berbew | 293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd

Analysis

max time kernel
24s
max time network
16s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
Size

93KB
MD5

e64585a7c69e45d5680061f2237c262f
SHA1

3a43f8ae6fc02be1b14f28b45d70b548249aaae6
SHA256

293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd
SHA512

cdc18925a5e5a619c735df6755c091001b89b443dc45b580122f4898b6f6f8ff3cd23f5cd2f77f6e31a4c31f232cdf4701a57f4115f2392019423ffc900534ef
SSDEEP

1536:N3qezt9+FLDsRPovTSBewlcBAIhNpPShe1DaYfMZRWuLsV+1j:1qeztjPqEcBAI+egYfc0DV+1j

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 17 IoCs

pid	Process
2916	Aeqabgoj.exe
2704	Blkioa32.exe
2716	Bpfeppop.exe
2788	Bphbeplm.exe
536	Bajomhbl.exe
1504	Bhdgjb32.exe
2768	Balkchpi.exe
2764	Bdkgocpm.exe
2412	Blaopqpo.exe
1820	Bmclhi32.exe
1908	Bejdiffp.exe
1304	Bkglameg.exe
844	Bmeimhdj.exe
2184	Cpceidcn.exe
2212	Cfnmfn32.exe
2296	Cilibi32.exe
1788	Cacacg32.exe

Loads dropped DLL 38 IoCs

pid	Process
2912	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
2912	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
2916	Aeqabgoj.exe
2916	Aeqabgoj.exe
2704	Blkioa32.exe
2704	Blkioa32.exe
2716	Bpfeppop.exe
2716	Bpfeppop.exe
2788	Bphbeplm.exe
2788	Bphbeplm.exe
536	Bajomhbl.exe
536	Bajomhbl.exe
1504	Bhdgjb32.exe
1504	Bhdgjb32.exe
2768	Balkchpi.exe
2768	Balkchpi.exe
2764	Bdkgocpm.exe
2764	Bdkgocpm.exe
2412	Blaopqpo.exe
2412	Blaopqpo.exe
1820	Bmclhi32.exe
1820	Bmclhi32.exe
1908	Bejdiffp.exe
1908	Bejdiffp.exe
1304	Bkglameg.exe
1304	Bkglameg.exe
844	Bmeimhdj.exe
844	Bmeimhdj.exe
2184	Cpceidcn.exe
2184	Cpceidcn.exe
2212	Cfnmfn32.exe
2212	Cfnmfn32.exe
2296	Cilibi32.exe
2296	Cilibi32.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aeqabgoj.exe	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
File created	C:\Windows\SysWOW64\Ajpjcomh.dll	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Pqfjpj32.dll	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Blkioa32.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Aeqabgoj.exe	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Blkioa32.exe	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Blkioa32.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Bajomhbl.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Balkchpi.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bejdiffp.exe

Program crash 1 IoCs

pid	pid_target	Process
1040	1788	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2916	2912	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe	30
PID 2912 wrote to memory of 2916	2912	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe	30
PID 2912 wrote to memory of 2916	2912	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe	30
PID 2912 wrote to memory of 2916	2912	293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe	30
PID 2916 wrote to memory of 2704	2916	Aeqabgoj.exe	31
PID 2916 wrote to memory of 2704	2916	Aeqabgoj.exe	31
PID 2916 wrote to memory of 2704	2916	Aeqabgoj.exe	31
PID 2916 wrote to memory of 2704	2916	Aeqabgoj.exe	31
PID 2704 wrote to memory of 2716	2704	Blkioa32.exe	32
PID 2704 wrote to memory of 2716	2704	Blkioa32.exe	32
PID 2704 wrote to memory of 2716	2704	Blkioa32.exe	32
PID 2704 wrote to memory of 2716	2704	Blkioa32.exe	32
PID 2716 wrote to memory of 2788	2716	Bpfeppop.exe	33
PID 2716 wrote to memory of 2788	2716	Bpfeppop.exe	33
PID 2716 wrote to memory of 2788	2716	Bpfeppop.exe	33
PID 2716 wrote to memory of 2788	2716	Bpfeppop.exe	33
PID 2788 wrote to memory of 536	2788	Bphbeplm.exe	34
PID 2788 wrote to memory of 536	2788	Bphbeplm.exe	34
PID 2788 wrote to memory of 536	2788	Bphbeplm.exe	34
PID 2788 wrote to memory of 536	2788	Bphbeplm.exe	34
PID 536 wrote to memory of 1504	536	Bajomhbl.exe	35
PID 536 wrote to memory of 1504	536	Bajomhbl.exe	35
PID 536 wrote to memory of 1504	536	Bajomhbl.exe	35
PID 536 wrote to memory of 1504	536	Bajomhbl.exe	35
PID 1504 wrote to memory of 2768	1504	Bhdgjb32.exe	36
PID 1504 wrote to memory of 2768	1504	Bhdgjb32.exe	36
PID 1504 wrote to memory of 2768	1504	Bhdgjb32.exe	36
PID 1504 wrote to memory of 2768	1504	Bhdgjb32.exe	36
PID 2768 wrote to memory of 2764	2768	Balkchpi.exe	37
PID 2768 wrote to memory of 2764	2768	Balkchpi.exe	37
PID 2768 wrote to memory of 2764	2768	Balkchpi.exe	37
PID 2768 wrote to memory of 2764	2768	Balkchpi.exe	37
PID 2764 wrote to memory of 2412	2764	Bdkgocpm.exe	38
PID 2764 wrote to memory of 2412	2764	Bdkgocpm.exe	38
PID 2764 wrote to memory of 2412	2764	Bdkgocpm.exe	38
PID 2764 wrote to memory of 2412	2764	Bdkgocpm.exe	38
PID 2412 wrote to memory of 1820	2412	Blaopqpo.exe	39
PID 2412 wrote to memory of 1820	2412	Blaopqpo.exe	39
PID 2412 wrote to memory of 1820	2412	Blaopqpo.exe	39
PID 2412 wrote to memory of 1820	2412	Blaopqpo.exe	39
PID 1820 wrote to memory of 1908	1820	Bmclhi32.exe	40
PID 1820 wrote to memory of 1908	1820	Bmclhi32.exe	40
PID 1820 wrote to memory of 1908	1820	Bmclhi32.exe	40
PID 1820 wrote to memory of 1908	1820	Bmclhi32.exe	40
PID 1908 wrote to memory of 1304	1908	Bejdiffp.exe	41
PID 1908 wrote to memory of 1304	1908	Bejdiffp.exe	41
PID 1908 wrote to memory of 1304	1908	Bejdiffp.exe	41
PID 1908 wrote to memory of 1304	1908	Bejdiffp.exe	41
PID 1304 wrote to memory of 844	1304	Bkglameg.exe	42
PID 1304 wrote to memory of 844	1304	Bkglameg.exe	42
PID 1304 wrote to memory of 844	1304	Bkglameg.exe	42
PID 1304 wrote to memory of 844	1304	Bkglameg.exe	42
PID 844 wrote to memory of 2184	844	Bmeimhdj.exe	43
PID 844 wrote to memory of 2184	844	Bmeimhdj.exe	43
PID 844 wrote to memory of 2184	844	Bmeimhdj.exe	43
PID 844 wrote to memory of 2184	844	Bmeimhdj.exe	43
PID 2184 wrote to memory of 2212	2184	Cpceidcn.exe	44
PID 2184 wrote to memory of 2212	2184	Cpceidcn.exe	44
PID 2184 wrote to memory of 2212	2184	Cpceidcn.exe	44
PID 2184 wrote to memory of 2212	2184	Cpceidcn.exe	44
PID 2212 wrote to memory of 2296	2212	Cfnmfn32.exe	45
PID 2212 wrote to memory of 2296	2212	Cfnmfn32.exe	45
PID 2212 wrote to memory of 2296	2212	Cfnmfn32.exe	45
PID 2212 wrote to memory of 2296	2212	Cfnmfn32.exe	45

C:\Users\Admin\AppData\Local\Temp\293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe
"C:\Users\Admin\AppData\Local\Temp\293a1be9db3ed45db805902e853d0a33fd9a3ce138e53a4f6bca0e40277e01bd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\Aeqabgoj.exe
  C:\Windows\system32\Aeqabgoj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\Blkioa32.exe
    C:\Windows\system32\Blkioa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\Bpfeppop.exe
      C:\Windows\system32\Bpfeppop.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Blkioa32.exe

Filesize
93KB

MD5
b7e120824fe560e30fade56f9a73b4ee

SHA1
2001aa890a45d972f9823a3e7c455898deba8658

SHA256
10c967dba1f501a8257997d0752f163074484bfc80c255ba58763cbc70c8f04c

SHA512
a65dc8756bd88ec5cf37e128a60a79505aea552090acf03390d389bca87016c7dd1dcb472507dd67d921a1899f875968ae6df35e41844fd9e0f060e95c2b8c3e

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
93KB

MD5
878e67a1edad2bc95463ab85c7c51147

SHA1
661e237a143259e45adc45f342029164cd4ab602

SHA256
984258ecb6161ed9006fa0b1502dafe96be34b1fdfa0183daa57ad49d268c683

SHA512
3e1446c40d547994b44c82fb85758b9aeb2b9d99b8d31d71d3b9fb428fe9f6cb7ce576fc2028a2b38147e0478a57ca2123498769d8f8e2a02def25d604342a4b

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
93KB

MD5
7ea4298470268b763a81aeaa92118332

SHA1
c632c3a65d8936ec521a32809a22f7b182235faa

SHA256
a412e7cc21badc50e5228ec9e1c6faeb26ea049165f141dcd69c7e4aacb80b5e

SHA512
edcbe15aefcaefc9c463f84bb1f980fe6d0ae64ea997c8f246f13173f67206a5869f68582136ed658ba8b632ce390cce63f089708edeff3a4a2d3215bb960d25

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
93KB

MD5
6e37b4e380323aa67b4fe53943fed936

SHA1
136fa895a98b7468330021fc17766cafa89744ad

SHA256
e14480a3bc47b97d80bdd616b4b2e4a45b4e178ab567338157e4b72a8861bfb4

SHA512
905229110f0a4b20874685476d5d9d2d1c0ce161b97369f8ece67ee075ae99f9f2951afd97c8ed2fffe870d8a9c1b3763ede7147ed5ce60136e00fff036d97a8

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
93KB

MD5
3cda8c7fb67e622c365a8cd842eece33

SHA1
702417cdfdc8b33a57d2959c97de1c37d3d5665a

SHA256
ad5798fa4e4cb2b53e5a238bd6f63bc48d604f69e96e4f15007153acda4d4f5a

SHA512
7cf11a036c698dd0676a989e520eb62dd0054154bac57c621aa738acd1c9d865403bd9d4e677f64aa537cdf5a55f131d33d9d7b8e0fea22baa2642b31ea8170c

Download Submit
\Windows\SysWOW64\Aeqabgoj.exe

Filesize
93KB

MD5
76001b642f72ec536247435e61f33bc2

SHA1
4bf6b0a0ad2347d44acc3add33806427dcd35ff5

SHA256
2ca213d7d9ec63b7dbd7850292ed95047013df406aea8a65029ab7155d3ff08e

SHA512
13a2ab8347e603237d9cb7ceba555d63247d470edbd3a2248d870fb8f54a2edd2bfcb4330d8242441ca29005b533f11686a735228a63fd2fb745b42e4cd6056a

Download Submit
\Windows\SysWOW64\Bajomhbl.exe

Filesize
93KB

MD5
42284ffef2cc90311ae1d3b901f47f51

SHA1
a679912e28cece27c3352a9583b8485c3e7dba46

SHA256
1db2f427b4ed11d13110f32bed50fc51902f8944913fd11f91a62ca712e667b5

SHA512
80587319476835fb29dfeb5a14764af2457c1cce817b4d63d259f4ab8589c7fa4d4a45020c5f23f765d64d1bb8038de8abc4e2da12cbb2cc484e21eeb445a157

Download Submit
\Windows\SysWOW64\Balkchpi.exe

Filesize
93KB

MD5
e2e8c78ccfee1dd619a5c4625fce5e21

SHA1
53d05b7579cb9b8d95f24641a3452d7538f999d2

SHA256
3d89209e489e2c0ac9dba11c7380702c01109c26179c5ad1266514dc14b9f445

SHA512
c7055f62991b5b1664da2684c7146b4d5a1689dd0f5872d9e1565decf41b591872128a9c1cf5e502230c6737eca111add0c423a1e2b9b8228e94c60b48bfa3c7

Download Submit
\Windows\SysWOW64\Bdkgocpm.exe

Filesize
93KB

MD5
a779aebbbbbbfc19adcf265d3a219b6a

SHA1
13dfadc7431159ea11d24b8e6553b207aad60898

SHA256
e4ef9d31176445a6b043ea77100fa706242134331bca04ca7bb7e19d77add5cb

SHA512
4b39b475cf69c184c44d2873a9a43f64da5854aacbfc230b9fccee99653d104de4da370e21729fc526ede6de08a6a1597bca9036d17377a1ec41ec6d189bb029

Download Submit
\Windows\SysWOW64\Bejdiffp.exe

Filesize
93KB

MD5
c0d976c7cb2d65cbbf04a3b02f97f5ff

SHA1
fbd7b85ef2b51a00f85276611c2191d199a257e6

SHA256
f539d534b840d80bfac14ee77802fa497a72d69fd7223b880d4263fef9f831c0

SHA512
fbd6ba56b486d2f7da0bb231ac13df75051fd31e8daaec6c0661f8e470566a0756327e56619ccd48f3745da6eb229b6191d2ce7d089e7b9d5241948b037f8ccf

Download Submit
\Windows\SysWOW64\Bhdgjb32.exe

Filesize
93KB

MD5
69f38c392d7db972cbfa31138a691c96

SHA1
bd28fba36842ec8766590baaa42bea01bfa78581

SHA256
7f3b3ca965eefeef2b958fd344d0033125e19bc2b9a493b95771663bded9650b

SHA512
b9ea1c01bfcbc4b7177599d103055de9ce70129d934562eed835a2031689fba08f57e7d70bf59044f15b14c813a23c4d55973b3df1f27abc3ee5bf9007a846c8

Download Submit
\Windows\SysWOW64\Bkglameg.exe

Filesize
93KB

MD5
32020688d9a951b05d2af0523d730f87

SHA1
fd6ba830114564e20dd6e07c50ffb6c45f3cd9f1

SHA256
512966306f61db3c623662f43c6d48b588829efc529260e71e76c1ea71d2fbe6

SHA512
39d5b3f9d4ce1c5f8c97c0be61656d0ed48c530719f02616c6082e453af5d645ae743d2192174797b040225d4a23e149781a04f711a2988735191cd45c632ab4

Download Submit
\Windows\SysWOW64\Blaopqpo.exe

Filesize
93KB

MD5
db4a5a8dc278a118c7c8de4d574bdb32

SHA1
efed0ec5da8fe11f955a8ec1c2b60cae58d68ad8

SHA256
9ee691c206a47322334c602247a611b3840fe6ec1c81f0454b9d4e68baf86e4b

SHA512
24d8f196db5ecf5e704a18585d649edf2992735c71ac4cc9e6ae30da08eceff906e79698fc3e7d0a0bbd72091e355669cc85b81a22564142f27e31ad9543acf5

Download Submit
\Windows\SysWOW64\Bmclhi32.exe

Filesize
93KB

MD5
2008cabd6347bc73c95d7055b13708ca

SHA1
0d47ec97c6dd0833b0fdab7a9ba1d0c6adc07086

SHA256
6abe428266bfb5135e024fc8b660337c67357ef91d9104c28c3db4a9f10059a8

SHA512
c1db36d50f602037e9eb8aa9cbc8e7b763d403ce7948f9146d4f34d19d8844415b2c85da3f7ccc783d65f919162a2fc43be424afed9c3d67da78d991ba993390

Download Submit
\Windows\SysWOW64\Bpfeppop.exe

Filesize
93KB

MD5
15f2d79b7fab7021ea8744e32f4fb310

SHA1
3a8f428776d2e73a0a1694c8941947ae473f7dda

SHA256
43c774557c58fdd8f66be466188d280a118ae7f07eb672bbfa01b500f5b2079d

SHA512
61421c97b24123896957b1dab431ab78939a720f359307b4a8523368457ef5c04712fb59999d507f43312032fb9c909b7a3120f7524fa8a2c8d137b6c45cc43b

Download Submit
\Windows\SysWOW64\Bphbeplm.exe

Filesize
93KB

MD5
511c7b6290b7490097c89b58baf8296e

SHA1
e1e1bc0c9554b17bdda427bfb42bcf8dd9bc1ef4

SHA256
e22d16ec532294a5c8d8465e072fd7a6192a89dccd163984bcf4e822b27a3e97

SHA512
2bb8934c8aa68bd066ef3eafec5d47c58ef84d529e54b0f63633a54bfe38a322577837803ccc71c12156d63a99aafdca7faa083b8884121cac0a62de7dbcecfa

Download Submit
\Windows\SysWOW64\Cfnmfn32.exe

Filesize
93KB

MD5
b299b2a3e8a3fb691af049c7fd04867f

SHA1
ba44542933910d5a40b15cf3ce71f3561b31401a

SHA256
c2717ff708a7f1ce3a2822ad2e01dfccdbe822c51e904354f01f90aa5a740137

SHA512
932f37d2ef9eccace11b20a4f07801664260a646a1945e609adc7f7102661c0ff63c19c23dc5cc1d75bfbc74659ff059754edf6296beb2ff2cefc8ff08f1968c

Download Submit
memory/536-79-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/536-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-185-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/844-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-141-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1820-146-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1820-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-195-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2212-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-220-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2412-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-127-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2704-35-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2704-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-115-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2764-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-62-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2788-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-17-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2912-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-18-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2912-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads