berbew | 50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/12/2024, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
Size

352KB
MD5

f4c8dd4e06fe904aaf439b1e5ea21e35
SHA1

d713b202659fc1173977d3abe46db1d96759f760
SHA256

50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928
SHA512

48595301ceb900023e9ffa54bb068ba4352f0a834062d908ee680b9749b318b50ffffc1587bf97fe43aa8435a15ec41710ffa5865ef0fb2f65e411cac720edd0
SSDEEP

6144:2LBp+cz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisj:UosUasUqsU6sj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbbpenco.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 15 IoCs

pid	Process
2956	Aakjdo32.exe
1364	Aficjnpm.exe
3044	Abpcooea.exe
2808	Bbbpenco.exe
2780	Bdqlajbb.exe
2684	Bgaebe32.exe
2576	Bchfhfeh.exe
2356	Bmpkqklh.exe
1796	Bfioia32.exe
952	Ciihklpj.exe
1152	Ckjamgmk.exe
2520	Cbdiia32.exe
2432	Cinafkkd.exe
1648	Dnpciaef.exe
1924	Dpapaj32.exe

Loads dropped DLL 33 IoCs

pid	Process
2316	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
2316	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
2956	Aakjdo32.exe
2956	Aakjdo32.exe
1364	Aficjnpm.exe
1364	Aficjnpm.exe
3044	Abpcooea.exe
3044	Abpcooea.exe
2808	Bbbpenco.exe
2808	Bbbpenco.exe
2780	Bdqlajbb.exe
2780	Bdqlajbb.exe
2684	Bgaebe32.exe
2684	Bgaebe32.exe
2576	Bchfhfeh.exe
2576	Bchfhfeh.exe
2356	Bmpkqklh.exe
2356	Bmpkqklh.exe
1796	Bfioia32.exe
1796	Bfioia32.exe
952	Ciihklpj.exe
952	Ciihklpj.exe
1152	Ckjamgmk.exe
1152	Ckjamgmk.exe
2520	Cbdiia32.exe
2520	Cbdiia32.exe
2432	Cinafkkd.exe
2432	Cinafkkd.exe
1648	Dnpciaef.exe
1648	Dnpciaef.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Aakjdo32.exe	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Bbbpenco.exe	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Bbbpenco.exe	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Aakjdo32.exe	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Abpcooea.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bbbpenco.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2000	1924	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll"	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2956	2316	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe	31
PID 2316 wrote to memory of 2956	2316	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe	31
PID 2316 wrote to memory of 2956	2316	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe	31
PID 2316 wrote to memory of 2956	2316	50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe	31
PID 2956 wrote to memory of 1364	2956	Aakjdo32.exe	32
PID 2956 wrote to memory of 1364	2956	Aakjdo32.exe	32
PID 2956 wrote to memory of 1364	2956	Aakjdo32.exe	32
PID 2956 wrote to memory of 1364	2956	Aakjdo32.exe	32
PID 1364 wrote to memory of 3044	1364	Aficjnpm.exe	33
PID 1364 wrote to memory of 3044	1364	Aficjnpm.exe	33
PID 1364 wrote to memory of 3044	1364	Aficjnpm.exe	33
PID 1364 wrote to memory of 3044	1364	Aficjnpm.exe	33
PID 3044 wrote to memory of 2808	3044	Abpcooea.exe	34
PID 3044 wrote to memory of 2808	3044	Abpcooea.exe	34
PID 3044 wrote to memory of 2808	3044	Abpcooea.exe	34
PID 3044 wrote to memory of 2808	3044	Abpcooea.exe	34
PID 2808 wrote to memory of 2780	2808	Bbbpenco.exe	35
PID 2808 wrote to memory of 2780	2808	Bbbpenco.exe	35
PID 2808 wrote to memory of 2780	2808	Bbbpenco.exe	35
PID 2808 wrote to memory of 2780	2808	Bbbpenco.exe	35
PID 2780 wrote to memory of 2684	2780	Bdqlajbb.exe	36
PID 2780 wrote to memory of 2684	2780	Bdqlajbb.exe	36
PID 2780 wrote to memory of 2684	2780	Bdqlajbb.exe	36
PID 2780 wrote to memory of 2684	2780	Bdqlajbb.exe	36
PID 2684 wrote to memory of 2576	2684	Bgaebe32.exe	37
PID 2684 wrote to memory of 2576	2684	Bgaebe32.exe	37
PID 2684 wrote to memory of 2576	2684	Bgaebe32.exe	37
PID 2684 wrote to memory of 2576	2684	Bgaebe32.exe	37
PID 2576 wrote to memory of 2356	2576	Bchfhfeh.exe	38
PID 2576 wrote to memory of 2356	2576	Bchfhfeh.exe	38
PID 2576 wrote to memory of 2356	2576	Bchfhfeh.exe	38
PID 2576 wrote to memory of 2356	2576	Bchfhfeh.exe	38
PID 2356 wrote to memory of 1796	2356	Bmpkqklh.exe	39
PID 2356 wrote to memory of 1796	2356	Bmpkqklh.exe	39
PID 2356 wrote to memory of 1796	2356	Bmpkqklh.exe	39
PID 2356 wrote to memory of 1796	2356	Bmpkqklh.exe	39
PID 1796 wrote to memory of 952	1796	Bfioia32.exe	40
PID 1796 wrote to memory of 952	1796	Bfioia32.exe	40
PID 1796 wrote to memory of 952	1796	Bfioia32.exe	40
PID 1796 wrote to memory of 952	1796	Bfioia32.exe	40
PID 952 wrote to memory of 1152	952	Ciihklpj.exe	41
PID 952 wrote to memory of 1152	952	Ciihklpj.exe	41
PID 952 wrote to memory of 1152	952	Ciihklpj.exe	41
PID 952 wrote to memory of 1152	952	Ciihklpj.exe	41
PID 1152 wrote to memory of 2520	1152	Ckjamgmk.exe	42
PID 1152 wrote to memory of 2520	1152	Ckjamgmk.exe	42
PID 1152 wrote to memory of 2520	1152	Ckjamgmk.exe	42
PID 1152 wrote to memory of 2520	1152	Ckjamgmk.exe	42
PID 2520 wrote to memory of 2432	2520	Cbdiia32.exe	43
PID 2520 wrote to memory of 2432	2520	Cbdiia32.exe	43
PID 2520 wrote to memory of 2432	2520	Cbdiia32.exe	43
PID 2520 wrote to memory of 2432	2520	Cbdiia32.exe	43
PID 2432 wrote to memory of 1648	2432	Cinafkkd.exe	44
PID 2432 wrote to memory of 1648	2432	Cinafkkd.exe	44
PID 2432 wrote to memory of 1648	2432	Cinafkkd.exe	44
PID 2432 wrote to memory of 1648	2432	Cinafkkd.exe	44
PID 1648 wrote to memory of 1924	1648	Dnpciaef.exe	45
PID 1648 wrote to memory of 1924	1648	Dnpciaef.exe	45
PID 1648 wrote to memory of 1924	1648	Dnpciaef.exe	45
PID 1648 wrote to memory of 1924	1648	Dnpciaef.exe	45
PID 1924 wrote to memory of 2000	1924	Dpapaj32.exe	46
PID 1924 wrote to memory of 2000	1924	Dpapaj32.exe	46
PID 1924 wrote to memory of 2000	1924	Dpapaj32.exe	46
PID 1924 wrote to memory of 2000	1924	Dpapaj32.exe	46

C:\Users\Admin\AppData\Local\Temp\50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe
"C:\Users\Admin\AppData\Local\Temp\50eeaab5ce4f6799d24c4fb1799ea8b3a383020354a2be7cb62a8a50e7f19928.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\Aakjdo32.exe
  C:\Windows\system32\Aakjdo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\Aficjnpm.exe
    C:\Windows\system32\Aficjnpm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\Abpcooea.exe
      C:\Windows\system32\Abpcooea.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 144
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
352KB

MD5
b9915757287e7fbc0216cb04bef1df80

SHA1
18cf0726e1be9723a502d4e51351fcb41d96d808

SHA256
9774979af90f58a8051943905815e0c777b3bce52af48a75c767c183ac58897b

SHA512
e404211013022afa76c7127eaf605d04d01f09670bdc46058029ef7d6550fb4918976902cc67e9f8e3b9e552bb030a57c0482f22c6d7c973b6c76d35e23fbb7a

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
352KB

MD5
d153ba8d769e13475878ba73504a9032

SHA1
186cf1f4ca2ad5432bfc07526e6846a5e13d803c

SHA256
45becbfb1fcefa48cd443ba325767087c8fdd37931fcf794614cfb8508272d7a

SHA512
c9287fe7f356a7a752bf1609e413499992da8e0cccdde5e7003b7066dc2d3973e5fc8ca625fb8c1aa92958b99350013e3016bec36c5341b23a78751dba5fd07e

Download Submit
\Windows\SysWOW64\Aakjdo32.exe

Filesize
352KB

MD5
316c830d2837373c94f72aaee396ad04

SHA1
3b3d7202bc4303a04094561b805ca30ca928e89b

SHA256
47b19ab044967e6e59a4eee0d1904d8542b238804d023a82dcf2ccdd1ed95047

SHA512
b5a0e6ce09c67ee8c6f9f637fa4b6cce69791af74dbb0f96d9794606e966bd4270c2fd1e31a9c055abc010f82e50e0c437d700a028cc381213a12baf38bfdc39

Download Submit
\Windows\SysWOW64\Abpcooea.exe

Filesize
352KB

MD5
9fdeaccaf419b1f51e95bf8da89c0f7b

SHA1
d6977227d90d978ac5e40707685d41540dcfd7fa

SHA256
4adfe09c398a0bbdccfb711444769cdfd5eef32f052bbfdeaad6f41c0c98ce81

SHA512
d667ffa79f30cb8b98b123b42639a25a02e8faa4f12781a8a8eab29ce9eb6638d8f10049063605bf3ecc6acd69398df101063e745676ed581da6a84572f8597d

Download Submit
\Windows\SysWOW64\Aficjnpm.exe

Filesize
352KB

MD5
9fa38e503526aa34f0b5baa5790028a1

SHA1
f291d49978963c7dcaef64b604b2d80b176d51ce

SHA256
508deb956046477d1e819bb773217763ae0c005f3b39b2567d519f68a8957bf9

SHA512
db15243c687acafc0303a50c5cc572a9d461bb4f2c909a13d1c649911b5a089b762938ad6826019cb192b50c157c6d2d1a583c26c6658176a63738e336ecd82e

Download Submit
\Windows\SysWOW64\Bbbpenco.exe

Filesize
352KB

MD5
21a27c047ed5e68e8be866dbc933ce0b

SHA1
658fb5dfa6f0bf78765828f877b839d7f2f7806d

SHA256
0a96bd3bc11ddac34c0cfcaeb31378e7676044ad80895b01f209ec5969bb8f5c

SHA512
c9e6fec73a896f9e78aa60c75dde624ca0cf7e4c5a98c0d0be086661ec852afda170dfa4d42d9fbfa0ec51188295e32bc88be5d13b793b7ce99fd71f0e89c4a8

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
352KB

MD5
28142a49c9dc3659db126b0f06333636

SHA1
e9ccd7d267f01c34e27af84a8f50701b2d19f785

SHA256
dfa0d1042088f33211e8f85030b125ea71b5e24d15a9e312a762446843ee1101

SHA512
02137902a27848015876e65049369d9322615a5e3fa11b3540ace8038f7782f6f008ccd4aa420fcfa6f14e84f493699a7e001b85ebd69220071dd04d93a1816e

Download Submit
\Windows\SysWOW64\Bdqlajbb.exe

Filesize
352KB

MD5
741c0aff63bf33699e0b0acf1097a878

SHA1
7e5527a78abfb42e5cf0b1ab3a334fdeef3ce1ee

SHA256
571cf6407428670ec34af77218dcee51a048c8bba246482d60b7d679e25aa458

SHA512
e8f783cc3245219cba55ed3a3c22807dd4ae097a137de687fe2211dae28f522f70604d1122c0841311b18625b97f4d31f52e90247e5a9ce623980a5c9310e656

Download Submit
\Windows\SysWOW64\Bfioia32.exe

Filesize
352KB

MD5
e324cc493abd33ff25d8a8a156b0d14e

SHA1
4df1e4070c0d947d859881d2f68b53d1982d5fa9

SHA256
6006f0471747a330cbb7ffcd38082491d175bda9e48ff902a3fb18606f02ee14

SHA512
63c558471414df3f2e57e045eaf39a5410c20fd9ce7cb0a34141a430c767cc7997fa8192dbabbe53e4ae0e0df7ecc8b799d7b03144cfc8e4cc7722dfe14d8ed5

Download Submit
\Windows\SysWOW64\Cbdiia32.exe

Filesize
352KB

MD5
ef0301d17a924e0b0d87ad5a63b65e30

SHA1
5fe165b1c5d3fa11b547b3b5394c3d437e7f33e2

SHA256
ddc9c02f996a412284765e36caa7bc477ea5702dac7116f100af98365b51bd2e

SHA512
df395ea82d576b0d72a6bee7aad8c43cf404e660ae4117fd52675135ea0439f0045c91aabc15c60290ed34f1cd36e76038445e91a2a0bf0cefda0429520908fb

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
352KB

MD5
e2a0fbd796bec42922cb50f08dacf6f1

SHA1
b60874563f582639bddbd0504288b3d6aef7f216

SHA256
aba2fb7f69622b73140f907e15284e3d33a8f3833e12faef41192068bbccf14b

SHA512
befc7a16b1e15de96316f1937db93c71af4776f4899ef2c08cf6bc406aa029e6910be68ae270452cd43a4046401504295ecdb56c373d9f4b24a1923a6f81f7c7

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
352KB

MD5
8327fcf994360a339cb9b620b4e2755a

SHA1
345503d54f3b342d97e346cf868ab6079513b411

SHA256
e71257f535d3066eb17d1b7110fbd6710e9f253a2d210f3029adb231e3e35fb1

SHA512
98764ee0628d0efcfa10a9ee0fb0bae4bfb4e17e32ac7a901d82c52c26edcb2a1aab13c194ef98893a9c368100385b037c04adfe1eeec56046204c8f3da5bb94

Download Submit
\Windows\SysWOW64\Ckjamgmk.exe

Filesize
352KB

MD5
f7c4742e56e88eb8aa4c80a96623ebc4

SHA1
9e3cdc6ed75c813275f07d644b756df5630f9cb3

SHA256
e7d992f7af5f5734dc7358e6a39d25bcea801f95f20a5a81ad1847aa46b8492b

SHA512
9b4693235c0624a0aa671759ace648406d71ddb6509534befc86e7ff4ef58723f69c603712cd1381f4fbb081dad3d1957a18a40b0a30caac9b5cc17243008681

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
352KB

MD5
986160f5e7f178f20aac2ec507dbe59c

SHA1
77d5b6cf59f866867e1b7a5cec9897f5bde33bbc

SHA256
2f2424c45897fad05e172e348b65a31fceefed2bb1f2c65d74440b747af2f4d4

SHA512
2c75ac0d2d7de283eea66527d89ba3fdf9f8fa869b391c1a9f1a528f47ce2bf7a16df1bb80f17e9f6839b83154e43595431a72c6b55d0a319532aa5d7e24b738

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
352KB

MD5
9517c52cd1a79a0523705c610f8891bd

SHA1
5e8a1d1295c16835b30d8a22eeff172158eb02f5

SHA256
f58d002dd944452b8f1ddac4b5a4ba83a451b7b33f9483bd71fb9677c7de0dab

SHA512
960b27dd5581d3a10cd825c6aaa6a5c6042ea8377e3defcc73b0583236ecf9183d815cf2cb211c38c6b3faa1e27fe223664f4771295be8c147319736a4c1a75a

Download Submit
memory/952-149-0x0000000000480000-0x00000000004FF000-memory.dmp

Filesize
508KB

Download
memory/952-147-0x0000000000480000-0x00000000004FF000-memory.dmp

Filesize
508KB

Download
memory/952-225-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/952-135-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1152-164-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/1152-222-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1152-162-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/1152-228-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1152-150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1364-245-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1364-36-0x0000000000260000-0x00000000002DF000-memory.dmp

Filesize
508KB

Download
memory/1364-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1364-244-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1648-208-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/1648-203-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/1648-196-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1648-220-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1796-133-0x0000000000340000-0x00000000003BF000-memory.dmp

Filesize
508KB

Download
memory/1796-226-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1924-210-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1924-241-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2316-247-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2316-243-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2316-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2316-11-0x0000000000330000-0x00000000003AF000-memory.dmp

Filesize
508KB

Download
memory/2316-12-0x0000000000330000-0x00000000003AF000-memory.dmp

Filesize
508KB

Download
memory/2356-116-0x0000000000310000-0x000000000038F000-memory.dmp

Filesize
508KB

Download
memory/2356-108-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2356-229-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2432-192-0x00000000006F0000-0x000000000076F000-memory.dmp

Filesize
508KB

Download
memory/2432-240-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2432-193-0x00000000006F0000-0x000000000076F000-memory.dmp

Filesize
508KB

Download
memory/2432-180-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2520-166-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2520-178-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2520-177-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2576-232-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2684-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2684-234-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2684-231-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2780-236-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2780-233-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-238-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-235-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-56-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-64-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2808-69-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2956-246-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2956-26-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2956-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3044-239-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3044-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3044-55-0x0000000000330000-0x00000000003AF000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads