berbew | ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
Size

96KB
MD5

ac90eed07250c51633c27ab8e57aebc5
SHA1

543896cc6c7fce979f934aed114710ee32b6bd67
SHA256

ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375
SHA512

433d976235b7291d87f5a78c46d7d585328829c323b1aac94c3ee526f84362f214f469aae208f33d05f21a27a1e81f865a363432ec788cb6462dd359baba6335
SSDEEP

1536:jcafE7SYFDekwUUKBpM9oAkI2T+myezaDlyvGF4PPbneoIcGXduV9jojTIvjrH:jcactSD9/eWDly+FeSd69jc0vf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 16 IoCs

pid	Process
792	Bceibfgj.exe
2956	Bfdenafn.exe
2776	Bchfhfeh.exe
2180	Bqlfaj32.exe
3044	Bigkel32.exe
2800	Cfkloq32.exe
2696	Ckhdggom.exe
2032	Cnfqccna.exe
2008	Cnimiblo.exe
2452	Cagienkb.exe
2888	Cbffoabe.exe
2872	Cgcnghpl.exe
2440	Cmpgpond.exe
2456	Cegoqlof.exe
2080	Dmbcen32.exe
2084	Dpapaj32.exe

Loads dropped DLL 35 IoCs

pid	Process
1712	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
1712	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
792	Bceibfgj.exe
792	Bceibfgj.exe
2956	Bfdenafn.exe
2956	Bfdenafn.exe
2776	Bchfhfeh.exe
2776	Bchfhfeh.exe
2180	Bqlfaj32.exe
2180	Bqlfaj32.exe
3044	Bigkel32.exe
3044	Bigkel32.exe
2800	Cfkloq32.exe
2800	Cfkloq32.exe
2696	Ckhdggom.exe
2696	Ckhdggom.exe
2032	Cnfqccna.exe
2032	Cnfqccna.exe
2008	Cnimiblo.exe
2008	Cnimiblo.exe
2452	Cagienkb.exe
2452	Cagienkb.exe
2888	Cbffoabe.exe
2888	Cbffoabe.exe
2872	Cgcnghpl.exe
2872	Cgcnghpl.exe
2440	Cmpgpond.exe
2440	Cmpgpond.exe
2456	Cegoqlof.exe
2456	Cegoqlof.exe
2080	Dmbcen32.exe
2080	Dmbcen32.exe
288	WerFault.exe
288	WerFault.exe
288	WerFault.exe

Drops file in System32 directory 50 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
288	2084	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cegoqlof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 792	1712	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe	31
PID 1712 wrote to memory of 792	1712	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe	31
PID 1712 wrote to memory of 792	1712	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe	31
PID 1712 wrote to memory of 792	1712	ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe	31
PID 792 wrote to memory of 2956	792	Bceibfgj.exe	32
PID 792 wrote to memory of 2956	792	Bceibfgj.exe	32
PID 792 wrote to memory of 2956	792	Bceibfgj.exe	32
PID 792 wrote to memory of 2956	792	Bceibfgj.exe	32
PID 2956 wrote to memory of 2776	2956	Bfdenafn.exe	33
PID 2956 wrote to memory of 2776	2956	Bfdenafn.exe	33
PID 2956 wrote to memory of 2776	2956	Bfdenafn.exe	33
PID 2956 wrote to memory of 2776	2956	Bfdenafn.exe	33
PID 2776 wrote to memory of 2180	2776	Bchfhfeh.exe	34
PID 2776 wrote to memory of 2180	2776	Bchfhfeh.exe	34
PID 2776 wrote to memory of 2180	2776	Bchfhfeh.exe	34
PID 2776 wrote to memory of 2180	2776	Bchfhfeh.exe	34
PID 2180 wrote to memory of 3044	2180	Bqlfaj32.exe	35
PID 2180 wrote to memory of 3044	2180	Bqlfaj32.exe	35
PID 2180 wrote to memory of 3044	2180	Bqlfaj32.exe	35
PID 2180 wrote to memory of 3044	2180	Bqlfaj32.exe	35
PID 3044 wrote to memory of 2800	3044	Bigkel32.exe	36
PID 3044 wrote to memory of 2800	3044	Bigkel32.exe	36
PID 3044 wrote to memory of 2800	3044	Bigkel32.exe	36
PID 3044 wrote to memory of 2800	3044	Bigkel32.exe	36
PID 2800 wrote to memory of 2696	2800	Cfkloq32.exe	37
PID 2800 wrote to memory of 2696	2800	Cfkloq32.exe	37
PID 2800 wrote to memory of 2696	2800	Cfkloq32.exe	37
PID 2800 wrote to memory of 2696	2800	Cfkloq32.exe	37
PID 2696 wrote to memory of 2032	2696	Ckhdggom.exe	38
PID 2696 wrote to memory of 2032	2696	Ckhdggom.exe	38
PID 2696 wrote to memory of 2032	2696	Ckhdggom.exe	38
PID 2696 wrote to memory of 2032	2696	Ckhdggom.exe	38
PID 2032 wrote to memory of 2008	2032	Cnfqccna.exe	39
PID 2032 wrote to memory of 2008	2032	Cnfqccna.exe	39
PID 2032 wrote to memory of 2008	2032	Cnfqccna.exe	39
PID 2032 wrote to memory of 2008	2032	Cnfqccna.exe	39
PID 2008 wrote to memory of 2452	2008	Cnimiblo.exe	40
PID 2008 wrote to memory of 2452	2008	Cnimiblo.exe	40
PID 2008 wrote to memory of 2452	2008	Cnimiblo.exe	40
PID 2008 wrote to memory of 2452	2008	Cnimiblo.exe	40
PID 2452 wrote to memory of 2888	2452	Cagienkb.exe	41
PID 2452 wrote to memory of 2888	2452	Cagienkb.exe	41
PID 2452 wrote to memory of 2888	2452	Cagienkb.exe	41
PID 2452 wrote to memory of 2888	2452	Cagienkb.exe	41
PID 2888 wrote to memory of 2872	2888	Cbffoabe.exe	42
PID 2888 wrote to memory of 2872	2888	Cbffoabe.exe	42
PID 2888 wrote to memory of 2872	2888	Cbffoabe.exe	42
PID 2888 wrote to memory of 2872	2888	Cbffoabe.exe	42
PID 2872 wrote to memory of 2440	2872	Cgcnghpl.exe	43
PID 2872 wrote to memory of 2440	2872	Cgcnghpl.exe	43
PID 2872 wrote to memory of 2440	2872	Cgcnghpl.exe	43
PID 2872 wrote to memory of 2440	2872	Cgcnghpl.exe	43
PID 2440 wrote to memory of 2456	2440	Cmpgpond.exe	44
PID 2440 wrote to memory of 2456	2440	Cmpgpond.exe	44
PID 2440 wrote to memory of 2456	2440	Cmpgpond.exe	44
PID 2440 wrote to memory of 2456	2440	Cmpgpond.exe	44
PID 2456 wrote to memory of 2080	2456	Cegoqlof.exe	45
PID 2456 wrote to memory of 2080	2456	Cegoqlof.exe	45
PID 2456 wrote to memory of 2080	2456	Cegoqlof.exe	45
PID 2456 wrote to memory of 2080	2456	Cegoqlof.exe	45
PID 2080 wrote to memory of 2084	2080	Dmbcen32.exe	46
PID 2080 wrote to memory of 2084	2080	Dmbcen32.exe	46
PID 2080 wrote to memory of 2084	2080	Dmbcen32.exe	46
PID 2080 wrote to memory of 2084	2080	Dmbcen32.exe	46

C:\Users\Admin\AppData\Local\Temp\ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe
"C:\Users\Admin\AppData\Local\Temp\ab66d507007e86251a061a20abdf4da90313f1c3a3fe87b8e4a9af296377d375.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\Bceibfgj.exe
  C:\Windows\system32\Bceibfgj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\SysWOW64\Bfdenafn.exe
    C:\Windows\system32\Bfdenafn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\Bchfhfeh.exe
      C:\Windows\system32\Bchfhfeh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 144
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
96KB

MD5
5a8895568c0f94a8cfc0c8789a165d4f

SHA1
5d69b491c509c2bda16b9116770c5c3acbdebc37

SHA256
075d57e4c593cf02593dc7c3dcb82c9deb94d6190b70a0e2b00d26a5aa46cbde

SHA512
10196bca0b2ad9f87d9a772c5aa9a346801c2ddb696b11e23da239cccf849e066df2f8a3e11f90424d7f4008301b125fb97aec680c06543a3bf27555367be9c2

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
96KB

MD5
4f49e7aa9ee81b320e2d4d6d0b66d72c

SHA1
b1118ebfd57b35cd1035b097e595971d36d7f966

SHA256
65fa6a7da188bc281fdb9cadb32c93e1ffcb66335864927736f9e3be9a399f61

SHA512
42984b36bbbb617b8584734cb730c4ff228d19897295a0c0ed76c433a2f555a2f1284bf5fcde59c113e2cd61d197efbe5971d1c8711e47c18e5d95409bc4b697

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
175931357eb0b4e5840f1c74192cbe2b

SHA1
c94a4ffd91b5f39116e73892d3a5c1507a6d42af

SHA256
c66cd69ed128294fbe387de23e8ab485b2410d3f02a38123008748d7eecd24b7

SHA512
280851dfc3ca2988ccb82ee25cf0d23064b8f9c626d8869c71146e07965b21fb0f04128529337c0116e598457765dea62f95c63600061343e0884ae7f40fd724

Download Submit
C:\Windows\SysWOW64\Oinhifdq.dll

Filesize
7KB

MD5
ed2df16d3d87537ea6db9a0838c0f8b5

SHA1
383ad30530d278f72a263bab1c5837fc0ec2f846

SHA256
b9c85dbcb4637bd130639323013c74b6a8a273fb9f9289954efda00b00bc116f

SHA512
ab21152ecfdf857a2444b40c19990d3ed1e9b8c7ac5ff2bec332f8be678311a4f17085f59f08a57fe0635b4ee01157814893ad0288eab58720543c67b0359801

Download Submit
\Windows\SysWOW64\Bceibfgj.exe

Filesize
96KB

MD5
ac927284e9089f4cb97fdb8045b8dc77

SHA1
23e48e7d75446bca91ba7d2f720aa041ce65c274

SHA256
d29a9b1b05ace031e96f91a26b54191858aec5daec0ead4f58c7ff94747df53c

SHA512
33b6b211a5ba62284d9a88b1a48baaedc1f659a22afca53a2f1089f86a6dfc5b42a8fe47cf8b7c4136bbc4fbb4f935ddf602adee49bbef5e7e7d91f05c7944ac

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
96KB

MD5
81708381ab3bb1e1dadcfb0dcd6fed39

SHA1
1dab993be46ac6c5d739e04adb008ee8d5987dc6

SHA256
0c3d204fc207335bd8689c5893cc551fd95f7b466f6dd6d2acdd90b3f6af9bfe

SHA512
2e82bc60286e47d3ab69b24c6ecd1e6add51cf9d1e113ead1311bc49f484372fdf500c61c652dc53fafbd6dfd2026f7a685876a87154e88ea97783bc6a1f4372

Download Submit
\Windows\SysWOW64\Bigkel32.exe

Filesize
96KB

MD5
339ca85a98057255681cf3c56aef32b0

SHA1
7ae016069e3cc65ddcec8eabeacc0a0e4f6bcfad

SHA256
e6654cba868c802be9d8d79e4bebd739d57825b5c3579fa3230625657257dd7f

SHA512
831583bd76752d8e777941ee2230e8dbaed2c8e4945e09e5c5d12aed9cc39408b6246454230940cadbf79d960bca4189beebed94d599fd2321e9b13f3d1847ca

Download Submit
\Windows\SysWOW64\Bqlfaj32.exe

Filesize
96KB

MD5
6c88c73114234584406e5fe388083137

SHA1
7c8c0f98782cdef5e3c0165613dbb4eef83498fb

SHA256
cbcbd782026bcd489949b6f887248a746a90d6e796bb5a9474e18a2ce20e9902

SHA512
366a664ee8d5b03d6eacf151698be30c05866b23293f204b817a35304d99b4d5c6f0bd067a796fe6144ab8e979eaf217426b9eec86be336377dfb3ce85d9b657

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
96KB

MD5
3ae3264a61af0659b0cbcae74e495031

SHA1
3f43510fa9f5bddf21e515ed7ecc902780e4c865

SHA256
5bd5fb28c6d4d1547785df7c5be0a9209247fee391c7a2031e6c38105901a15b

SHA512
bbb8ba1ca22050738ef32868e3b8e59555a6f704c7d63c5493171bb715926d1eed7f634a97d118e45961bc31f08218395863e50bc9d8413d42ae8ae74a6b1f72

Download Submit
\Windows\SysWOW64\Cegoqlof.exe

Filesize
96KB

MD5
c8a43d3218911b7376ff9395561462f7

SHA1
f0314ba784fec69e713b3985d9a3201e183d7cb3

SHA256
637da214b3901c9e24c3b8385f4d92fd56de17d508692410436ff4c3013fdd99

SHA512
5141466c39188c6284a09366dfcda57817af396392ae8ca53adeeef634b220e55fdfd0bc2d4128b6365510bcd284466343aedfbd6a0f678fa20953e684aaf934

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
96KB

MD5
7dd9e1d4a19823853592272a486c12c5

SHA1
039b450ef0db5555c5506ae254889f3460950ee5

SHA256
816e9fdaa84919249563bd5ecbf3fd518213e4a7f8d458a2eb79ad7b32d8002e

SHA512
ce6da307ff2fc88a9ed71aea720592f0559fa66b0d34d681daeb2c313f1a62aa39d1c4541d9c79d74cf863feb5aa2455a7b7924d3bebc0d0fc8779b1b8e40465

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
96KB

MD5
1bcf25f0cc8649b7e416b087ac5b1dbf

SHA1
54a67d5b21d7f1209b0df30fb2e5a5a8f3319afa

SHA256
85d6e686a71deddf6b48f692e552c00070ba4365717e95421a029f6b5f1c5c39

SHA512
d5a2840fadb0ec2fcab121cc5bf78caa83719710696c678dbb97be8f110b46b678ab735a6c1557a5ee405e64748c33cede51da82b2d3a4169e4c523347eb7977

Download Submit
\Windows\SysWOW64\Ckhdggom.exe

Filesize
96KB

MD5
87b48c541ca1f4f1490bce33e08828ed

SHA1
989c61dc26f9b8110928133b9196fbdfd21650cf

SHA256
47ffe1bad6652b4f1860f35191fe48cca161d20e076a93d0795499ee988a2665

SHA512
609979cba2d4ba5407c6c588d36e9bd9350d218e2932b3abb94e3483cdc579649574ce516858e43713730f037631c6a24bf185a498cb5c1c1e027bb2eda6a729

Download Submit
\Windows\SysWOW64\Cmpgpond.exe

Filesize
96KB

MD5
cd4540b2980aafbbfdc98798c0de62b3

SHA1
5bdc06b6606111ec28b12d58215189a2501f36a0

SHA256
1982d86a3521d642b0f34f9bb370ac0fd9057eb8cbd411d57f0397526a01667d

SHA512
a43d8eda6cf53e367a80acc6dd19e62a9aa82fa80aa4b744bad5c6c964bf14313525a3ef990f19f90cd93cb2fc0da39d1b0f8bc487bdb16b2e1040c70d718b64

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
1af466b842669a727a0455d83431fdfb

SHA1
608cc29c7237bca318cb96b4aba6c761df8a2160

SHA256
7e35e4ade06ccae83934fcb61c1e33c88447f874c0fc8a9fa07028598c9299fd

SHA512
d9bdc1eb4abb550762ef6cc3a2959d08fe85c13fcbb967ace6ad37a3e5afa3d73f2f23a3dcd638d29b36c455508897707d9b4d7aceb5928f8eccf29d4e07222f

Download Submit
\Windows\SysWOW64\Cnimiblo.exe

Filesize
96KB

MD5
3739bdb9ab3c9139e125f093afc15d8b

SHA1
3d5d6581f384fef9d75f64bfb3d482aa497d88ef

SHA256
a53ff325f424f6886effb2a267c5b1af796da59bb9f81cab1e3acde8cda3848f

SHA512
9760dbad06c5723c073540c42ec49ca58c553520ad5bea87b3423ceaa592d54603712c73bfa7e3aa615b1609765b96282d03bc04193573123d1dcc5322c1bcd7

Download Submit
\Windows\SysWOW64\Dmbcen32.exe

Filesize
96KB

MD5
bba50cef82ceeee3a2b596d19ccc07c7

SHA1
315ee0ab932a40747aa27ec0796dfa37de445e01

SHA256
97effab4626eed368b7eefbdacd3cb2c1625b9550bcaadde1f86291e77d0275b

SHA512
69a805e378888f5f51808cbb49df751ba12fefaf83f15914261464d3e0fdb4d70738e32ba8f4f04c128d6791c52cc4536d6395d418b82edd677503d1f35680ab

Download Submit
memory/792-226-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/792-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-227-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-11-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2008-218-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-123-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-118-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2032-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-219-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-210-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-211-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-60-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2180-53-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-141-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2452-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-51-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2776-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2800-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2800-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2872-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2872-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2888-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2956-34-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2956-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2956-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-228-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads