berbew | f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992af

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Size

74KB
MD5

68eb4977d1c513a99808770db82badd0
SHA1

f2260b2c3511de1bd41aa09327c8501e52fe2c2f
SHA256

f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992af
SHA512

d53a7e3831549b40a40a66e691f65df3630942d67c6db7180724c0fedaf75d9091172fd9fa8d4eba37657fab11e1df7db7bc2f3d193433c9f78dc63df07eb9da
SSDEEP

1536:gb63vMrFYTpKNum4rB718sykrajMrBXXM9b5/sgi:gb63vwFY1Sum4rR18vFM58hi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahfgbkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bacefpbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pchbmigj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apclnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkmmigjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apclnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgaeddg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qghgigkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apfici32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apfici32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfgbkpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pajeanhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbikig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pecelm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmmigjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pajeanhf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pchbmigj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qghgigkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abgaeddg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfpdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacefpbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfbjdf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 18 IoCs

pid	Process
3036	Pecelm32.exe
2796	Pkmmigjo.exe
2776	Pajeanhf.exe
2860	Pchbmigj.exe
2696	Qghgigkn.exe
2724	Apclnj32.exe
1032	Apfici32.exe
2228	Abgaeddg.exe
3020	Ahfgbkpl.exe
2920	Bjfpdf32.exe
1664	Bacefpbg.exe
1912	Bfbjdf32.exe
2176	Bbikig32.exe
2428	Cbkgog32.exe
1944	Cpohhk32.exe
996	Ckiiiine.exe
812	Cniajdkg.exe
1868	Coindgbi.exe

Loads dropped DLL 36 IoCs

pid	Process
1852	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
1852	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
3036	Pecelm32.exe
3036	Pecelm32.exe
2796	Pkmmigjo.exe
2796	Pkmmigjo.exe
2776	Pajeanhf.exe
2776	Pajeanhf.exe
2860	Pchbmigj.exe
2860	Pchbmigj.exe
2696	Qghgigkn.exe
2696	Qghgigkn.exe
2724	Apclnj32.exe
2724	Apclnj32.exe
1032	Apfici32.exe
1032	Apfici32.exe
2228	Abgaeddg.exe
2228	Abgaeddg.exe
3020	Ahfgbkpl.exe
3020	Ahfgbkpl.exe
2920	Bjfpdf32.exe
2920	Bjfpdf32.exe
1664	Bacefpbg.exe
1664	Bacefpbg.exe
1912	Bfbjdf32.exe
1912	Bfbjdf32.exe
2176	Bbikig32.exe
2176	Bbikig32.exe
2428	Cbkgog32.exe
2428	Cbkgog32.exe
1944	Cpohhk32.exe
1944	Cpohhk32.exe
996	Ckiiiine.exe
996	Ckiiiine.exe
812	Cniajdkg.exe
812	Cniajdkg.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pchbmigj.exe	Pajeanhf.exe
File created	C:\Windows\SysWOW64\Ahfgbkpl.exe	Abgaeddg.exe
File created	C:\Windows\SysWOW64\Cnfnahkp.dll	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Jchbfbij.dll	Cpohhk32.exe
File opened for modification	C:\Windows\SysWOW64\Qghgigkn.exe	Pchbmigj.exe
File created	C:\Windows\SysWOW64\Apfici32.exe	Apclnj32.exe
File created	C:\Windows\SysWOW64\Pecelm32.exe	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
File opened for modification	C:\Windows\SysWOW64\Ahfgbkpl.exe	Abgaeddg.exe
File created	C:\Windows\SysWOW64\Ndjhjkfi.dll	Ahfgbkpl.exe
File created	C:\Windows\SysWOW64\Jlmhimhb.dll	Bbikig32.exe
File created	C:\Windows\SysWOW64\Qghgigkn.exe	Pchbmigj.exe
File created	C:\Windows\SysWOW64\Apclnj32.exe	Qghgigkn.exe
File opened for modification	C:\Windows\SysWOW64\Apclnj32.exe	Qghgigkn.exe
File created	C:\Windows\SysWOW64\Bfbjdf32.exe	Bacefpbg.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Jpopml32.dll	Pajeanhf.exe
File created	C:\Windows\SysWOW64\Bacefpbg.exe	Bjfpdf32.exe
File created	C:\Windows\SysWOW64\Cbkgog32.exe	Bbikig32.exe
File created	C:\Windows\SysWOW64\Gjbcnmen.dll	Pkmmigjo.exe
File opened for modification	C:\Windows\SysWOW64\Pchbmigj.exe	Pajeanhf.exe
File created	C:\Windows\SysWOW64\Bbikig32.exe	Bfbjdf32.exe
File created	C:\Windows\SysWOW64\Cpohhk32.exe	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Khpbbn32.dll	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Dhkqcl32.dll	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
File created	C:\Windows\SysWOW64\Ckiiiine.exe	Cpohhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiiiine.exe	Cpohhk32.exe
File created	C:\Windows\SysWOW64\Lficmm32.dll	Apclnj32.exe
File created	C:\Windows\SysWOW64\Lecaooal.dll	Apfici32.exe
File opened for modification	C:\Windows\SysWOW64\Bfbjdf32.exe	Bacefpbg.exe
File opened for modification	C:\Windows\SysWOW64\Bbikig32.exe	Bfbjdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pkmmigjo.exe	Pecelm32.exe
File opened for modification	C:\Windows\SysWOW64\Cbkgog32.exe	Bbikig32.exe
File opened for modification	C:\Windows\SysWOW64\Pecelm32.exe	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
File opened for modification	C:\Windows\SysWOW64\Pajeanhf.exe	Pkmmigjo.exe
File created	C:\Windows\SysWOW64\Lnoipg32.dll	Pchbmigj.exe
File opened for modification	C:\Windows\SysWOW64\Bjfpdf32.exe	Ahfgbkpl.exe
File created	C:\Windows\SysWOW64\Pdgmbedh.dll	Bfbjdf32.exe
File opened for modification	C:\Windows\SysWOW64\Apfici32.exe	Apclnj32.exe
File created	C:\Windows\SysWOW64\Abgaeddg.exe	Apfici32.exe
File created	C:\Windows\SysWOW64\Jfdkkkqh.dll	Bjfpdf32.exe
File opened for modification	C:\Windows\SysWOW64\Cpohhk32.exe	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Pkmmigjo.exe	Pecelm32.exe
File created	C:\Windows\SysWOW64\Hbglqg32.dll	Pecelm32.exe
File created	C:\Windows\SysWOW64\Pajeanhf.exe	Pkmmigjo.exe
File created	C:\Windows\SysWOW64\Kkggemii.dll	Qghgigkn.exe
File opened for modification	C:\Windows\SysWOW64\Abgaeddg.exe	Apfici32.exe
File opened for modification	C:\Windows\SysWOW64\Bacefpbg.exe	Bjfpdf32.exe
File created	C:\Windows\SysWOW64\Bkofkccd.dll	Bacefpbg.exe
File created	C:\Windows\SysWOW64\Cniajdkg.exe	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Bjfpdf32.exe	Ahfgbkpl.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Dafikqcd.dll	Abgaeddg.exe
File opened for modification	C:\Windows\SysWOW64\Cniajdkg.exe	Ckiiiine.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pchbmigj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpohhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cniajdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apfici32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgaeddg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfpdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacefpbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkgog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pajeanhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qghgigkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apclnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfbjdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmmigjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfgbkpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiiiine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahfgbkpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qghgigkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfpdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnoipg32.dll"	Pchbmigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pchbmigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahfgbkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecaooal.dll"	Apfici32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abgaeddg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pecelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bacefpbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfbjdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkmmigjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafikqcd.dll"	Abgaeddg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkggemii.dll"	Qghgigkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abgaeddg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bacefpbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpopml32.dll"	Pajeanhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pchbmigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkqcl32.dll"	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmhimhb.dll"	Bbikig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pajeanhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjhjkfi.dll"	Ahfgbkpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbikig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apclnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apfici32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll"	Cpohhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lficmm32.dll"	Apclnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnahkp.dll"	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgmbedh.dll"	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbikig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qghgigkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apclnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apfici32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdkkkqh.dll"	Bjfpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pecelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjbcnmen.dll"	Pkmmigjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pajeanhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkmmigjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbglqg32.dll"	Pecelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkofkccd.dll"	Bacefpbg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 3036	1852	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe	30
PID 1852 wrote to memory of 3036	1852	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe	30
PID 1852 wrote to memory of 3036	1852	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe	30
PID 1852 wrote to memory of 3036	1852	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe	30
PID 3036 wrote to memory of 2796	3036	Pecelm32.exe	31
PID 3036 wrote to memory of 2796	3036	Pecelm32.exe	31
PID 3036 wrote to memory of 2796	3036	Pecelm32.exe	31
PID 3036 wrote to memory of 2796	3036	Pecelm32.exe	31
PID 2796 wrote to memory of 2776	2796	Pkmmigjo.exe	32
PID 2796 wrote to memory of 2776	2796	Pkmmigjo.exe	32
PID 2796 wrote to memory of 2776	2796	Pkmmigjo.exe	32
PID 2796 wrote to memory of 2776	2796	Pkmmigjo.exe	32
PID 2776 wrote to memory of 2860	2776	Pajeanhf.exe	33
PID 2776 wrote to memory of 2860	2776	Pajeanhf.exe	33
PID 2776 wrote to memory of 2860	2776	Pajeanhf.exe	33
PID 2776 wrote to memory of 2860	2776	Pajeanhf.exe	33
PID 2860 wrote to memory of 2696	2860	Pchbmigj.exe	34
PID 2860 wrote to memory of 2696	2860	Pchbmigj.exe	34
PID 2860 wrote to memory of 2696	2860	Pchbmigj.exe	34
PID 2860 wrote to memory of 2696	2860	Pchbmigj.exe	34
PID 2696 wrote to memory of 2724	2696	Qghgigkn.exe	35
PID 2696 wrote to memory of 2724	2696	Qghgigkn.exe	35
PID 2696 wrote to memory of 2724	2696	Qghgigkn.exe	35
PID 2696 wrote to memory of 2724	2696	Qghgigkn.exe	35
PID 2724 wrote to memory of 1032	2724	Apclnj32.exe	36
PID 2724 wrote to memory of 1032	2724	Apclnj32.exe	36
PID 2724 wrote to memory of 1032	2724	Apclnj32.exe	36
PID 2724 wrote to memory of 1032	2724	Apclnj32.exe	36
PID 1032 wrote to memory of 2228	1032	Apfici32.exe	37
PID 1032 wrote to memory of 2228	1032	Apfici32.exe	37
PID 1032 wrote to memory of 2228	1032	Apfici32.exe	37
PID 1032 wrote to memory of 2228	1032	Apfici32.exe	37
PID 2228 wrote to memory of 3020	2228	Abgaeddg.exe	38
PID 2228 wrote to memory of 3020	2228	Abgaeddg.exe	38
PID 2228 wrote to memory of 3020	2228	Abgaeddg.exe	38
PID 2228 wrote to memory of 3020	2228	Abgaeddg.exe	38
PID 3020 wrote to memory of 2920	3020	Ahfgbkpl.exe	39
PID 3020 wrote to memory of 2920	3020	Ahfgbkpl.exe	39
PID 3020 wrote to memory of 2920	3020	Ahfgbkpl.exe	39
PID 3020 wrote to memory of 2920	3020	Ahfgbkpl.exe	39
PID 2920 wrote to memory of 1664	2920	Bjfpdf32.exe	40
PID 2920 wrote to memory of 1664	2920	Bjfpdf32.exe	40
PID 2920 wrote to memory of 1664	2920	Bjfpdf32.exe	40
PID 2920 wrote to memory of 1664	2920	Bjfpdf32.exe	40
PID 1664 wrote to memory of 1912	1664	Bacefpbg.exe	41
PID 1664 wrote to memory of 1912	1664	Bacefpbg.exe	41
PID 1664 wrote to memory of 1912	1664	Bacefpbg.exe	41
PID 1664 wrote to memory of 1912	1664	Bacefpbg.exe	41
PID 1912 wrote to memory of 2176	1912	Bfbjdf32.exe	42
PID 1912 wrote to memory of 2176	1912	Bfbjdf32.exe	42
PID 1912 wrote to memory of 2176	1912	Bfbjdf32.exe	42
PID 1912 wrote to memory of 2176	1912	Bfbjdf32.exe	42
PID 2176 wrote to memory of 2428	2176	Bbikig32.exe	43
PID 2176 wrote to memory of 2428	2176	Bbikig32.exe	43
PID 2176 wrote to memory of 2428	2176	Bbikig32.exe	43
PID 2176 wrote to memory of 2428	2176	Bbikig32.exe	43
PID 2428 wrote to memory of 1944	2428	Cbkgog32.exe	44
PID 2428 wrote to memory of 1944	2428	Cbkgog32.exe	44
PID 2428 wrote to memory of 1944	2428	Cbkgog32.exe	44
PID 2428 wrote to memory of 1944	2428	Cbkgog32.exe	44
PID 1944 wrote to memory of 996	1944	Cpohhk32.exe	45
PID 1944 wrote to memory of 996	1944	Cpohhk32.exe	45
PID 1944 wrote to memory of 996	1944	Cpohhk32.exe	45
PID 1944 wrote to memory of 996	1944	Cpohhk32.exe	45

C:\Users\Admin\AppData\Local\Temp\f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
"C:\Users\Admin\AppData\Local\Temp\f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\Pecelm32.exe
  C:\Windows\system32\Pecelm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\Pkmmigjo.exe
    C:\Windows\system32\Pkmmigjo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\Pajeanhf.exe
      C:\Windows\system32\Pajeanhf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Pchbmigj.exe
        
        C:\Windows\system32\Pchbmigj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\SysWOW64\Qghgigkn.exe
        
        C:\Windows\system32\Qghgigkn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Apclnj32.exe
        
        C:\Windows\system32\Apclnj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Apfici32.exe
        
        C:\Windows\system32\Apfici32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Abgaeddg.exe
        
        C:\Windows\system32\Abgaeddg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Ahfgbkpl.exe
        
        C:\Windows\system32\Ahfgbkpl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Bjfpdf32.exe
        
        C:\Windows\system32\Bjfpdf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Bacefpbg.exe
        
        C:\Windows\system32\Bacefpbg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Bfbjdf32.exe
        
        C:\Windows\system32\Bfbjdf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Bbikig32.exe
        
        C:\Windows\system32\Bbikig32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Cbkgog32.exe
        
        C:\Windows\system32\Cbkgog32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Cpohhk32.exe
        
        C:\Windows\system32\Cpohhk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ckiiiine.exe
        
        C:\Windows\system32\Ckiiiine.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Cniajdkg.exe
        
        C:\Windows\system32\Cniajdkg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahfgbkpl.exe

Filesize
74KB

MD5
c0454b0af129325a86cfa5bbc3750595

SHA1
8dc6c8d63e76127fa741b7eae9071c6dc6dcb005

SHA256
8761fd89ea94863db4a547f2adaaefbaf7ca305c9968e161ffa242beed43f6a6

SHA512
d6eec87a582730065c6a9173c339f3f262108b205ecbb83171c65e898c4ec320ccd3d451027eac4eb759c6787eacd9e3a4f287c85ded6ed4574c3ef3443ccd57

Download Submit
C:\Windows\SysWOW64\Cniajdkg.exe

Filesize
74KB

MD5
a23a962d33f007ebc83d4827f9dae280

SHA1
97f91ab9921b4ee45b89ca43a0e66d5b3b868ccf

SHA256
81039d0aca881b09496397c28c4d1b4033899f3ab5fc2c87628fa033e534d020

SHA512
6b62fd1618dbd9786d7e4bd1b6820c9a18651d984931c0e9eb1609b64009e6090cf71a6c297611ac10f6e74826386c883d029ddd1466161d5c9cb2b7d3ef0ee3

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
74KB

MD5
df3ae1487628f2b112d7850110056041

SHA1
e95959cc0478a3ffb6ef62958c9a25f9b3b8e359

SHA256
8d78299ed2e5f07649bdbc322356e476e27915c37b3f096186f78eff6645f7e6

SHA512
0a2397b6ead5d5aef2df0f4479b2b883b8005bf9e628daab5b64162b81bd1f202fcfd383d9b542ba9741d1e8e3cb32f80ae9457e5adae9797dd1423276e4bf22

Download Submit
C:\Windows\SysWOW64\Lnoipg32.dll

Filesize
7KB

MD5
bd685a8ac15d284ba62984943665dae2

SHA1
e5a177f2362ac703a99c0196cfdba589c1b756b6

SHA256
5fd7c90f9f34104bee2f01aaf20c161565a8dcc6e2c16a545d832f990e3a7430

SHA512
69c4e194e69b3df7ed102d5c117acf4c3a45c02e8da88d4b12d8f276fc5def7ab0d598301dc344be965a232a810e8d4a84af8e18eef45b7b5bd66cd0d9641e19

Download Submit
C:\Windows\SysWOW64\Pajeanhf.exe

Filesize
74KB

MD5
c549654c5795738e58fd5c00f99c4a02

SHA1
aa472710f58938e8d1f3f00be79bfa51b8b2bb2e

SHA256
dc34be53e3a4b89b46ab45d00f60c30b9e360dab37b7a1123838c10e30aeb89d

SHA512
5e7333df438e0350fb627d457c70b3543363886dc5868e94f8f99d53e1a8aebd37d1dc4a8f6b4587c66849119958032e8a66a28b6de6fe79d8989e7b7918bbeb

Download Submit
C:\Windows\SysWOW64\Pecelm32.exe

Filesize
74KB

MD5
aa177a90cb6b6fec543c4f4f37d8af69

SHA1
79bdefc93763ef72e4da0e851b0aa1560f730c06

SHA256
ba1e6e0fd8f364064d78402a8b9cf724ac969e238fe7aa6b71b62e36fa40e2dd

SHA512
3dbc105d3b6178433725db3a378b65edee51b11c0660be571a0593ff23a3495d59ff5204359395bd8c5a7be2a86bbd91b918ee1a9aa2f5fac1c2d4b7faaf319b

Download Submit
C:\Windows\SysWOW64\Pkmmigjo.exe

Filesize
74KB

MD5
93087adff9267cd229307767cd244734

SHA1
952ef3b6933bd0f3f38bec852fed35b700476fdc

SHA256
c5be489870b35e00f50e726e99e46778b3f5bb06375494a3da8f4dcdfdee3820

SHA512
e9734d534177125f21511d3879939eb6efa2a5e6cd0f60dae7e9d5b179b0e1964eee5febf43e1725e79275f29e52972366e647929c7d900389bc46f45a9f341f

Download Submit
C:\Windows\SysWOW64\Qghgigkn.exe

Filesize
74KB

MD5
2bd281033317dd33c7c1b96fd82c2d42

SHA1
811182d7574766f11f36fd6571dce94b99dc4623

SHA256
f87f0bf8b7ca76de86d130369f580545f4149f099c24f7d60383b098f3156b29

SHA512
e1d5a63c7c4391af4508ef63b8a64bdadc5bab76db49ca76e0e50cdadf2dd1880f3fee373d81ba66a03b17627f4d484aa8a44b543e93b38e12b53eb026460ccc

Download Submit
\Windows\SysWOW64\Abgaeddg.exe

Filesize
74KB

MD5
4e80a3da93a91d9a515b79042eee10ad

SHA1
dc469660e07477358edc01d13eae0a3d38539d84

SHA256
399844688e38fc0c09169063a2bc54a98ab18bc84d8b14d52c1eaab138f1917d

SHA512
bf9f6f1e48b12960a9374261e320a0ce03515e5be99902c121aa82bfd1f2d19b04627d77bdfd28c7dcdf4feb4f7691b15482201e211f5b81e7969474ef9c2730

Download Submit
\Windows\SysWOW64\Apclnj32.exe

Filesize
74KB

MD5
a475073c853a322ba199759c2ca43dd6

SHA1
6fbc570611d0cae5e015a1dab4a9c1773b1c7c32

SHA256
1045ce9a1bb39703f38fb33737206ec320ca7f3ae886ac40412761d14858b195

SHA512
2a1108b4e8358cdce96a0de8c5421ebca0631fcb38648b2d78f25698eaf12af9b4d7b61f90264057f7806d5fce9e87daad30abc8ffb7d5d494c024c3ba0bd790

Download Submit
\Windows\SysWOW64\Apfici32.exe

Filesize
74KB

MD5
6271b618db5bb50a5e9efe33b39ce62e

SHA1
7bcb882546f08b61002cc70ca548a6ace7c7c00e

SHA256
983f3ffb528d6c22ad8e2188a49403ddb7b7fa17192a07c796340f2647593d2b

SHA512
0d44d6cb8b697a604f583fea7e1a635ba922441401989a1b3fc19a32b291f325d7773441ed6da2244c43ea753e1e6f6d1efdf2281c357628d45fb6c1acf998c7

Download Submit
\Windows\SysWOW64\Bacefpbg.exe

Filesize
74KB

MD5
f0ad1fb939fa53c99599ffe77ea47b7f

SHA1
cc7446e3d3bef5832ec7ac76b0870964753f1bb9

SHA256
dc15323f62f5f54870a01ebaa9719c1b312fc4ffbc24aadbf3836f48038484f3

SHA512
59756f2d6e532c4b80d94ad8cd15d0107937b911b20bea19d78900a2e2a34c1ac552bb3994ce8f85cb2890428b23c5693e96705022029d0b1f78fff319cf9e04

Download Submit
\Windows\SysWOW64\Bbikig32.exe

Filesize
74KB

MD5
4de4f038d26b45c727297fae49051e15

SHA1
6396dbcbd2d904b823efeeaeed5e73934e8d4753

SHA256
414dcbcd73fc3369c2daabf1f188bd377952cf0229e342991411eb2c3ebf8673

SHA512
18fa02e4307f1f94598f594c5cfb7dc6e89e4f5b65dc007e906c84572898d16879849e6582f0acd2c128025cbd210f93790da0a13e2b22726ed796e409edf5a9

Download Submit
\Windows\SysWOW64\Bfbjdf32.exe

Filesize
74KB

MD5
969d97d4c9f6948584dc952a66ddd9ed

SHA1
6b4b10fdad73243bce7c2ecbe3c464564b188336

SHA256
81c825fb0c21e4533c3934fabe0b1729a329756917153eb11e57b9c3cbb99615

SHA512
35306eb1bc8126273aa35ff2c1adb956d824ddee7dad2d3772b594d33db65d353e7888943ed65b824616e7d5e2163f72fc454dfe7060226eb4d5091f71434ba6

Download Submit
\Windows\SysWOW64\Bjfpdf32.exe

Filesize
74KB

MD5
2ad05ee57f19565eff2406e504450859

SHA1
634b9ec5674f705b336dffd91daf9753c3669c37

SHA256
ad64ef910b49156ddbc1888124b863fd79b41e6f80cd6dbc20761a9bcb03fab9

SHA512
01f48957d933358ef1e56700ba89cbfcf47e21255bc15d224c0fb2070c82b66a947b55d83b679da36edf9c4ab487db95e80765b7790b351e9da9e12b88476f65

Download Submit
\Windows\SysWOW64\Cbkgog32.exe

Filesize
74KB

MD5
5d3fb0b15a3331124969d6c98b707778

SHA1
d7dab435b4acad920965eb518506defe1c529547

SHA256
d2f084684438cc147e6e514e455eef7023a8c2ee74d03df5120afb57688ef0ec

SHA512
6f1ac817749f370e2f9bffc5005ac5f72dd95e602253536fb9f9c5e3276d320184714ddb4edab9c470281af9757c2f244e9dc23b1d24c5fa390b11a01d8af7e0

Download Submit
\Windows\SysWOW64\Ckiiiine.exe

Filesize
74KB

MD5
d2f5838613eb1407979dc4bde153c9cd

SHA1
e5bfe145cf01ea0a6156cb1a63966f9ee61a38d2

SHA256
35599c1238433ec0ccf2681914417db63cda834e795115fd1c65dbd36cb2b7b2

SHA512
23af488a044f837157074ce7f957cee8519c84e673b14fe89cbb9d9d08b09c8f46fe20310947131c1a0c634b127b432869354bb4f7c66c64f96a9a90cb4e3e2a

Download Submit
\Windows\SysWOW64\Cpohhk32.exe

Filesize
74KB

MD5
97e0144ac52ba7f53128cb4dc8ea98d2

SHA1
f09b0aabc8d8f1348dce64a7abed3dbdd0888f6e

SHA256
c6926d64c677d3c267af7718877bcb150c61569509d6df45f9cda14d0f5f2669

SHA512
17aed373089d61f512b8ea892d8428893c80fd7770d457c1779888fa6bbad6b507fd619e9c9e3469934103b37da92788af10c12ba859409f8201acd01862a762

Download Submit
\Windows\SysWOW64\Pchbmigj.exe

Filesize
74KB

MD5
dc6e3616ac08facd92db057bccde1094

SHA1
3e7db5b525e1a8880988d3ed0289f460f26f50fa

SHA256
47ff70015b1fa9b57392be423fc2df032d83bd3f7648372237dac4d44f6eedf7

SHA512
e9b53aa7188b540802c0dd62a7195f9d7f455bcadb5027342e2f24dc45fb8412326e4996742a4153a0e4c6d9f3dc7637e0dab433d3819544e30569bbe21cbddc

Download Submit
memory/812-226-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/812-250-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/812-232-0x00000000001B0000-0x00000000001E7000-memory.dmp

Filesize
220KB

Download
memory/996-221-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-94-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-241-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-107-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/1032-106-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/1664-148-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1664-245-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1852-17-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/1852-24-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/1852-237-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1852-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1868-251-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1868-236-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1912-246-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1912-161-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1944-202-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1944-210-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/1944-249-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2176-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2176-174-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2176-182-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2228-242-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2228-109-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2428-188-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2428-196-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2428-248-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-67-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-240-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-75-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2724-86-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2776-45-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2796-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2796-238-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2860-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2860-66-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2860-53-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2920-244-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3020-243-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3020-130-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/3020-122-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3036-25-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads