcdcdec7e0

SHA256
c6edfc43eb7d8377f751a4f4a59c63b88ef3ce09a8007509e589d10a08026f81

SHA512
4fcd55ec279308be1d82107edf5cad5afe072099836eec230f7bcf508a26756bfb61e62450cac3cfb1cc5dd3351c1dfefaa6d58533fd16c917b91f9bbbae13c7

Download Submit
\Windows\SysWOW64\Baealp32.exe

Filesize
265KB

MD5
00628b53533a055aad1d9930bf946cb0

SHA1
4f638525e855aaac38fb63324d0f43a0067d9204

SHA256
e89ebe60f41b527aa8f5189aea3f4e9b9ac6219f56008f7218d70955cd74535f

SHA512
0e803006afcf6dfbd4f1395fc78fda599d94fb593394f26625625b8be740e2f03bf18e6917f8ebb9f682b67e4ee3dfabdb5ff364bdfe552c7cf15a865e47a346

Download Submit
\Windows\SysWOW64\Bdfjnkne.exe

Filesize
265KB

MD5
5defbf0227cb505ee8834092810884bb

SHA1
4cbda138381cad69a6c330c96aed913de8f9f945

SHA256
a107be1a6869d0ede51fddd1dd1e61fca3119536a485fd4fffd74736907fa6da

SHA512
3aa743a7af32e536768b3a8405bdc0398bf243b937c4d9077e0a20d4a8722238daff4906a44a5d47938a60200f23ba2fc1bd2b370615c82c8c1ee10fc5f7674c

Download Submit
\Windows\SysWOW64\Bhmmcjjd.exe

Filesize
265KB

MD5
af3e463b99dd8822271017775b2240fc

SHA1
92cff7b2b58f346f72ea73e345acf3975fac9c55

SHA256
4a7988756dc2e9a6ff8866bd67f9e6bffccd3c428bf5e2c982dfc954557811f8

SHA512
f1a7a86059a9c5d9aaaf58f57f076a50055cb301bfad6ce03502e2b79f7f7ae678c75fd677895067aaeca8d3f955b02ec207aab12023f353f030900e4cb18692

Download Submit
\Windows\SysWOW64\Bodhjdcc.exe

Filesize
265KB

MD5
9f9b8e9ad514d89566e73f46cc014595

SHA1
7138cd3caf4900f638655136875f03576fb0c617

SHA256
91111d3aaba6643e91e41723c6d14669c5b13fb9a29ad00aa8372b4e4b3e2c4d

SHA512
f222bd6c31cde047a9494bb4d10f481acb1abbcb12dd4eb98c160919d36cf2a32d0d27392b7093b76886ac6e7989145c839300da5d589b585258fe0731b15943

Download Submit
\Windows\SysWOW64\Ccpqjfnh.exe

Filesize
265KB

MD5
4e5484daa34ccf44c7ef99b0b2459eaa

SHA1
0c05e7fcea528ca6a337f5baa83f9894e48f0ee2

SHA256
76a3de6547654a8ccb8c5654343355a6ca9652c92cf6106486d83eb0af8e234e

SHA512
7973bad8bea68d906a8be704201269525196ce15336cf1a00dd44e543d459a02f0efecdbbdc38bd2afb3db9df17e0e145cbd218e6b64076c5fc61ef55593f333

Download Submit
\Windows\SysWOW64\Cggcofkf.exe

Filesize
265KB

MD5
478bae440e9d40ff488bb90fd894b7fb

SHA1
18f42558c1db2630784e2998810ca0af1cc84be5

SHA256
511739c1ca7475b96874ce94c3d5f4864dd6dadfa52857fc3ab63d2072f79358

SHA512
bd41be1b437421e86cd76d142920be56ca077aaf82c10e3b1ab509f37b1543ca0770652f5771fde73d1cda14197ef45cf827987c610475346c6f177dd3c899b1

Download Submit
\Windows\SysWOW64\Chmibmlo.exe

Filesize
265KB

MD5
640412a38e3e1cb7a4922188b0e76cda

SHA1
b76c44849550454b49da31b9420b2172c2bc878a

SHA256
0cf7ccb766c72532c79c76c7059a71d301f7940f1f1920517624d1320b36ff51

SHA512
64d5f1133d8988bfba963c777359f435dcde694322c358e997d051c02401308300eacc857ef7052633c40567cd5a460d20f9795a500541e100188175f8146ff7

Download Submit
\Windows\SysWOW64\Ciglaa32.exe

Filesize
265KB

MD5
26cd335820750b68cb74fece9e22698c

SHA1
17938db60c14e89d0b9badbb9dc04ff264e294b0

SHA256
a75ef5562ad7555de19afd2372d957dc4bac7d8e6590a1dc52f1985af5ad7cc1

SHA512
b65bc8f4878bbd600dfaa9614cf5d4d3f2fb237f83807480534a324eef7313b1bb1bdab311f095e16984268529a5c186aa9437ed7eec360053e866899cc8be13

Download Submit
\Windows\SysWOW64\Clclhmin.exe

Filesize
265KB

MD5
62194aaf1e5acc26871173ccfdac18fe

SHA1
88929e097cc9d5ba395586b4be7eea464107bc7e

SHA256
e7b59b780e8de00387cbcc87a781505efa48558eb62f80fab9cf5c74d495762c

SHA512
c657107473abd9bf14592bb70ab5c71e2474106b72a99f4139e57987684e009755954c0019c2896ea398ddb13d2ea882cba964963ac514ebea71481acb73b90e

Download Submit
\Windows\SysWOW64\Coindgbi.exe

Filesize
265KB

MD5
842ba707035cf4591462836eb35adca9

SHA1
f61b22f7ef08c99fa4e6e6bb467ebc9edb3af475

SHA256
a2fdc7f48b0c6986b9c80818cd52b497e353209e826e3d227bca41f3881e4ac4

SHA512
9095c621003af8e5e1cf6fc952fea81b5cc08b46c5419e9284a5b35ba5eea38436a387885e83ba996556db530140c033c84ab5c5f5c615f6715773e451853ebc

Download Submit
memory/576-26-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/576-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1172-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1172-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-192-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1728-187-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1728-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-172-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1848-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-177-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1848-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-162-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2136-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-148-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2204-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-134-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2212-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-202-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2348-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-116-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2464-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-80-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2820-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-89-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2828-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-35-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2964-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-107-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/3068-62-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/3068-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads