berbew | 77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
Size

74KB
MD5

c6380d1621ccbf30a4850d929c0ff89d
SHA1

f24493069fee44563941f8b338468dae6284bcd5
SHA256

77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8
SHA512

93d80c5dad3c681323aff62649c2da5a8568e7f05533792eced2a6ca0f98db3c2e47f13162286674352f4064467b9ef6944677178f28adea509ba630ea528cdc
SSDEEP

768:BtuA8oViYPSLMoIVHzqovh/VPGQOg3yvBXm6l6QFjyZIr+bFMX5B+Te5SbvX9eg7:PuSVpPedSq45CvBXmqr5ye+b+qe+2gT

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdplm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 6 IoCs

pid	Process
2824	Bdkgocpm.exe
2900	Bjdplm32.exe
2692	Bhhpeafc.exe
2468	Bmeimhdj.exe
480	Ckiigmcd.exe
3028	Cacacg32.exe

Loads dropped DLL 16 IoCs

pid	Process
2944	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
2944	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
2824	Bdkgocpm.exe
2824	Bdkgocpm.exe
2900	Bjdplm32.exe
2900	Bjdplm32.exe
2692	Bhhpeafc.exe
2692	Bhhpeafc.exe
2468	Bmeimhdj.exe
2468	Bmeimhdj.exe
480	Ckiigmcd.exe
480	Ckiigmcd.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2080	3028	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Bmeimhdj.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2824	2944	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe	30
PID 2944 wrote to memory of 2824	2944	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe	30
PID 2944 wrote to memory of 2824	2944	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe	30
PID 2944 wrote to memory of 2824	2944	77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe	30
PID 2824 wrote to memory of 2900	2824	Bdkgocpm.exe	31
PID 2824 wrote to memory of 2900	2824	Bdkgocpm.exe	31
PID 2824 wrote to memory of 2900	2824	Bdkgocpm.exe	31
PID 2824 wrote to memory of 2900	2824	Bdkgocpm.exe	31
PID 2900 wrote to memory of 2692	2900	Bjdplm32.exe	32
PID 2900 wrote to memory of 2692	2900	Bjdplm32.exe	32
PID 2900 wrote to memory of 2692	2900	Bjdplm32.exe	32
PID 2900 wrote to memory of 2692	2900	Bjdplm32.exe	32
PID 2692 wrote to memory of 2468	2692	Bhhpeafc.exe	33
PID 2692 wrote to memory of 2468	2692	Bhhpeafc.exe	33
PID 2692 wrote to memory of 2468	2692	Bhhpeafc.exe	33
PID 2692 wrote to memory of 2468	2692	Bhhpeafc.exe	33
PID 2468 wrote to memory of 480	2468	Bmeimhdj.exe	34
PID 2468 wrote to memory of 480	2468	Bmeimhdj.exe	34
PID 2468 wrote to memory of 480	2468	Bmeimhdj.exe	34
PID 2468 wrote to memory of 480	2468	Bmeimhdj.exe	34
PID 480 wrote to memory of 3028	480	Ckiigmcd.exe	35
PID 480 wrote to memory of 3028	480	Ckiigmcd.exe	35
PID 480 wrote to memory of 3028	480	Ckiigmcd.exe	35
PID 480 wrote to memory of 3028	480	Ckiigmcd.exe	35
PID 3028 wrote to memory of 2080	3028	Cacacg32.exe	36
PID 3028 wrote to memory of 2080	3028	Cacacg32.exe	36
PID 3028 wrote to memory of 2080	3028	Cacacg32.exe	36
PID 3028 wrote to memory of 2080	3028	Cacacg32.exe	36

C:\Users\Admin\AppData\Local\Temp\77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe
"C:\Users\Admin\AppData\Local\Temp\77de34dc35eddbc5655673bf6f4030da2dd9963d9f0d7b77ca1eba01612cb3a8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\Bdkgocpm.exe
  C:\Windows\system32\Bdkgocpm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\Bjdplm32.exe
    C:\Windows\system32\Bjdplm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\Bhhpeafc.exe
      C:\Windows\system32\Bhhpeafc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
      - C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 140
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjpdmqog.dll

Filesize
7KB

MD5
e73274b2dbedd56e5af6cffdae83480c

SHA1
0a45a99be4952d72c04d2af958a33d48038c7f65

SHA256
072d3c3dbf06efbeab0451b1c8135b232aace5cae760709198f99092c73c187c

SHA512
f7aa8164c68cef531b7a30baa23d3e485f10d98dbe7f9f95cca4ea985e023cea2df35d8b386aa972fd1e38c39e8f0416dc492ed47b0736ee9b9d50094ba5a810

Download Submit
\Windows\SysWOW64\Bdkgocpm.exe

Filesize
74KB

MD5
5f8447f5d4ea2ddeb8019040672fcccc

SHA1
d324ddc05b6d0ea8030eb812fbb9657e05e57d4d

SHA256
0b3cd9b7e1abd0200711564910a10876be85050d59c9b6389222cef6ca4c6862

SHA512
93b40e1060706bd5fe6ca6400cd78cffc853661b2cafceb6bf59171a40e2b40319011d2cf0e3e12bff58c0a059748888b2f0d228a1c98f0b2f51aa689e1c79f2

Download Submit
\Windows\SysWOW64\Bhhpeafc.exe

Filesize
74KB

MD5
bfd0e6a7ee7ad2f2892d1a14fe3dc04d

SHA1
f698074f22766b9b3cdf756ef0ae21267c5375a1

SHA256
e48e5ac3d365b4465ed91412e7cb267b8949f64d17904eeee8bca041ae514c10

SHA512
bdff004dfeac207245e090106b1eb7e10751c80a4ae5cdb8c14da46907b502695af595ac826a262fabab2487603bfb348513638e3179ebe294f2e65a5e46214c

Download Submit
\Windows\SysWOW64\Bjdplm32.exe

Filesize
74KB

MD5
46e92b3a5d4a1cd29f5039f1fe1c4838

SHA1
d6d9dac2955ecf196a9b60aa6ed6e53690e683e4

SHA256
79d5f638d26f7f751fa25b109a8f66ebe83db3bcb487ebe31147df853bcc8c5b

SHA512
702fc5a2a3023aa1ac1953d7ce87e9d2b273b00feeb768742f59efcb6ec2b763e9800d69009ea480a9806518f66dc266c1bf17dfd38027e1d5eb442319bdee54

Download Submit
\Windows\SysWOW64\Bmeimhdj.exe

Filesize
74KB

MD5
bcfa13546b98892e3bb329ea29527a94

SHA1
e57171fd403a35e942e81f8291220f033fe7c75c

SHA256
77f6f12e66bbae21c35ec07b54c0a7d259daee306b6e1157cdf60d8140d9474d

SHA512
4d682e06c9d9149e80b59ecd01e74b349ff320ec1611ecd5103aa1084da6acc1712a7189031cd7e8754076b859b124adf4e9bf1db9fa8f73b2b1a603f51fe72b

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
74KB

MD5
d31a2f635179195cf86e1df89afd6728

SHA1
b57f2d9abf9f6c69f6520d5cf50eb4884df98203

SHA256
c7d2197130479f269e316276d7f91b0798236143710112286fc894549b4ac01b

SHA512
939220c2a90201a2e9586a1420b6e97545c2a8e17809bfedc81a96076a42aab505ff94ae9878842f4594f0c834e13cddb482f32628477034f54fb8f94cd89eda

Download Submit
\Windows\SysWOW64\Ckiigmcd.exe

Filesize
74KB

MD5
cfe5b9525e565a95a1babdcb4696c144

SHA1
0a1f18a5778fa44c9a75550c6288079a146e1e34

SHA256
ed3a8062f34cdcbe0aa85f52fcfc1555e34622602eaa6a13d3c1f10ac5e0152b

SHA512
5b9fd84489809dd23610dd7b58e2ab6223cf7773f9edbe1b7c8635c6418fae1c9a862c778235e8a03fd5519eefd4c4d2216455dd06b48d1c2879d12810e48d9f

Download Submit
memory/480-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/480-85-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2468-61-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2468-86-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2468-53-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2692-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2824-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2824-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-35-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2900-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-12-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2944-13-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2944-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3028-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3028-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads