berbew | b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
Size

64KB
MD5

88f54b00ec7c54c5d4d0286f70cecc59
SHA1

b2b07e38efefd6887905abc58805e8526e447bb2
SHA256

b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7
SHA512

26f78198abe4515e3ccfcf3c9177906c3bb3d0eb6100b27134ec6f50f2e552f5f85cfd84be7d84404d867bd020298b7ca47eb848dba4b6ee2a18c1e5e810034f
SSDEEP

1536:K59JbI4OHxHhWCuM1Y7Lj+m8jXJA5GTKn2LUAMCeW:K5TbIFHcadmmXJlNUpW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 7 IoCs

pid	Process
2824	Bmclhi32.exe
2892	Bdmddc32.exe
2692	Baadng32.exe
2736	Cilibi32.exe
560	Cgpjlnhh.exe
2152	Cmjbhh32.exe
2404	Ceegmj32.exe

Loads dropped DLL 18 IoCs

pid	Process
2944	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
2944	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
2824	Bmclhi32.exe
2824	Bmclhi32.exe
2892	Bdmddc32.exe
2892	Bdmddc32.exe
2692	Baadng32.exe
2692	Baadng32.exe
2736	Cilibi32.exe
2736	Cilibi32.exe
560	Cgpjlnhh.exe
560	Cgpjlnhh.exe
2152	Cmjbhh32.exe
2152	Cmjbhh32.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Dojofhjd.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bdmddc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2348	2404	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2824	2944	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe	30
PID 2944 wrote to memory of 2824	2944	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe	30
PID 2944 wrote to memory of 2824	2944	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe	30
PID 2944 wrote to memory of 2824	2944	b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe	30
PID 2824 wrote to memory of 2892	2824	Bmclhi32.exe	31
PID 2824 wrote to memory of 2892	2824	Bmclhi32.exe	31
PID 2824 wrote to memory of 2892	2824	Bmclhi32.exe	31
PID 2824 wrote to memory of 2892	2824	Bmclhi32.exe	31
PID 2892 wrote to memory of 2692	2892	Bdmddc32.exe	32
PID 2892 wrote to memory of 2692	2892	Bdmddc32.exe	32
PID 2892 wrote to memory of 2692	2892	Bdmddc32.exe	32
PID 2892 wrote to memory of 2692	2892	Bdmddc32.exe	32
PID 2692 wrote to memory of 2736	2692	Baadng32.exe	33
PID 2692 wrote to memory of 2736	2692	Baadng32.exe	33
PID 2692 wrote to memory of 2736	2692	Baadng32.exe	33
PID 2692 wrote to memory of 2736	2692	Baadng32.exe	33
PID 2736 wrote to memory of 560	2736	Cilibi32.exe	34
PID 2736 wrote to memory of 560	2736	Cilibi32.exe	34
PID 2736 wrote to memory of 560	2736	Cilibi32.exe	34
PID 2736 wrote to memory of 560	2736	Cilibi32.exe	34
PID 560 wrote to memory of 2152	560	Cgpjlnhh.exe	35
PID 560 wrote to memory of 2152	560	Cgpjlnhh.exe	35
PID 560 wrote to memory of 2152	560	Cgpjlnhh.exe	35
PID 560 wrote to memory of 2152	560	Cgpjlnhh.exe	35
PID 2152 wrote to memory of 2404	2152	Cmjbhh32.exe	36
PID 2152 wrote to memory of 2404	2152	Cmjbhh32.exe	36
PID 2152 wrote to memory of 2404	2152	Cmjbhh32.exe	36
PID 2152 wrote to memory of 2404	2152	Cmjbhh32.exe	36
PID 2404 wrote to memory of 2348	2404	Ceegmj32.exe	37
PID 2404 wrote to memory of 2348	2404	Ceegmj32.exe	37
PID 2404 wrote to memory of 2348	2404	Ceegmj32.exe	37
PID 2404 wrote to memory of 2348	2404	Ceegmj32.exe	37

C:\Users\Admin\AppData\Local\Temp\b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe
"C:\Users\Admin\AppData\Local\Temp\b85c5981caff8b4d84cfe76c80fcd514b845603135cc17d5aa7e66c91f5ccde7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\Bmclhi32.exe
  C:\Windows\system32\Bmclhi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\Bdmddc32.exe
    C:\Windows\system32\Bdmddc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\Baadng32.exe
      C:\Windows\system32\Baadng32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 140
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
64KB

MD5
74372de7e6f0adac41e192780f5cdede

SHA1
5bc456f6bd417a58f67e026853f1fe7d96fa8f16

SHA256
8175b3c23f2ada513247de117c73fda6bdd2e54285cf0a00562c27fdcd7030a4

SHA512
9c09714c64f2cc0352bc6e3395aab1beca4a1dfaee673d5295f7bd5666320feb3bce43a1e8c0e5e33eb5d4f0d4729853298b8b33e34b013b834db9a5f3865291

Download Submit
\Windows\SysWOW64\Baadng32.exe

Filesize
64KB

MD5
811343ed20180aa22934c9e8ddf4e98e

SHA1
6d69abeb2f46b61479135f35f522a5df708c946d

SHA256
af3cc33b8b68769edb3e780b79f45e4774d67a74dbfe71d25e2bb77213d510eb

SHA512
9c2e4533190cf60494ddc4e466910f1c199fd81c5230144c1da87225fcea58c439859854836af5daf2e76d83b0944efecfb09cad87eefdd31a40f27d7ea5debd

Download Submit
\Windows\SysWOW64\Bmclhi32.exe

Filesize
64KB

MD5
843ec285c1e48eaf4b8f4cfd99767912

SHA1
4af188488c2a11e7b422ae8447d2d4efcbbba2e5

SHA256
d98c2d9675613e3e7ef727c99a0c3834f45aa4f37eec65db17e521b8e6c71455

SHA512
303e044aa02aa5d96aced9b5b8e2cc6fe44b6a10045821c2d28287340e653f955bb8deb1567692effbaf02648d3daad45dcc82d15db62abe762312cd1982f856

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
64KB

MD5
60083926df5732b966e3836eed89a40a

SHA1
96f359132a637834e3ef18649bd57e6735e77b36

SHA256
9787fdf6235fa72e3092527c0f2925cf34393d2b05cfd86625dda45cf95de829

SHA512
030122264d601489be14f20f6f0ea3c41267a3a4122d73a15ce262e5537837ae8f1b76e8f614d9338e84f0d51a5f7d6f7c783d3fcb40c64c6bd84f45d792e180

Download Submit
\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
64KB

MD5
2d1733834e48044b13b64951c2a51ebc

SHA1
1845e52780436916ad3751babbe3f41e6db7a1e4

SHA256
fa1bec85c3baa0c6816e4ba48ecf20bef486bf7bf77c6fb42aad1a8151b681cd

SHA512
ba12d86e62ef619327208968e2252550a417a961b3ff789bba1f3d030bbc85f82eb84172e329a2d3998d890f62db8a7179ae9f4c0bcde0017bea082851f5c2e1

Download Submit
\Windows\SysWOW64\Cilibi32.exe

Filesize
64KB

MD5
974d0cb41adedf213b54a46bb6b9ca06

SHA1
2fdf73d05a88f1323bd790378e18a7894205b1b0

SHA256
9165e34f44c2dfd535f50e18004f3c7acd2279a3eb2e39f237a5a1220243f0ce

SHA512
21827a52b36305a0a1a393b5ca83f8c97fd7c9471d7787eae815cc7afec26920b2cd693dd97c1f4259603f22987ef66330791f020e447778e23275c13e11e7bd

Download Submit
\Windows\SysWOW64\Cmjbhh32.exe

Filesize
64KB

MD5
036eda2e990231f7b160e359bcf4de83

SHA1
69c7902307586e0dc25bdcaa75b437429a377a59

SHA256
eb68fbf47652d118e61b069e794ff90baa5badfbc1fed58646d7b737fdd8ccef

SHA512
e713481e7ff8c3708566e0c19bdefafd1fa3d73d497727f557e26f82b92f5db3ec598cb5645a9d110b1b6ec9f0cfea45b282cfeb97db0cb27ed3500895524d2a

Download Submit
memory/560-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/560-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/560-77-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2152-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-83-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-91-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2404-97-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2404-106-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2692-102-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2692-49-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2692-42-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2736-107-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2736-63-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/2824-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-26-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2824-21-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2892-35-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/2892-40-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/2892-105-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2944-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2944-17-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2944-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads