berbew | 189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110

Analysis

max time kernel
82s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
Size

128KB
MD5

aa752dbdaf69c20010a4b9fb4cda0e6f
SHA1

097cfdc77c62b86ba50af55b61ada1853a39def9
SHA256

189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110
SHA512

ebe2685483f42e9c6d146c118e11afc83876396fe8fe39cbe6ac4d716c34560e0ad55a1a6b6cf8e415f2ed293fbb8717da735b19e76607d1bcbe40d9d4322f66
SSDEEP

3072:RzxoZ9yEmE/zw2Feblj9pui6yYPaI7DehizrVtN:hx69yE5zwvjpui6yYPaIGc

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacefpbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpjnmlel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clfhml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chofhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjekahk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciepkajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbfnchfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cniajdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Capdpcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjiljf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmjekahk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbfnchfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjnmlel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdamao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bopknhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capdpcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clfhml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bacefpbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clclhmin.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 17 IoCs

pid	Process
2944	Bjiljf32.exe
2952	Bacefpbg.exe
2832	Bmjekahk.exe
2896	Bbfnchfb.exe
2756	Bpjnmlel.exe
2780	Bgdfjfmi.exe
1352	Bmnofp32.exe
2468	Bopknhjd.exe
2688	Ciepkajj.exe
2064	Clclhmin.exe
2932	Capdpcge.exe
2272	Clfhml32.exe
1848	Cabaec32.exe
1728	Cdamao32.exe
2400	Cniajdkg.exe
2200	Chofhm32.exe
2060	Coindgbi.exe

Loads dropped DLL 34 IoCs

pid	Process
528	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
528	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
2944	Bjiljf32.exe
2944	Bjiljf32.exe
2952	Bacefpbg.exe
2952	Bacefpbg.exe
2832	Bmjekahk.exe
2832	Bmjekahk.exe
2896	Bbfnchfb.exe
2896	Bbfnchfb.exe
2756	Bpjnmlel.exe
2756	Bpjnmlel.exe
2780	Bgdfjfmi.exe
2780	Bgdfjfmi.exe
1352	Bmnofp32.exe
1352	Bmnofp32.exe
2468	Bopknhjd.exe
2468	Bopknhjd.exe
2688	Ciepkajj.exe
2688	Ciepkajj.exe
2064	Clclhmin.exe
2064	Clclhmin.exe
2932	Capdpcge.exe
2932	Capdpcge.exe
2272	Clfhml32.exe
2272	Clfhml32.exe
1848	Cabaec32.exe
1848	Cabaec32.exe
1728	Cdamao32.exe
1728	Cdamao32.exe
2400	Cniajdkg.exe
2400	Cniajdkg.exe
2200	Chofhm32.exe
2200	Chofhm32.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Capdpcge.exe	Clclhmin.exe
File created	C:\Windows\SysWOW64\Hjlkkhne.dll	Capdpcge.exe
File opened for modification	C:\Windows\SysWOW64\Chofhm32.exe	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Bjiljf32.exe	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
File created	C:\Windows\SysWOW64\Flffpf32.dll	Bmjekahk.exe
File opened for modification	C:\Windows\SysWOW64\Bpjnmlel.exe	Bbfnchfb.exe
File opened for modification	C:\Windows\SysWOW64\Bopknhjd.exe	Bmnofp32.exe
File opened for modification	C:\Windows\SysWOW64\Ciepkajj.exe	Bopknhjd.exe
File created	C:\Windows\SysWOW64\Pkknia32.dll	Cniajdkg.exe
File opened for modification	C:\Windows\SysWOW64\Cabaec32.exe	Clfhml32.exe
File created	C:\Windows\SysWOW64\Bbfnchfb.exe	Bmjekahk.exe
File created	C:\Windows\SysWOW64\Ojeffiih.dll	Bpjnmlel.exe
File created	C:\Windows\SysWOW64\Iibogmjf.dll	Bopknhjd.exe
File created	C:\Windows\SysWOW64\Clfhml32.exe	Capdpcge.exe
File created	C:\Windows\SysWOW64\Cabaec32.exe	Clfhml32.exe
File opened for modification	C:\Windows\SysWOW64\Cniajdkg.exe	Cdamao32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Chofhm32.exe
File created	C:\Windows\SysWOW64\Jfdkkkqh.dll	Bjiljf32.exe
File opened for modification	C:\Windows\SysWOW64\Bbfnchfb.exe	Bmjekahk.exe
File created	C:\Windows\SysWOW64\Bpjnmlel.exe	Bbfnchfb.exe
File created	C:\Windows\SysWOW64\Cbiphidl.dll	Bmnofp32.exe
File created	C:\Windows\SysWOW64\Cdamao32.exe	Cabaec32.exe
File created	C:\Windows\SysWOW64\Clclhmin.exe	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Chofhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjiljf32.exe	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
File created	C:\Windows\SysWOW64\Bmjekahk.exe	Bacefpbg.exe
File opened for modification	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bpjnmlel.exe
File created	C:\Windows\SysWOW64\Bmnofp32.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Ciepkajj.exe	Bopknhjd.exe
File created	C:\Windows\SysWOW64\Niienepq.dll	Cabaec32.exe
File created	C:\Windows\SysWOW64\Qamnbhdj.dll	Bacefpbg.exe
File created	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bpjnmlel.exe
File opened for modification	C:\Windows\SysWOW64\Bmnofp32.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Bopknhjd.exe	Bmnofp32.exe
File opened for modification	C:\Windows\SysWOW64\Clfhml32.exe	Capdpcge.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Chofhm32.exe
File created	C:\Windows\SysWOW64\Edalmn32.dll	Bgdfjfmi.exe
File opened for modification	C:\Windows\SysWOW64\Clclhmin.exe	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Jqlidcln.dll	Clfhml32.exe
File created	C:\Windows\SysWOW64\Khpbbn32.dll	Cdamao32.exe
File created	C:\Windows\SysWOW64\Chofhm32.exe	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Bacefpbg.exe	Bjiljf32.exe
File opened for modification	C:\Windows\SysWOW64\Bmjekahk.exe	Bacefpbg.exe
File created	C:\Windows\SysWOW64\Capdpcge.exe	Clclhmin.exe
File created	C:\Windows\SysWOW64\Cniajdkg.exe	Cdamao32.exe
File opened for modification	C:\Windows\SysWOW64\Cdamao32.exe	Cabaec32.exe
File created	C:\Windows\SysWOW64\Kipdmjne.dll	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
File opened for modification	C:\Windows\SysWOW64\Bacefpbg.exe	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Kpijio32.dll	Bbfnchfb.exe
File created	C:\Windows\SysWOW64\Dhhdmc32.dll	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Cmfjgc32.dll	Clclhmin.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdamao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clfhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cniajdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjiljf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjekahk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdfjfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clclhmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbfnchfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnofp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Capdpcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chofhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacefpbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjnmlel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bopknhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciepkajj.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmjekahk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bopknhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfjgc32.dll"	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamnbhdj.dll"	Bacefpbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpjnmlel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll"	Bpjnmlel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibogmjf.dll"	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmjekahk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cniajdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bopknhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbfnchfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpijio32.dll"	Bbfnchfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpjnmlel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clclhmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bacefpbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bacefpbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlkkhne.dll"	Capdpcge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll"	Cdamao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll"	Ciepkajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clfhml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqlidcln.dll"	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flffpf32.dll"	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmnofp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niienepq.dll"	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkknia32.dll"	Cniajdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbiphidl.dll"	Bmnofp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdmjne.dll"	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Capdpcge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbfnchfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edalmn32.dll"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciepkajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cniajdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdkkkqh.dll"	Bjiljf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgdfjfmi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 2944	528	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe	30
PID 528 wrote to memory of 2944	528	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe	30
PID 528 wrote to memory of 2944	528	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe	30
PID 528 wrote to memory of 2944	528	189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe	30
PID 2944 wrote to memory of 2952	2944	Bjiljf32.exe	31
PID 2944 wrote to memory of 2952	2944	Bjiljf32.exe	31
PID 2944 wrote to memory of 2952	2944	Bjiljf32.exe	31
PID 2944 wrote to memory of 2952	2944	Bjiljf32.exe	31
PID 2952 wrote to memory of 2832	2952	Bacefpbg.exe	32
PID 2952 wrote to memory of 2832	2952	Bacefpbg.exe	32
PID 2952 wrote to memory of 2832	2952	Bacefpbg.exe	32
PID 2952 wrote to memory of 2832	2952	Bacefpbg.exe	32
PID 2832 wrote to memory of 2896	2832	Bmjekahk.exe	33
PID 2832 wrote to memory of 2896	2832	Bmjekahk.exe	33
PID 2832 wrote to memory of 2896	2832	Bmjekahk.exe	33
PID 2832 wrote to memory of 2896	2832	Bmjekahk.exe	33
PID 2896 wrote to memory of 2756	2896	Bbfnchfb.exe	34
PID 2896 wrote to memory of 2756	2896	Bbfnchfb.exe	34
PID 2896 wrote to memory of 2756	2896	Bbfnchfb.exe	34
PID 2896 wrote to memory of 2756	2896	Bbfnchfb.exe	34
PID 2756 wrote to memory of 2780	2756	Bpjnmlel.exe	35
PID 2756 wrote to memory of 2780	2756	Bpjnmlel.exe	35
PID 2756 wrote to memory of 2780	2756	Bpjnmlel.exe	35
PID 2756 wrote to memory of 2780	2756	Bpjnmlel.exe	35
PID 2780 wrote to memory of 1352	2780	Bgdfjfmi.exe	36
PID 2780 wrote to memory of 1352	2780	Bgdfjfmi.exe	36
PID 2780 wrote to memory of 1352	2780	Bgdfjfmi.exe	36
PID 2780 wrote to memory of 1352	2780	Bgdfjfmi.exe	36
PID 1352 wrote to memory of 2468	1352	Bmnofp32.exe	37
PID 1352 wrote to memory of 2468	1352	Bmnofp32.exe	37
PID 1352 wrote to memory of 2468	1352	Bmnofp32.exe	37
PID 1352 wrote to memory of 2468	1352	Bmnofp32.exe	37
PID 2468 wrote to memory of 2688	2468	Bopknhjd.exe	38
PID 2468 wrote to memory of 2688	2468	Bopknhjd.exe	38
PID 2468 wrote to memory of 2688	2468	Bopknhjd.exe	38
PID 2468 wrote to memory of 2688	2468	Bopknhjd.exe	38
PID 2688 wrote to memory of 2064	2688	Ciepkajj.exe	39
PID 2688 wrote to memory of 2064	2688	Ciepkajj.exe	39
PID 2688 wrote to memory of 2064	2688	Ciepkajj.exe	39
PID 2688 wrote to memory of 2064	2688	Ciepkajj.exe	39
PID 2064 wrote to memory of 2932	2064	Clclhmin.exe	40
PID 2064 wrote to memory of 2932	2064	Clclhmin.exe	40
PID 2064 wrote to memory of 2932	2064	Clclhmin.exe	40
PID 2064 wrote to memory of 2932	2064	Clclhmin.exe	40
PID 2932 wrote to memory of 2272	2932	Capdpcge.exe	41
PID 2932 wrote to memory of 2272	2932	Capdpcge.exe	41
PID 2932 wrote to memory of 2272	2932	Capdpcge.exe	41
PID 2932 wrote to memory of 2272	2932	Capdpcge.exe	41
PID 2272 wrote to memory of 1848	2272	Clfhml32.exe	42
PID 2272 wrote to memory of 1848	2272	Clfhml32.exe	42
PID 2272 wrote to memory of 1848	2272	Clfhml32.exe	42
PID 2272 wrote to memory of 1848	2272	Clfhml32.exe	42
PID 1848 wrote to memory of 1728	1848	Cabaec32.exe	43
PID 1848 wrote to memory of 1728	1848	Cabaec32.exe	43
PID 1848 wrote to memory of 1728	1848	Cabaec32.exe	43
PID 1848 wrote to memory of 1728	1848	Cabaec32.exe	43
PID 1728 wrote to memory of 2400	1728	Cdamao32.exe	44
PID 1728 wrote to memory of 2400	1728	Cdamao32.exe	44
PID 1728 wrote to memory of 2400	1728	Cdamao32.exe	44
PID 1728 wrote to memory of 2400	1728	Cdamao32.exe	44
PID 2400 wrote to memory of 2200	2400	Cniajdkg.exe	45
PID 2400 wrote to memory of 2200	2400	Cniajdkg.exe	45
PID 2400 wrote to memory of 2200	2400	Cniajdkg.exe	45
PID 2400 wrote to memory of 2200	2400	Cniajdkg.exe	45

C:\Users\Admin\AppData\Local\Temp\189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe
"C:\Users\Admin\AppData\Local\Temp\189756bfc487bfd923c7ad4fb969c689854def5d7b2a54183cf052cc57ab6110.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\SysWOW64\Bjiljf32.exe
  C:\Windows\system32\Bjiljf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\Bacefpbg.exe
    C:\Windows\system32\Bacefpbg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\Bmjekahk.exe
      C:\Windows\system32\Bmjekahk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\Bbfnchfb.exe
        
        C:\Windows\system32\Bbfnchfb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\Bpjnmlel.exe
        
        C:\Windows\system32\Bpjnmlel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Bgdfjfmi.exe
        
        C:\Windows\system32\Bgdfjfmi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Bmnofp32.exe
        
        C:\Windows\system32\Bmnofp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Bopknhjd.exe
        
        C:\Windows\system32\Bopknhjd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Ciepkajj.exe
        
        C:\Windows\system32\Ciepkajj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Clclhmin.exe
        
        C:\Windows\system32\Clclhmin.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Capdpcge.exe
        
        C:\Windows\system32\Capdpcge.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Clfhml32.exe
        
        C:\Windows\system32\Clfhml32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Cabaec32.exe
        
        C:\Windows\system32\Cabaec32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Cdamao32.exe
        
        C:\Windows\system32\Cdamao32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Cniajdkg.exe
        
        C:\Windows\system32\Cniajdkg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Chofhm32.exe
        
        C:\Windows\system32\Chofhm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bacefpbg.exe

Filesize
128KB

MD5
c3cd1206ae0b6730ee247f357546c33f

SHA1
b4b38c00a533ca2c713d630b243ad5f605584a7b

SHA256
50450b34c5d2753dea594c2d677405b1468857c7a37e74d9ff01fdb0b289388d

SHA512
2451882e8501dbcbf40f7754402dd7ba2cc79bb322be59f5bf53536b5bc2c6dd4be9c5110198b11dbb78ef90aacbddbba567018eefdf077167ef0c9a12919a76

Download Submit
C:\Windows\SysWOW64\Bbfnchfb.exe

Filesize
128KB

MD5
b3b54c9485538e24fbd2cfd4b7777e71

SHA1
8e4db831edceaa14518a60ab0fecf4d5df240e42

SHA256
243a3d5c9a99eb47cea6ead76989187d2686abaec545ff5e208c17b9a38f5a18

SHA512
337de71162e5cf55225a467a5ccd188bdc1e4948c3b162761cc6251c72a5318344596ced28f202a97f3396e1f066fa46c4924383c02a0df566bec247c5e3ce1c

Download Submit
C:\Windows\SysWOW64\Clclhmin.exe

Filesize
128KB

MD5
08d5b43aa774327d8be3a97e35d41c0b

SHA1
f95429fec44c99d63acfc035c633f22360561fad

SHA256
2aee1309db5ef697eed682592cffc40641008b376b7c32e57c96a9e8b721789f

SHA512
df0f027db91e03b51f3280ffb584d5f8e82eb3f8a5ff1d557023960846e0abae0ee21b7e1b7b9524e0037b964a87f2ef95830048fe956d197af833278a393c41

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
128KB

MD5
9e30e1fa41dbcf80d20c50c6ba9bde0c

SHA1
f0734a2aebf5474ee502ee19de64be2aff5ed37f

SHA256
a1ed3c2a0dd7be4e576f7c76964299b8499f1b7cecc5ce1983d308ca323e609f

SHA512
0f6c8dad948f7724fbccd36692feec438ca0bcce6e339b9abb84d920d696dde76dc809a176c658d54fc9a16e63f139b51fdd9c88a4a334d0402c675156b0389d

Download Submit
C:\Windows\SysWOW64\Kpijio32.dll

Filesize
7KB

MD5
7a23d2b22b0bf558d189d37c560ff045

SHA1
49a0efd2f396c5425938ea30c6158aa5a512ff1c

SHA256
de9428ae986768dbcf8912d57eaea908f8095054f2ef282d66e3ff1b354eb69c

SHA512
cad0ed6140023f6eefa0428431269db976e9ca6f3c3a2fc44255a2fa745b7ca6733be39029173541cf2f875b5e8758fb23714c83cdf973c8db653854022eac3c

Download Submit
\Windows\SysWOW64\Bgdfjfmi.exe

Filesize
128KB

MD5
cb3895026bef04395dc10a1a246e6c01

SHA1
073cc421784b691fb895c4d7d4d79981f1e8d213

SHA256
488c2e86ff9f94747922e09948df0832d32bdcdacc7a0d5c57a20edf8df320be

SHA512
20059a41b5740835d74e4e76c64d5e990cdb776712d38b536ba8ca934bc8f77ef336e7b5fa0267331b38e9f73952a9734460526a0d8057c8bcfa06b85b8faaf9

Download Submit
\Windows\SysWOW64\Bjiljf32.exe

Filesize
128KB

MD5
a85b6afcec378a9f4fb51e2c7d957383

SHA1
c72e6b7c07b5b2b321cfc4a6db8edee0d889807e

SHA256
3b4d3d631c7682b69d35334de5ece29bc66473c94eb7d6ec65706b24f1ff0a9b

SHA512
2a0697bf3699ec36ac95872fb5743d19ab1f333eb1acb4764dfacc1893a026a65350cc93fc78b1b1928bf08d936d13ab203f7e7ce9dcc002a32744220be7241d

Download Submit
\Windows\SysWOW64\Bmjekahk.exe

Filesize
128KB

MD5
d8e1cc0656cd71a2e3bb643e6fc06256

SHA1
b63b8377d724485bb9237139062cc817f4433f00

SHA256
c1fd274980acb1d2efd67abde7165e87927694d104b7143bd7cde3daa2d9dec2

SHA512
036a8d1af05dd7c47dd6613ade1bb758badb10415c066254b8fb45daabc603975479352072c3e22a0dac83306eb36df486f9611691dd8867d4d785ac80feed03

Download Submit
\Windows\SysWOW64\Bmnofp32.exe

Filesize
128KB

MD5
080d1c7bcf5630269157cb39d56da498

SHA1
268a46b82af16b4fdddf2597b1f62d4b26d8db0a

SHA256
13db5570e2690c95ae90fd2fe05bcba856f2ac3a3b461f6601b47a7bbf2eb77b

SHA512
3f784580a8a577b42d529917c0be3af2fccd459db21850e90d2317ec6a58f91b339aefb5326286b164b9932de9af10936960329b41c34e5f869eb2029e1bf495

Download Submit
\Windows\SysWOW64\Bopknhjd.exe

Filesize
128KB

MD5
0f371add5cd143618d68e002f67f4eb4

SHA1
7a73927d32bc87d04d455c4a58babc189f4980a0

SHA256
757f7669faaacf00023c4fbd77c2d94d2f9371ee03e37dd737ae94eee16fea7c

SHA512
dc7377b83816c792cd79cc68ad32f4cb0a3cb8fe3e7d0b9f59bd104b675e4b3d4e5b3eb1be6ea1106a8977b4fb136f584c933ece5e2c63103096a88fabd0aff3

Download Submit
\Windows\SysWOW64\Bpjnmlel.exe

Filesize
128KB

MD5
be2adde4a56f66953f704aff9af86748

SHA1
ddc22e0b3c179046cd493f36680b5da476c8411d

SHA256
2e8a5b7bb30c4ab039c2210f86bb1bf1c252697820a3d633309e3a08aef0318c

SHA512
7234cf0888235615b58a62125002d39c4f96adb8491b9bbaef4ee06ec1ef74739c3295b45646c90188bcd0094dfb58d038dddbae5f9776b25dd880398f6d6c33

Download Submit
\Windows\SysWOW64\Cabaec32.exe

Filesize
128KB

MD5
dc67d9b5fbab1d3aa9d57bd116bddbab

SHA1
d554330f4909d4b8139755d24dd95e80352bdaa4

SHA256
a84482b831eb4ac23d726130a53e67da4e596a8141c67c8be1efda36671adce7

SHA512
580138e040bef0b3ba9e5f9373bbda8a8d4425d3f2b286e4fb9dbfd5d9418aac643df66f4ef393e1274b7695f2ff91eba484e2b6c7e6a13595d50dfcd4c39665

Download Submit
\Windows\SysWOW64\Capdpcge.exe

Filesize
128KB

MD5
6b6520a94045072cb6532fb9734099f2

SHA1
d982a5006779652e283022503f730703f5a88118

SHA256
5c86dbdb3a8e82e1681f4a841d89c92c374ca7c2c3f43a569b91f638e849f042

SHA512
d1b41d0ef6f98cc18fe0dd96332e4e788c2c09f585e9adbffd69e9063c779d7cbe3e9bab9199bb1e4b3b0376a84f49eb1173dfb5fb1bf40ffcc69203467e6f2d

Download Submit
\Windows\SysWOW64\Cdamao32.exe

Filesize
128KB

MD5
41af0459289b69d0431e6aaee4d4d9d3

SHA1
2d6474820e720ce9dd67aeb1300beedec040cac4

SHA256
ab3c115022c6d5a61eb777b7463ffa8eded330b3917118a3bf2daf188852b66d

SHA512
08625ef5bf770fcc25fe4e31796bd6587ac6cb1a9bbd4e263f312a9b8d0e6dcae0fe0c1efa6a373a7d641c39472bdb08b45a0ad56dc382db7efe3d8c87c6eb4a

Download Submit
\Windows\SysWOW64\Chofhm32.exe

Filesize
128KB

MD5
093937da7fa0beab8e95373ff5563e9d

SHA1
83b20801c2e1d5df152168e0b6ecbb8fdcd7d469

SHA256
6b739c264e2f5c1a0623b9e58e3eb1b1146756ef025f2ce7ff437fc631b5b793

SHA512
201b1eea3c75547351ed28b2343f6335274128bf4942b682f18ced4c4f826da1a0abc7037957d3caf72037b4b05ef650d2f2f35949502e672cc58247491002a6

Download Submit
\Windows\SysWOW64\Ciepkajj.exe

Filesize
128KB

MD5
538cda0d050958a662aaf0c3202e6f2d

SHA1
6fd457dd6f4448ee686c0b2033a8b5c6df663569

SHA256
49c961adf83af31311d0ad7ba88c0e3cd16e5967a19d8d21017ec5f61530de24

SHA512
a627963419facee545c75caef74cf18dbded921eb5c3ed6d3dfdc4cec297ddfa77557df056e47be8f4efc2f6af77aa9a8a6a0d81b38ea565aaccf41d4194a100

Download Submit
\Windows\SysWOW64\Clfhml32.exe

Filesize
128KB

MD5
294cd7ee41e9ce1716903f302df1a34f

SHA1
287d1cc29847ac8ba1a5c351106bdfa893d8b260

SHA256
42803b6da9f70e582427d2712971dbcc0b5fd13e83acdf31b7f664c666c66a13

SHA512
9a8472f10deae8883c6a462f774339f7a13bf07ff954063474d2c4dfa11399c2442720dda5da13e884a1ad01f1eedef2ef95ef3200d2e1fff9b2299d52a0aa9e

Download Submit
\Windows\SysWOW64\Cniajdkg.exe

Filesize
128KB

MD5
da220d1937735e67bc13c7467d555e5a

SHA1
90979ad1fa09dbaee5a73d562ac5a5f29f8a3c8a

SHA256
b5a4cd82624726421e52e15fe36deeb9199481a0e8b36ed39205f97794369b56

SHA512
f2f6e03caf5eadcc8b99af628111402ef14aa1df6e18d6bd8f71726249c953a01e518815e3b46c0978d0f8046fd6d314d42718c23a5c32cf000486a0b2711d51

Download Submit
memory/528-13-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/528-12-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/528-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/528-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1352-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-196-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/1728-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1848-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1848-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2060-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-144-0x0000000000370000-0x00000000003A5000-memory.dmp

Filesize
212KB

Download
memory/2064-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2200-222-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2200-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2200-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-169-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2272-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-120-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2468-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-234-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-134-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2688-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-235-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-90-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2780-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-54-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2832-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-230-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-63-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2932-237-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2944-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2944-26-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2944-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-35-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2952-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads