berbew | 19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fb

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
Size

1.9MB
MD5

16e47d838df06dca2825fa0068942ba0
SHA1

1ef295907695ecdb768201b7ea650c6a91343a45
SHA256

19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fb
SHA512

c19fa025334df3d32884362c47d32477b2a4a762420b29d6b9b6b1676371f9ecb0cfceb36d178581c10619a122baa071efc28a5aa6fee7a2def53c02f3dda27b
SSDEEP

24576:UrNIVyeNIVy2j5aaRLVtnX6ojNIVyeNIVy2jZNIVyeNIVy2j5aaRLVtnX6ojNIVi:UCyjAi6yjQyjAi6yjx

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpklkgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifmimch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmipdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aobpfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eifmimch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faonom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feddombd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgnokgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inmmbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmipdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aobpfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccbbachm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbjlhpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpklkgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccbbachm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbjlhpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feddombd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faonom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgnokgcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inmmbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfilffm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 16 IoCs

pid	Process
2368	Aobpfb32.exe
2716	Bfabnl32.exe
2168	Ccbbachm.exe
1680	Cbjlhpkb.exe
2536	Dpklkgoj.exe
2372	Eifmimch.exe
2060	Feddombd.exe
2588	Faonom32.exe
1992	Hgnokgcc.exe
544	Hifbdnbi.exe
1800	Inmmbc32.exe
1148	Jmipdo32.exe
1048	Jbfilffm.exe
2184	Kdnkdmec.exe
2112	Kablnadm.exe
2488	Lbjofi32.exe

Loads dropped DLL 37 IoCs

pid	Process
2020	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
2020	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
2368	Aobpfb32.exe
2368	Aobpfb32.exe
2716	Bfabnl32.exe
2716	Bfabnl32.exe
2168	Ccbbachm.exe
2168	Ccbbachm.exe
1680	Cbjlhpkb.exe
1680	Cbjlhpkb.exe
2536	Dpklkgoj.exe
2536	Dpklkgoj.exe
2372	Eifmimch.exe
2372	Eifmimch.exe
2060	Feddombd.exe
2060	Feddombd.exe
2588	Faonom32.exe
2588	Faonom32.exe
1992	Hgnokgcc.exe
1992	Hgnokgcc.exe
544	Hifbdnbi.exe
544	Hifbdnbi.exe
1800	Inmmbc32.exe
1800	Inmmbc32.exe
1148	Jmipdo32.exe
1148	Jmipdo32.exe
1048	Jbfilffm.exe
1048	Jbfilffm.exe
2184	Kdnkdmec.exe
2184	Kdnkdmec.exe
2112	Kablnadm.exe
2112	Kablnadm.exe
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ilalae32.dll	Eifmimch.exe
File created	C:\Windows\SysWOW64\Jbfilffm.exe	Jmipdo32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfilffm.exe	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Ojgfoglc.dll	Bfabnl32.exe
File created	C:\Windows\SysWOW64\Jmipdo32.exe	Inmmbc32.exe
File opened for modification	C:\Windows\SysWOW64\Jmipdo32.exe	Inmmbc32.exe
File created	C:\Windows\SysWOW64\Kdnkdmec.exe	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Aobpfb32.exe	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
File created	C:\Windows\SysWOW64\Abkeba32.dll	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
File opened for modification	C:\Windows\SysWOW64\Dpklkgoj.exe	Cbjlhpkb.exe
File created	C:\Windows\SysWOW64\Faphfl32.dll	Hifbdnbi.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnl32.exe	Aobpfb32.exe
File created	C:\Windows\SysWOW64\Caefkh32.dll	Cbjlhpkb.exe
File created	C:\Windows\SysWOW64\Eifmimch.exe	Dpklkgoj.exe
File opened for modification	C:\Windows\SysWOW64\Eifmimch.exe	Dpklkgoj.exe
File created	C:\Windows\SysWOW64\Hfenefej.dll	Dpklkgoj.exe
File opened for modification	C:\Windows\SysWOW64\Hifbdnbi.exe	Hgnokgcc.exe
File created	C:\Windows\SysWOW64\Ghcmae32.dll	Hgnokgcc.exe
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	Jbfilffm.exe
File opened for modification	C:\Windows\SysWOW64\Aobpfb32.exe	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
File created	C:\Windows\SysWOW64\Inmmbc32.exe	Hifbdnbi.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Pknbhi32.dll	Inmmbc32.exe
File created	C:\Windows\SysWOW64\Bfabnl32.exe	Aobpfb32.exe
File created	C:\Windows\SysWOW64\Ccbbachm.exe	Bfabnl32.exe
File opened for modification	C:\Windows\SysWOW64\Ccbbachm.exe	Bfabnl32.exe
File opened for modification	C:\Windows\SysWOW64\Cbjlhpkb.exe	Ccbbachm.exe
File opened for modification	C:\Windows\SysWOW64\Faonom32.exe	Feddombd.exe
File created	C:\Windows\SysWOW64\Hgnokgcc.exe	Faonom32.exe
File opened for modification	C:\Windows\SysWOW64\Inmmbc32.exe	Hifbdnbi.exe
File created	C:\Windows\SysWOW64\Ckmhkeef.dll	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Glgcpc32.dll	Aobpfb32.exe
File created	C:\Windows\SysWOW64\Dpklkgoj.exe	Cbjlhpkb.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	Jbfilffm.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Gckobc32.dll	Faonom32.exe
File created	C:\Windows\SysWOW64\Cbjlhpkb.exe	Ccbbachm.exe
File created	C:\Windows\SysWOW64\Lddblcik.dll	Ccbbachm.exe
File created	C:\Windows\SysWOW64\Feddombd.exe	Eifmimch.exe
File opened for modification	C:\Windows\SysWOW64\Feddombd.exe	Eifmimch.exe
File created	C:\Windows\SysWOW64\Faonom32.exe	Feddombd.exe
File created	C:\Windows\SysWOW64\Odifibfn.dll	Feddombd.exe
File opened for modification	C:\Windows\SysWOW64\Hgnokgcc.exe	Faonom32.exe
File created	C:\Windows\SysWOW64\Hifbdnbi.exe	Hgnokgcc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
936	2488	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccbbachm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feddombd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmipdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aobpfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjlhpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inmmbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifmimch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgnokgcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpklkgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faonom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifbdnbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbfilffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmhkeef.dll"	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccbbachm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpklkgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfenefej.dll"	Dpklkgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eifmimch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilalae32.dll"	Eifmimch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eifmimch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknbhi32.dll"	Inmmbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefkh32.dll"	Cbjlhpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpklkgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feddombd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbjlhpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifibfn.dll"	Feddombd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Faonom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcmae32.dll"	Hgnokgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbjlhpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faonom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgnokgcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgnokgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckobc32.dll"	Faonom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faphfl32.dll"	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inmmbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkeba32.dll"	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aobpfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgcpc32.dll"	Aobpfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lddblcik.dll"	Ccbbachm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Feddombd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmipdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aobpfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgfoglc.dll"	Bfabnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccbbachm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inmmbc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2368	2020	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe	30
PID 2020 wrote to memory of 2368	2020	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe	30
PID 2020 wrote to memory of 2368	2020	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe	30
PID 2020 wrote to memory of 2368	2020	19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe	30
PID 2368 wrote to memory of 2716	2368	Aobpfb32.exe	31
PID 2368 wrote to memory of 2716	2368	Aobpfb32.exe	31
PID 2368 wrote to memory of 2716	2368	Aobpfb32.exe	31
PID 2368 wrote to memory of 2716	2368	Aobpfb32.exe	31
PID 2716 wrote to memory of 2168	2716	Bfabnl32.exe	32
PID 2716 wrote to memory of 2168	2716	Bfabnl32.exe	32
PID 2716 wrote to memory of 2168	2716	Bfabnl32.exe	32
PID 2716 wrote to memory of 2168	2716	Bfabnl32.exe	32
PID 2168 wrote to memory of 1680	2168	Ccbbachm.exe	33
PID 2168 wrote to memory of 1680	2168	Ccbbachm.exe	33
PID 2168 wrote to memory of 1680	2168	Ccbbachm.exe	33
PID 2168 wrote to memory of 1680	2168	Ccbbachm.exe	33
PID 1680 wrote to memory of 2536	1680	Cbjlhpkb.exe	34
PID 1680 wrote to memory of 2536	1680	Cbjlhpkb.exe	34
PID 1680 wrote to memory of 2536	1680	Cbjlhpkb.exe	34
PID 1680 wrote to memory of 2536	1680	Cbjlhpkb.exe	34
PID 2536 wrote to memory of 2372	2536	Dpklkgoj.exe	35
PID 2536 wrote to memory of 2372	2536	Dpklkgoj.exe	35
PID 2536 wrote to memory of 2372	2536	Dpklkgoj.exe	35
PID 2536 wrote to memory of 2372	2536	Dpklkgoj.exe	35
PID 2372 wrote to memory of 2060	2372	Eifmimch.exe	36
PID 2372 wrote to memory of 2060	2372	Eifmimch.exe	36
PID 2372 wrote to memory of 2060	2372	Eifmimch.exe	36
PID 2372 wrote to memory of 2060	2372	Eifmimch.exe	36
PID 2060 wrote to memory of 2588	2060	Feddombd.exe	37
PID 2060 wrote to memory of 2588	2060	Feddombd.exe	37
PID 2060 wrote to memory of 2588	2060	Feddombd.exe	37
PID 2060 wrote to memory of 2588	2060	Feddombd.exe	37
PID 2588 wrote to memory of 1992	2588	Faonom32.exe	38
PID 2588 wrote to memory of 1992	2588	Faonom32.exe	38
PID 2588 wrote to memory of 1992	2588	Faonom32.exe	38
PID 2588 wrote to memory of 1992	2588	Faonom32.exe	38
PID 1992 wrote to memory of 544	1992	Hgnokgcc.exe	39
PID 1992 wrote to memory of 544	1992	Hgnokgcc.exe	39
PID 1992 wrote to memory of 544	1992	Hgnokgcc.exe	39
PID 1992 wrote to memory of 544	1992	Hgnokgcc.exe	39
PID 544 wrote to memory of 1800	544	Hifbdnbi.exe	40
PID 544 wrote to memory of 1800	544	Hifbdnbi.exe	40
PID 544 wrote to memory of 1800	544	Hifbdnbi.exe	40
PID 544 wrote to memory of 1800	544	Hifbdnbi.exe	40
PID 1800 wrote to memory of 1148	1800	Inmmbc32.exe	41
PID 1800 wrote to memory of 1148	1800	Inmmbc32.exe	41
PID 1800 wrote to memory of 1148	1800	Inmmbc32.exe	41
PID 1800 wrote to memory of 1148	1800	Inmmbc32.exe	41
PID 1148 wrote to memory of 1048	1148	Jmipdo32.exe	42
PID 1148 wrote to memory of 1048	1148	Jmipdo32.exe	42
PID 1148 wrote to memory of 1048	1148	Jmipdo32.exe	42
PID 1148 wrote to memory of 1048	1148	Jmipdo32.exe	42
PID 1048 wrote to memory of 2184	1048	Jbfilffm.exe	43
PID 1048 wrote to memory of 2184	1048	Jbfilffm.exe	43
PID 1048 wrote to memory of 2184	1048	Jbfilffm.exe	43
PID 1048 wrote to memory of 2184	1048	Jbfilffm.exe	43
PID 2184 wrote to memory of 2112	2184	Kdnkdmec.exe	44
PID 2184 wrote to memory of 2112	2184	Kdnkdmec.exe	44
PID 2184 wrote to memory of 2112	2184	Kdnkdmec.exe	44
PID 2184 wrote to memory of 2112	2184	Kdnkdmec.exe	44
PID 2112 wrote to memory of 2488	2112	Kablnadm.exe	45
PID 2112 wrote to memory of 2488	2112	Kablnadm.exe	45
PID 2112 wrote to memory of 2488	2112	Kablnadm.exe	45
PID 2112 wrote to memory of 2488	2112	Kablnadm.exe	45

C:\Users\Admin\AppData\Local\Temp\19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe
"C:\Users\Admin\AppData\Local\Temp\19b0517f8e184e09046f48b69b9922412cf914ee76c203b6ea357d947632f8fbN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\Aobpfb32.exe
  C:\Windows\system32\Aobpfb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\Bfabnl32.exe
    C:\Windows\system32\Bfabnl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\Ccbbachm.exe
      C:\Windows\system32\Ccbbachm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\SysWOW64\Cbjlhpkb.exe
        
        C:\Windows\system32\Cbjlhpkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\SysWOW64\Dpklkgoj.exe
        
        C:\Windows\system32\Dpklkgoj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Eifmimch.exe
        
        C:\Windows\system32\Eifmimch.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Feddombd.exe
        
        C:\Windows\system32\Feddombd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Faonom32.exe
        
        C:\Windows\system32\Faonom32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Hgnokgcc.exe
        
        C:\Windows\system32\Hgnokgcc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Hifbdnbi.exe
        
        C:\Windows\system32\Hifbdnbi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Inmmbc32.exe
        
        C:\Windows\system32\Inmmbc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Jmipdo32.exe
        
        C:\Windows\system32\Jmipdo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Jbfilffm.exe
        
        C:\Windows\system32\Jbfilffm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 140
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfabnl32.exe

Filesize
1.9MB

MD5
d216844a40c3ad761d724bbdc2b2362e

SHA1
798cc15c7169bfdb3a001a026587c27f22b77974

SHA256
ec2a96661f524a8b73188368858fde9743aa130fa8446cb3d7a27ff74af8a68f

SHA512
caaad2d931849f2612269ce80be0b2e29e26fad89acbc1c62b40d029dd953ffe2d8ff596a56487b17c9b8d956c58ca62a11dfbe9f84cf1fc18fd4afe31b0fa01

Download Submit
C:\Windows\SysWOW64\Cbjlhpkb.exe

Filesize
1.9MB

MD5
fcf3971295d74b0654e7f850d89715fa

SHA1
e6576d4630bb9942e3bfe5b7f09f56cc1cea6ace

SHA256
63dc6ecfee33ba291979c4769dfd95003fad2e07b82f8f90af6b190f25e1a021

SHA512
8fe021e602d9cd0f087e38ef38e7e724a16a5799606fab453a407b64bb0c87188a9c1bc790f892e98032f0e805703320f77a1f19e91f63614aeb49094905805d

Download Submit
C:\Windows\SysWOW64\Faonom32.exe

Filesize
1.9MB

MD5
dd8898db3ebca81e88aceaf236389a46

SHA1
9560053bf9463843715e57b96bb2825463c1f76c

SHA256
2485b0f3fef0784125835a670f802f318f73c13bf0e7641582d3e59c3f01d56c

SHA512
fb2a1b8dcf3b750d5dd2936b8df4c11da33fdb4bd1027247af464cf9ab262146de618c099454d0e7b5b91c4768d476b09a3a73556775dd5adcd0cde1b74319aa

Download Submit
C:\Windows\SysWOW64\Hifbdnbi.exe

Filesize
1.9MB

MD5
e5d921bd3587bc9b01e9237c1f8cd96c

SHA1
134df50cb7328a664131359ba593a38ac3c0aac4

SHA256
f2429dc37976ee9f3bf9f67007b3c3c2926e6a94c00e9adfa4283754988ee127

SHA512
113dd02d84120f60c218d0eef5dcf74c553dad1b777ab46f814aa72cfcc0b9280096fb2859137709825f2acf3e67d17969d7e25be992e3c0e7d0c4adb4eaf981

Download Submit
C:\Windows\SysWOW64\Jbfilffm.exe

Filesize
1.9MB

MD5
6fb686973a58b152d05a42672a264550

SHA1
8cc4662750a9e514fd051b159eadb859540e209e

SHA256
9f6224ba18b4660ab719c99a1d2953ae9c79db412962ba5dd89e76d5cb096411

SHA512
d4ff0e10d214834cb72f389094734ba1aa7affba223e77ec36e1f9307a9ea5dafeb9ff606bf315104f0b3f7c0b58fd87905ef0e3745bf72e3fbb5ba2a61cc9c4

Download Submit
C:\Windows\SysWOW64\Kdnkdmec.exe

Filesize
1.9MB

MD5
fcdfc890f78b99c65f266ca1d62a7b57

SHA1
bd258ddd3779b74db8d6f301955d6a726fd2b0b4

SHA256
39a5f8e342d3651af809aaa87f9138842d19151a7d07213edbbbe943ec229323

SHA512
82c739126168897e05c1e85eb2e02f6527773cc4b9288481e0905b4e930e2426c637d7cf45bb4bb7d88fb97e1dbe0ca9fb159a5bcc922c95e5a26f036780d625

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
1.9MB

MD5
c52b6285f5c4d6b0f98320dcf8490808

SHA1
16b6540a9533e210417c0dd8a72dbf1220921bd9

SHA256
5e43161e0f752db57455bad6d76d332d579647eed107ff97d978853907a89be2

SHA512
808aea57ae8128a8a3b48f8b6140e23b970b3ebe333a26eb2233e825789fe357025f5bd036fe1dabecbd226e128fa99e81d4b898b26b94e1c60d1bae3ac7911c

Download Submit
\Windows\SysWOW64\Aobpfb32.exe

Filesize
1.9MB

MD5
fb40b6c45e14e3d1a7bffc6177356398

SHA1
37f83dc1f360ab725e959858978bb97609bee4b0

SHA256
e59449757fddedbb3dba73710ea91acd26a37ff570ffea875c7d78284c221571

SHA512
ddbd91e8f0a3d89af6e7d11d4e5692babd51ff8c7639fed6f26d4b98a548aa6e8314bf8f7cac3bf25138904d74c0a283de9d8aa942e5536d969b9bb32a23093e

Download Submit
\Windows\SysWOW64\Ccbbachm.exe

Filesize
1.9MB

MD5
41027f5e3762a7db8a54291f0a9bc9eb

SHA1
65fdf5fac53f139a6b70fe4bba294cce96753b3c

SHA256
c9d226d1682916cf405771c20fa4697ccfe8ed91f2b59fa2ca1482c87f668a3a

SHA512
3184b3621e2930c930587c9185564ec7ed5d9831efce88acb464c63ef1927c8e07602b8ff6d64fe9c873aa28eb21561bbc5f5ea5a2c641e907cb3a2c2f6abb93

Download Submit
\Windows\SysWOW64\Dpklkgoj.exe

Filesize
1.9MB

MD5
7b8863b487aaafbd832533cf21658890

SHA1
cd28511527066b498775d5ee7be439c0b9e7362b

SHA256
a8a7144c26f23de58432e73a46fb09eff09e7ce2fd639d1be6aa57a551673735

SHA512
be8fcb23eb309e2c6e1bb4617feb5f6fab87befe4c90876fa2b869b23f6593cf38b5ac8209f51d5be5c086f457b482869cf9c1a319924c0a96cda43c8aee34ca

Download Submit
\Windows\SysWOW64\Eifmimch.exe

Filesize
1.9MB

MD5
221c4002ab8e0798f322d89c97f8aa91

SHA1
bea466502eac4b7f0b0c19e2701b79122d3e9b07

SHA256
f8d3002f33be96507faf4c257a18bb1765905193d59a1bca9beb9093aa4f8bbe

SHA512
cb8e5d79060581f46c9c8783e512b062a103fbc161236b0ff214e2d9f47a8774c659a030a7f23543f45888577a1e82c3b6026370dccef7d96c9ecddd16ab934d

Download Submit
\Windows\SysWOW64\Feddombd.exe

Filesize
1.9MB

MD5
fe147f87318d267e7018728059bc543e

SHA1
f7b920cc42015e59705b1150e4ed76f2120e3a95

SHA256
2a82bba95b085814c75290eb24ffc0b28d7968db176206fc04242845fec5eda7

SHA512
822fa866544b6738bf1c83eab3c7408b0db88d204dcf4184b3505947371cb95e39cc84ca13b6b2eb533c2c48ed4ef908d0462b133bac2b5d05448194732b0c77

Download Submit
\Windows\SysWOW64\Hgnokgcc.exe

Filesize
1.9MB

MD5
35c8202d67b73c992566dbb70ee28532

SHA1
199a735e511f49087345406e8f81b9e28046c2d9

SHA256
4ec878aff9392348cde995c99da68ccbde2e48581a9a66c6efcdb719b542e030

SHA512
dd2b1528d3a19275655b36dba806930342a629d81f8f8877e5f016d4fb93c65d52f851757f8d19bf540637fdf5744a5e3871840608b135d7d153d488b6ad13d8

Download Submit
\Windows\SysWOW64\Inmmbc32.exe

Filesize
1.9MB

MD5
f33bf2557adc1f7b55439399976e99cf

SHA1
563e459d012663d0ca0e37eeb799f317eee05136

SHA256
ede21547cad4273f75eeb4303ff52a66b926f1fd52faf2b46ac96b4d41c7e2c8

SHA512
456f16c8ef57a757395efccf98ccf13dc1f87d55c9588a6ebdea3b891764ab936c11dde0c290774c6f1d010bc0f107bbe3bd7eba517ad61667dd7e32234f15de

Download Submit
\Windows\SysWOW64\Jmipdo32.exe

Filesize
1.9MB

MD5
ec7801bdface7b30e03fa20ea8ac5fa8

SHA1
90bbc0a14576b54d0ad135570092a148f8d980f0

SHA256
27497797d39564e5aa338b2356b836a758baeefc96057496ca094ac5cfac552f

SHA512
2add5364181695d03f77a76448dfe1f908185aec39bab8eda70cca51c8a772b87517ec4792d354ddcf37ef7fc358eb4493cce678f6b0cb1729ed4d32b08acf3a

Download Submit
\Windows\SysWOW64\Kablnadm.exe

Filesize
1.9MB

MD5
2e4a619cbdf32dff955a882c895f245e

SHA1
42c63ec25ef1e863ef86cdeeaf8657a4efd69569

SHA256
19bbc2064e6aea78e097a58152ef3a746caa2cdcaed153389d0657fd3b15d211

SHA512
15da76b250eb3b2ec7f71db964da318be95bd957b23784e7e823748614e2b1ccf7af049802a616a49e928125671b023b607595afa9a1247a187e7b43fec1cc9b

Download Submit
memory/544-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-148-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/544-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-195-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1048-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-196-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1148-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-181-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1148-180-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1680-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-63-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1800-167-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1800-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-166-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1992-138-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1992-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-7-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2020-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-110-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2112-225-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2112-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-226-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2168-54-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2168-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-210-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2184-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-211-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2368-24-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2368-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-25-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2372-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-96-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2488-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-82-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2536-77-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2588-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-120-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2716-39-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2716-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2716-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads