berbew | ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
Size

448KB
MD5

a8e265255d8fe43a7b52eb79c9d0f360
SHA1

223a9cd603ea022bd3df5704963f280f950527df
SHA256

ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5
SHA512

cb5e681044139fbdf4a9aaf80e60f1d76f6dadebe89968f430e2789124787c07c36a706d2dfac17f18502c38c97a4851b6e16d17bb918eb9bab70a3ab4a47379
SSDEEP

6144:zY3IBSdUUsQn8+9ZiLUmKyIxLDXXoq9FJZCUmKyIxL:z50Y+W32XXf9Do3

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqacic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjldghjm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqacic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdmaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oebimf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oebimf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apoooa32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 17 IoCs

pid	Process
2684	Ocdmaj32.exe
2704	Oebimf32.exe
2680	Oqacic32.exe
1928	Pjldghjm.exe
484	Pqhijbog.exe
1844	Picnndmb.exe
3020	Pmccjbaf.exe
3012	Qqeicede.exe
2744	Aganeoip.exe
2512	Apoooa32.exe
1496	Amelne32.exe
2452	Bilmcf32.exe
2316	Biafnecn.exe
1492	Bjbcfn32.exe
2468	Ckiigmcd.exe
2472	Cbgjqo32.exe
672	Ceegmj32.exe

Loads dropped DLL 38 IoCs

pid	Process
2172	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
2172	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
2684	Ocdmaj32.exe
2684	Ocdmaj32.exe
2704	Oebimf32.exe
2704	Oebimf32.exe
2680	Oqacic32.exe
2680	Oqacic32.exe
1928	Pjldghjm.exe
1928	Pjldghjm.exe
484	Pqhijbog.exe
484	Pqhijbog.exe
1844	Picnndmb.exe
1844	Picnndmb.exe
3020	Pmccjbaf.exe
3020	Pmccjbaf.exe
3012	Qqeicede.exe
3012	Qqeicede.exe
2744	Aganeoip.exe
2744	Aganeoip.exe
2512	Apoooa32.exe
2512	Apoooa32.exe
1496	Amelne32.exe
1496	Amelne32.exe
2452	Bilmcf32.exe
2452	Bilmcf32.exe
2316	Biafnecn.exe
2316	Biafnecn.exe
1492	Bjbcfn32.exe
1492	Bjbcfn32.exe
2468	Ckiigmcd.exe
2468	Ckiigmcd.exe
2472	Cbgjqo32.exe
2472	Cbgjqo32.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pqhijbog.exe	Pjldghjm.exe
File created	C:\Windows\SysWOW64\Qqeicede.exe	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Biafnecn.exe
File created	C:\Windows\SysWOW64\Pjldghjm.exe	Oqacic32.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Blkepk32.dll	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
File opened for modification	C:\Windows\SysWOW64\Oebimf32.exe	Ocdmaj32.exe
File created	C:\Windows\SysWOW64\Ghkekdhl.dll	Oebimf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjldghjm.exe	Oqacic32.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Picnndmb.exe
File created	C:\Windows\SysWOW64\Oodajl32.dll	Picnndmb.exe
File created	C:\Windows\SysWOW64\Apoooa32.exe	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Ocdmaj32.exe	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File opened for modification	C:\Windows\SysWOW64\Picnndmb.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Apoooa32.exe
File created	C:\Windows\SysWOW64\Bpodeegi.dll	Pjldghjm.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Oqacic32.exe	Oebimf32.exe
File created	C:\Windows\SysWOW64\Pmccjbaf.exe	Picnndmb.exe
File created	C:\Windows\SysWOW64\Hbcicn32.dll	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Apoooa32.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Cdblnn32.dll	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Amelne32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Amelne32.exe
File created	C:\Windows\SysWOW64\Oebimf32.exe	Ocdmaj32.exe
File created	C:\Windows\SysWOW64\Cbgjqo32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Amelne32.exe
File created	C:\Windows\SysWOW64\Lnhbfpnj.dll	Oqacic32.exe
File created	C:\Windows\SysWOW64\Pqhijbog.exe	Pjldghjm.exe
File created	C:\Windows\SysWOW64\Jjmoilnn.dll	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Aganeoip.exe	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Amelne32.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Oqacic32.exe	Oebimf32.exe
File created	C:\Windows\SysWOW64\Kpkdli32.dll	Ocdmaj32.exe
File created	C:\Windows\SysWOW64\Picnndmb.exe	Pqhijbog.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Llaemaih.dll	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Ocdmaj32.exe	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1756	672	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdmaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqacic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhijbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oebimf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjldghjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhbfpnj.dll"	Oqacic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpodeegi.dll"	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcicn32.dll"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkepk32.dll"	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpkdli32.dll"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdmaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oebimf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aganeoip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oebimf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkekdhl.dll"	Oebimf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apoooa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2684	2172	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe	30
PID 2172 wrote to memory of 2684	2172	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe	30
PID 2172 wrote to memory of 2684	2172	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe	30
PID 2172 wrote to memory of 2684	2172	ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe	30
PID 2684 wrote to memory of 2704	2684	Ocdmaj32.exe	31
PID 2684 wrote to memory of 2704	2684	Ocdmaj32.exe	31
PID 2684 wrote to memory of 2704	2684	Ocdmaj32.exe	31
PID 2684 wrote to memory of 2704	2684	Ocdmaj32.exe	31
PID 2704 wrote to memory of 2680	2704	Oebimf32.exe	32
PID 2704 wrote to memory of 2680	2704	Oebimf32.exe	32
PID 2704 wrote to memory of 2680	2704	Oebimf32.exe	32
PID 2704 wrote to memory of 2680	2704	Oebimf32.exe	32
PID 2680 wrote to memory of 1928	2680	Oqacic32.exe	33
PID 2680 wrote to memory of 1928	2680	Oqacic32.exe	33
PID 2680 wrote to memory of 1928	2680	Oqacic32.exe	33
PID 2680 wrote to memory of 1928	2680	Oqacic32.exe	33
PID 1928 wrote to memory of 484	1928	Pjldghjm.exe	34
PID 1928 wrote to memory of 484	1928	Pjldghjm.exe	34
PID 1928 wrote to memory of 484	1928	Pjldghjm.exe	34
PID 1928 wrote to memory of 484	1928	Pjldghjm.exe	34
PID 484 wrote to memory of 1844	484	Pqhijbog.exe	35
PID 484 wrote to memory of 1844	484	Pqhijbog.exe	35
PID 484 wrote to memory of 1844	484	Pqhijbog.exe	35
PID 484 wrote to memory of 1844	484	Pqhijbog.exe	35
PID 1844 wrote to memory of 3020	1844	Picnndmb.exe	36
PID 1844 wrote to memory of 3020	1844	Picnndmb.exe	36
PID 1844 wrote to memory of 3020	1844	Picnndmb.exe	36
PID 1844 wrote to memory of 3020	1844	Picnndmb.exe	36
PID 3020 wrote to memory of 3012	3020	Pmccjbaf.exe	37
PID 3020 wrote to memory of 3012	3020	Pmccjbaf.exe	37
PID 3020 wrote to memory of 3012	3020	Pmccjbaf.exe	37
PID 3020 wrote to memory of 3012	3020	Pmccjbaf.exe	37
PID 3012 wrote to memory of 2744	3012	Qqeicede.exe	38
PID 3012 wrote to memory of 2744	3012	Qqeicede.exe	38
PID 3012 wrote to memory of 2744	3012	Qqeicede.exe	38
PID 3012 wrote to memory of 2744	3012	Qqeicede.exe	38
PID 2744 wrote to memory of 2512	2744	Aganeoip.exe	39
PID 2744 wrote to memory of 2512	2744	Aganeoip.exe	39
PID 2744 wrote to memory of 2512	2744	Aganeoip.exe	39
PID 2744 wrote to memory of 2512	2744	Aganeoip.exe	39
PID 2512 wrote to memory of 1496	2512	Apoooa32.exe	40
PID 2512 wrote to memory of 1496	2512	Apoooa32.exe	40
PID 2512 wrote to memory of 1496	2512	Apoooa32.exe	40
PID 2512 wrote to memory of 1496	2512	Apoooa32.exe	40
PID 1496 wrote to memory of 2452	1496	Amelne32.exe	41
PID 1496 wrote to memory of 2452	1496	Amelne32.exe	41
PID 1496 wrote to memory of 2452	1496	Amelne32.exe	41
PID 1496 wrote to memory of 2452	1496	Amelne32.exe	41
PID 2452 wrote to memory of 2316	2452	Bilmcf32.exe	42
PID 2452 wrote to memory of 2316	2452	Bilmcf32.exe	42
PID 2452 wrote to memory of 2316	2452	Bilmcf32.exe	42
PID 2452 wrote to memory of 2316	2452	Bilmcf32.exe	42
PID 2316 wrote to memory of 1492	2316	Biafnecn.exe	43
PID 2316 wrote to memory of 1492	2316	Biafnecn.exe	43
PID 2316 wrote to memory of 1492	2316	Biafnecn.exe	43
PID 2316 wrote to memory of 1492	2316	Biafnecn.exe	43
PID 1492 wrote to memory of 2468	1492	Bjbcfn32.exe	44
PID 1492 wrote to memory of 2468	1492	Bjbcfn32.exe	44
PID 1492 wrote to memory of 2468	1492	Bjbcfn32.exe	44
PID 1492 wrote to memory of 2468	1492	Bjbcfn32.exe	44
PID 2468 wrote to memory of 2472	2468	Ckiigmcd.exe	45
PID 2468 wrote to memory of 2472	2468	Ckiigmcd.exe	45
PID 2468 wrote to memory of 2472	2468	Ckiigmcd.exe	45
PID 2468 wrote to memory of 2472	2468	Ckiigmcd.exe	45

C:\Users\Admin\AppData\Local\Temp\ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe
"C:\Users\Admin\AppData\Local\Temp\ff02a69b0d79e97a310410bd9ca7f87281b9fbd0ae7ac446d05df7ba2c7b28b5N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\Ocdmaj32.exe
  C:\Windows\system32\Ocdmaj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\Oebimf32.exe
    C:\Windows\system32\Oebimf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\Oqacic32.exe
      C:\Windows\system32\Oqacic32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\Pjldghjm.exe
        
        C:\Windows\system32\Pjldghjm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\SysWOW64\Pqhijbog.exe
        
        C:\Windows\system32\Pqhijbog.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aganeoip.exe

Filesize
448KB

MD5
4ebfe5afc92b720a30587842d509ab77

SHA1
228f10510136234fbd342ecafa2474de78625e83

SHA256
db99ef2004ad8abd21e731e881ce3b852de4754e0ca22fb46486827ed740c96b

SHA512
ac7d715d77d6fef3cf5d2bad717dfca920ae3b525c4c762ae267a1c2859b8346e03f0af14a8cc09ffee1f38f6eeecc9a3b50101e732f18800aefce1e9e76c58b

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
448KB

MD5
6e74dd859ec5dcba6a27835050b98c36

SHA1
5e15126702d3ffd9088b94a94395d6f642197f74

SHA256
3eefa40cc38683757e34a0d53fdb1ef3051db21c0c47e8d3885d9be94554d8d7

SHA512
0ec847e12ddd5f6c945576f673aaab79417c6d0b5a7e063a934698714acb644ee39f4237eb3f982bfaad35341284a64a862cc52b07e3ec70b6c449deb054dd7a

Download Submit
C:\Windows\SysWOW64\Bpodeegi.dll

Filesize
7KB

MD5
a3accdaddebf8af222887692106cb894

SHA1
5f137c3268dbba733f909125310f74bc15a5323b

SHA256
0d0bf158df9e0d0776975dc27b7055b05e657b44d131b894c5738c8fae051da0

SHA512
767c6370447bed36f93887c6ae3e4c1c672677c7a1aa96f6a65efe248ee36728ebd6d080e3a95c813e36d9825984f897c1cf1f1a21e505704ec9d9985585b27c

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
448KB

MD5
82357e9b9fb96bb3717a1447e2a4219f

SHA1
f15c313231b353bb3a6e11201119d1792db7cba6

SHA256
80df6256a63a254894dfe502501929763b9d4e86429de5d1cab68c73d24cc066

SHA512
1bbeb98a46fd9461a9479cfef51b4f7bd89cdd14eb056d30aef4ce455a456d92e5b16bd9e67d7ec8f7633afaa8398d80c562726943b80650a14208bdf65cd952

Download Submit
C:\Windows\SysWOW64\Ocdmaj32.exe

Filesize
448KB

MD5
df2f7e73f24b07d37602b3d680159504

SHA1
de7c9cbf582742ef4b2215e18b0710dcd4cb8cfa

SHA256
983d80e0e81f2d926516629bee1aa6460210b38f56ab5a05ad49b250ae41fe22

SHA512
20b8b7f5f6f8635e57f0f9a882985cf8ef159ffa718dbabfaaa7fcd2a86f37a99b3e19cb68379bee45f7158d6a6b8f6c437bee1b9c74330ef5dccf940811ce3f

Download Submit
C:\Windows\SysWOW64\Oebimf32.exe

Filesize
448KB

MD5
93193494c3301e1ac26760bebd060fd0

SHA1
98cd02df47900443fda42b526c8bfcda4ecbca72

SHA256
4de3415394e7a554df703483cfb14c0354219075a2ec3a3e604348b86dce4c54

SHA512
2f6cfa41d8aecf27a523fd85a90efba5c9c28410861d757d08ae08818c07085e823c6287b0f2616978f4df0b22db10719b85f2fe4addab26c559ddeef8680ad9

Download Submit
\Windows\SysWOW64\Amelne32.exe

Filesize
448KB

MD5
b919e265a97c39ea28b9735d84281faa

SHA1
a86f9b2356c42b94189017088ebbb346434d8777

SHA256
57c81f338ef50da49457c5dcea00a3db031acdc375154b0c5b837ba93b8b12c4

SHA512
1ccc80711f3b3fc69711119afa6ca035fcf55f85d20895c140f42fc02f6e0175b78a864b7b57db82fbcc4e678ef60a8193b325fab18638cf0f8007dd58033814

Download Submit
\Windows\SysWOW64\Apoooa32.exe

Filesize
448KB

MD5
f7da8b6116d7b6be426daba8de823e6e

SHA1
bbe4b3a669a0f5f862e327edd2f5c3d6b7135bc7

SHA256
f00cd03a07a879565b5a4f7a8f0bd8501f16bbd0dc3d4b00c77d680c39ca6099

SHA512
631e02ff6bb74ecd19cef131410dd1b80abde3f43565555929e897bb49471187711d740ad1acd3ce5132e90253b5ef3630976fcee2222df2293fe386172ef821

Download Submit
\Windows\SysWOW64\Biafnecn.exe

Filesize
448KB

MD5
2f441f133158f587018a80bd2d0acc9e

SHA1
7659fd669496875b1184b883ef40400559d5e645

SHA256
88d545d01893594ac918b9f4da4e3f44430e5f65eb73251207594026fff53fd5

SHA512
b6f08f5ccdad3ca4614457f3d12bbbac7ff8a01bdb41fc474eb994f504f4a4bdc6ab51a116e671196f527805e27f2eae729053e56335017a2162a63ba9a25e5d

Download Submit
\Windows\SysWOW64\Bilmcf32.exe

Filesize
448KB

MD5
46502f82f2130dca84e54d75db58c2b0

SHA1
de30b11c5fea25f9876cdd56486775a1d0ec0d24

SHA256
46205ef7c4f428488c916e2d721b062b87ba52d0ea9f7376ad902ddedc718ea1

SHA512
816700d3e4d449a98553ecac4fba2c091bfc57ca8d5f22f276104cd0687e09bb171ee8b7005acbbee878c4c542312ac84c9431cdcfbfc075c3ab008fc21f4db9

Download Submit
\Windows\SysWOW64\Cbgjqo32.exe

Filesize
448KB

MD5
93343c512fea35359e20d0e04fe3c50b

SHA1
9f55720ace6b8ada2eac388abf544e12c3ec3366

SHA256
ebdb0ac1e3056baf9d3af48ffb41f9f3e5cb53612060aae5b091e2c97bc20fcf

SHA512
d9816b45127fdaeafc54ea5668d48e6655f45f708ea1871d4fbd65be31ddfe23b0aef57761be47fa7b96400022b2359771540c6e4b58919070f1c792e70e8015

Download Submit
\Windows\SysWOW64\Ckiigmcd.exe

Filesize
448KB

MD5
24cd3eedba579343e15fb8e8aa631cfc

SHA1
68d04841124169b6a852cc2ae469bedc56db53e4

SHA256
6e5c2cfacaa3a5233c63fdf6315eac5d6bc9833ac5e35906e2a2846413dffc1c

SHA512
fea68f2e821340e2a0cc1aa3a5db0acaed8ec2faee12a3c7e435c841fa1ec1edd15f95602dd613121cd5f99a966f747f5f0f4cc7605b13fd4247e8150e49c6b9

Download Submit
\Windows\SysWOW64\Oqacic32.exe

Filesize
448KB

MD5
7a293c345eecc9f7aabb00f0ffb3900d

SHA1
d6a53e39e25e3ceec4321c1836efe3e0e6834add

SHA256
b828915639b3fe46677400a7bb6ad4509044c014eaf80be9d24522540ef36019

SHA512
22c81a5589edf15a1f6b6cb12a77954ad463dfb10d348669b8863a4b2ef7674d36fb6dfa3c566e1b4d22b73ce6d72cfb7bcd6a4ee990cc72948603e6de2a1d09

Download Submit
\Windows\SysWOW64\Picnndmb.exe

Filesize
448KB

MD5
9e2e8301b5ae172b5c605b607ccaeb15

SHA1
3b5653261e7bc21f4ba7926d0f1a50d29a017dc8

SHA256
8218a02cdd66bd0ae619724d9542eb4996e3a4e5e0c235bdef2347544da63e78

SHA512
04cde857618cab08a515c03ea7bad9bd2dd645d3e83b11fe03ce68e11f8d00605e96d0adb471cbb912022e7d736e724755e20b8788b5a2063328471c28ced385

Download Submit
\Windows\SysWOW64\Pjldghjm.exe

Filesize
448KB

MD5
6b1c5db726ecd2cd890a69cd5d28383a

SHA1
a926dce118fefd884f5f1729a1886f0991204e13

SHA256
15fbd974de1964263ce79bf639a536ea131354b22b56548790f21a6730be059e

SHA512
182877ac60eb475e5bed17ccc4230804b444c22a64cb21ba40a8683e738aab3f65e67c71a055837f28943037dbed2d959778fe900da4199b68894c476ad5ad58

Download Submit
\Windows\SysWOW64\Pmccjbaf.exe

Filesize
448KB

MD5
1cbe2099c54c5acf23f269550e03e993

SHA1
b54c16ec6a592168b30d96f8edcb7b9f0ac76cf2

SHA256
b7325d80b5a2dd019ef3261f3434b67105ca09de33efcce12dda5fdc3b364db7

SHA512
14f06c2e234f8fb2ff7b6bba38864611808c6d40ca2122be6967e850578bab916b6f132fc5d042041d79c024e6171fcf0cb567c484787ae6eea4f94e285d46c8

Download Submit
\Windows\SysWOW64\Pqhijbog.exe

Filesize
448KB

MD5
4a7216d2fe93d6ecc2a2adee4fb5eab1

SHA1
8510dd5e70f09a97974f75674f18a0215f5ea218

SHA256
9b77d6083cd4ab8234b6ea778c8afb10445ab236e5cfdb708121a345bab27928

SHA512
fcce238375d7bc45113600bb4a886912a6ded1b534b71f41626e0d602b44a9e0dd2c6c1dc6a9f4379dd247f3f5a2378031eeb22b848e20018adf512cb95d42f3

Download Submit
\Windows\SysWOW64\Qqeicede.exe

Filesize
448KB

MD5
4e879e2c4acb700538a1c28d44a59ab4

SHA1
bcf509ec45e2ca6ac8caa89e039fb32843edb145

SHA256
57a1a7e05ae751bbefaf595965ffc2b9b89e2aa59b59f69be8a2d28af60322a4

SHA512
910bd80983fad73cb2ecf32ea9489c982d307c24ae6e1838bd8ad5d14f38f6869e2b80f0aa8d57390c897039b6a7ad277feb03329f5c6314563477836041f32b

Download Submit
memory/484-77-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/484-70-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/484-260-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/672-237-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/672-269-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1492-196-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1492-204-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/1492-253-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1496-157-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1496-161-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1496-244-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1844-255-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1844-83-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1844-91-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1844-257-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1928-62-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1928-261-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1928-55-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2172-12-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2172-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2172-13-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2172-270-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2316-252-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2316-186-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2316-194-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2452-167-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2452-180-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2452-175-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2452-273-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2468-210-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2468-239-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2468-241-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2468-224-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2468-223-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2472-232-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2472-236-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2472-240-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2472-238-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2472-225-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2512-139-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2512-245-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2512-147-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2680-272-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2680-271-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2680-54-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2680-41-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2684-267-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2684-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2704-268-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2704-27-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2704-35-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2744-125-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-250-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-137-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/3012-123-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3012-111-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3012-251-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3020-97-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3020-254-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3020-256-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3020-109-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads